CVE-2025-61757
Oracle Identity Manager Pre-Authentication Remote Code Execution
Critical pre-authentication RCE in Oracle Identity Manager (CVSS 9.8). Attackers bypass authentication via URL suffix manipulation and achieve code execution through Groovy annotation abuse. Over 300,000 attack attempts recorded globally since zero-day exploitation began in August 2025.
CISA KEV deadline: December 12, 2025. Zero-day exploitation observed from August 30 - September 9, 2025, prior to patch release. Over 300,000 attack attempts across 18+ countries targeting computing, healthcare, and business sectors.
CVE-2025-61757 is a critical pre-authentication remote code execution vulnerability in Oracle Identity Manager (OIM), part of Oracle Fusion Middleware. The flaw exploits:
Attack Chain
- Authentication Bypass: Append ;.wadl or ?WSDL to protected endpoints
- Target Groovy Endpoint: POST to groovyscriptstatus endpoint
- Annotation Abuse: Craft Groovy script with malicious annotation processors
- RCE Achieved: Execute arbitrary code during compilation phase
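A log-hunting sketch for the first two steps of the chain above, added here as an illustration and not taken from the original report or from any vendor tooling. It assumes common/combined access-log format, and the function names and sample lines are constructed for this example, with /PLACEHOLDER/ standing in for the real endpoint paths, which this page does not give.

```python
import re
from urllib.parse import urlsplit, unquote

# Access-log line in common/combined format (assumed log layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def bypass_marker(target):
    """Return the bypass suffix present in a request target, else None."""
    parts = urlsplit(target)
    path = unquote(parts.path).lower()  # also catches %3B.wadl
    if path.endswith(";.wadl"):
        return ";.wadl"
    keys = [unquote(p.split("=", 1)[0]).lower() for p in parts.query.split("&")]
    return "?WSDL" if "wsdl" in keys else None

def classify(line):
    """Map one log line to a finding dict, or None if nothing matched."""
    m = LOG_RE.match(line)
    marker = bypass_marker(m["target"]) if m else None
    if marker is None:
        return None
    path = unquote(urlsplit(m["target"]).path).lower()
    # Suffix + POST to the Groovy endpoint is the full chain; a suffix alone
    # needs review, since ?WSDL is also a normal SOAP metadata request.
    chain = "groovyscriptstatus" in path and m["method"] == "POST"
    return {"ip": m["ip"], "ts": m["ts"], "marker": marker,
            "severity": "high" if chain else "review"}

def scan(lines):
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines; the /PLACEHOLDER/ paths are not real OIM paths.
SAMPLE = [
    '203.0.113.7 - - [01/Sep/2025:10:00:01 +0000] "POST /PLACEHOLDER/api/groovyscriptstatus;.wadl HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Sep/2025:10:00:05 +0000] "GET /PLACEHOLDER/api/users%3B.wadl HTTP/1.1" 200 90',
    '198.51.100.4 - - [01/Sep/2025:10:01:00 +0000] "GET /PLACEHOLDER/soap/Service?WSDL HTTP/1.1" 200 4096',
    '198.51.100.9 - - [01/Sep/2025:10:02:00 +0000] "POST /PLACEHOLDER/api/groovyscriptstatus HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Run it over logs from the reverse proxy or web tier in front of OIM. The unsuffixed POST that returned 401 is deliberately not flagged, because it shows authentication being enforced.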
Key Facts
- CVSS 9.8 Critical - No authentication required
- Affects Oracle Identity Manager 12.2.1.4.0 and 14.1.2.1.0
- Zero-day exploitation observed Aug 30 - Sep 9, 2025
- 300,000+ attack attempts in 18+ countries
- Primary targets: Computing, Healthcare, Business Services
Detect Oracle Identity Manager Exploitation with BRACE
BRACE provides detection for enterprise identity infrastructure attacks including:
- Oracle Fusion Middleware exploitation patterns
- Authentication bypass attempt detection
- Groovy/WebLogic RCE indicators
- Identity system compromise detection
Protect Your Enterprise Identity Infrastructure
BRACE monitors for exploitation of identity management vulnerabilities and provides continuous detection for CISA KEV listed CVEs.