CISA Warns of Actively Exploited Critical Oracle Identity Manager Zero-Day Vulnerability

These articles are AI-generated summaries. Please check the original sources for full details.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-61757, a critical vulnerability in Oracle Identity Manager, to its Known Exploited Vulnerabilities (KEV) catalog. This flaw, with a CVSS score of 9.8, allows unauthenticated remote code execution in affected versions 12.2.1.4.0 and 14.1.2.1.0.

Security models assume that authentication and authorization are enforced as designed, but a flawed implementation can let requests bypass those safeguards entirely. This vulnerability highlights the risk of deciding access on simple string matching inside a security filter, potentially costing organizations significant remediation expense and exposing them to data breaches and system compromise.

Key Insights

  • CVE-2025-61757, 2025: A critical Oracle Identity Manager vulnerability allowing unauthenticated remote code execution.
  • WADL/WSDL Bypass: Attackers exploit a faulty allow-list mechanism by appending "?WSDL" or ";.wadl" to URIs, bypassing authentication checks.
  • KEV Catalog: CISA’s KEV catalog mandates patching by FCEB agencies within 14 days of inclusion, accelerating remediation.

Working Example

# Example malicious POST request (based on observed honeypot activity)
POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl HTTP/1.1
Content-Type: application/json
Content-Length: 556

{
  "groovyScript": "/* Malicious Groovy code for RCE */"
}

Practical Applications

  • Enterprise Security: Organizations using Oracle Identity Manager must prioritize patching to mitigate the risk of compromise.
  • Pitfall: Relying on naive string matching (e.g., allow-lists based on URI patterns) for security is prone to bypass and should be avoided in favor of more robust authentication and authorization mechanisms.
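To make the pitfall concrete, here is an added Python sketch (not from the article and not Oracle's code) that contrasts a filter deciding on the raw URI string with one deciding on the path the server will actually route. The protected prefix and the public descriptor suffixes are assumptions modelled on the request shown above.

```python
import posixpath
from urllib.parse import urlsplit

# Hypothetical protected API prefix, modelled on the request in the article.
PROTECTED_PREFIX = "/iam/governance/applicationmanagement/api/"
# Hypothetical descriptor suffixes a flawed allow-list treats as always public.
PUBLIC_DESCRIPTOR_SUFFIXES = ("?WSDL", ";.wadl")


def naive_requires_auth(request_uri: str) -> bool:
    """Flawed filter of the kind the article describes: it decides on the raw
    URI text, so a protected path that merely ends in a descriptor suffix is
    mistaken for a public descriptor and skips authentication."""
    if request_uri.endswith(PUBLIC_DESCRIPTOR_SUFFIXES):
        return False
    return request_uri.startswith(PROTECTED_PREFIX)


def canonical_path(request_uri: str) -> str:
    """Resolve the path the server will actually route: drop the query string,
    strip matrix parameters (';...') from every segment, collapse dot segments."""
    path = urlsplit(request_uri).path or "/"
    segments = [segment.split(";", 1)[0] for segment in path.split("/")]
    return posixpath.normpath("/".join(segments))


def hardened_requires_auth(request_uri: str) -> bool:
    """Decide on the routed resource, not on the URI text: everything under the
    protected prefix needs authentication regardless of what was appended."""
    return canonical_path(request_uri).startswith(PROTECTED_PREFIX)


def compare(request_uri: str) -> dict:
    """Return both filters' verdicts so the gap between them is visible."""
    return {
        "canonical_path": canonical_path(request_uri),
        "naive_requires_auth": naive_requires_auth(request_uri),
        "hardened_requires_auth": hardened_requires_auth(request_uri),
    }


if __name__ == "__main__":
    # Constructed request targets, including the path from the article's example.
    for uri in (
        "/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus",
        "/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl",
        "/iam/governance/applicationmanagement/api/v1/applications?WSDL",
    ):
        print(uri, "->", compare(uri))
```

The same canonicalization step belongs in any detection rule that inspects proxy or access logs: match on the normalized path, then flag protected paths whose raw URI carried a trailing descriptor suffix.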
