Critical Oracle Identity Manager Vulnerability Added to CISA KEV Catalog

CISA officially added a critical vulnerability, CVE-2025-61757, to its Known Exploited Vulnerabilities (KEV) catalog, underscoring the urgent need for organizations using Oracle Identity Manager to patch immediately. This vulnerability, rated with a CVSS score of 9.8, allows unauthenticated remote code execution (RCE) through Oracle Identity Manager’s REST WebServices, posing a severe risk to enterprise identity management security.

What is CVE-2025-61757?

CVE-2025-61757 is a pre-authentication remote code execution flaw discovered in Oracle Identity Manager (OIM) versions 12.2.1.4.0 and 14.1.2.1.0. The vulnerability stems from an authentication bypass in a centralized Java security filter protecting the OIM REST management interface. Attackers can exploit this flaw via HTTP without any authentication, enabling them to execute arbitrary commands on the vulnerable host remotely.

Oracle Identity Manager is a crucial enterprise security platform that manages user lifecycles, entitlements, and access across cloud and on-premises environments. Exploiting CVE-2025-61757 potentially allows attackers to take over the entire identity tier, manipulate user roles, and pivot into other enterprise systems, which makes it a high-value attack vector.

Impact and Threat Landscape

Successful exploitation effectively grants full system compromise, impacting the confidentiality, integrity, and availability of the identity management infrastructure. The vulnerability’s high CVSS score of 9.8 signals its criticality in real-world attacks. The flaw is currently being actively exploited in the wild by threat actors, increasing the urgency for immediate mitigation.

CISA’s addition of this vulnerability to the KEV catalog further mandates Federal Civilian Executive Branch (FCEB) agencies to apply patches by December 12, 2025, per Binding Operational Directive 22-01 guidelines.

Technical Insights

The vulnerability results from a two-stage exploit chain:

  • Pre-authentication bypass of a security filter that erroneously allows unrestricted access to protected REST APIs.
  • Abuse of high-privilege administrative functions exposed through OIM’s REST services, culminating in remote code execution.

This pattern highlights a common identity and access management anti-pattern: exposing powerful administrative APIs without adequate authentication controls, leading to critical security failures.

Mitigation and Recommendations

Oracle addressed CVE-2025-61757 in its October 2025 Critical Patch Update (CPU), released on October 21. Organizations running affected Oracle Identity Manager versions should apply these security patches without delay.

Additional mitigation measures include:

  • Eliminating public network access to OIM REST management interfaces.
  • Rotating privileged credentials and enforcing multi-factor authentication where possible.
  • Monitoring and baselining OIM configuration changes to detect unauthorized activities.
  • Segmenting the identity management tier to contain potential breaches.
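The first and third mitigations above can be checked against web access logs. The following is an added example, not code from the article or from Oracle: it parses combined-format access log lines, picks out requests to the OIM REST management interface (the path prefix `/iam/governance/` and the allowed networks are assumptions to adjust per deployment) and flags any that arrive from outside the management networks or succeed with no authenticated user. The log lines are constructed samples.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Assumed prefix for the OIM REST management interface; adjust to your deployment.
OIM_REST_PREFIX = "/iam/governance/"

# Networks from which management access is expected (constructed example values).
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.0.0/16")]

# Combined log format: client ident user [time] "METHOD PATH PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def audit_line(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for a suspicious OIM REST management request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None                      # not a combined-format line
    path = m.group("path").split("?", 1)[0]
    if not path.startswith(OIM_REST_PREFIX):
        return None                      # not the management interface
    client = ipaddress.ip_address(m.group("client"))
    reasons = []
    if not any(client in net for net in ALLOWED_NETWORKS):
        reasons.append("source outside allowed management networks")
    if m.group("user") == "-" and m.group("status").startswith("2"):
        reasons.append("successful response with no authenticated user")
    if not reasons:
        return None
    return {"client": str(client), "path": path,
            "status": m.group("status"), "reasons": "; ".join(reasons)}

def audit(lines: List[str]) -> List[Dict[str, str]]:
    """Run audit_line over every line and keep the findings."""
    return [f for f in (audit_line(l) for l in lines) if f]

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '10.1.2.3 - admin [24/Nov/2025:10:00:01 +0000] "GET /iam/governance/api/v1/roles HTTP/1.1" 200 512',
    '203.0.113.7 - - [24/Nov/2025:10:00:05 +0000] "POST /iam/governance/api/v1/roles HTTP/1.1" 200 1024',
    '10.1.2.3 - - [24/Nov/2025:10:00:09 +0000] "GET /iam/governance/api/v1/users HTTP/1.1" 401 0',
    '198.51.100.9 - - [24/Nov/2025:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Only the second sample line is reported: it comes from an external address and was answered with a 2xx status without an authenticated user, which is exactly the traffic shape the network-access and monitoring mitigations aim to eliminate.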

Why This Matters

Identity management platforms like Oracle Identity Manager serve as the trust foundation of enterprise security. A vulnerability of this magnitude threatens the entire identity ecosystem and downstream applications. As enterprises increasingly rely on automated identity and access governance, securing these systems is paramount.
