The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about CVE-2025-61757, a pre-authentication remote code execution vulnerability in Oracle Identity Manager that is being exploited in the wild. The flaw carries a CVSS base score of 9.8 (Critical) and has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog following evidence that attackers were using it since at least August 2025, months before Oracle shipped a fix in its October 2025 Critical Patch Update.
Researchers at Searchlight Cyber's Assetnote team found that the authentication layer in front of Oracle Identity Manager's REST APIs can be bypassed because of a logic flaw. The check lives in the Security Filter declared in the application's web.xml, which maintains an allow-list of URIs that may be requested without authentication and evaluates that list with loosely written regular expressions.
The affected endpoints are REST APIs that are supposed to require authentication. An attacker can get past the filter by decorating any request URI with one of two suffixes the allow-list was written to accept: ?WSDL as a query string, or ;.wadl as a path (matrix) parameter on the last segment. The bypass works because the filter matches its allow-list against the raw request URI, whereas the servlet container strips query strings and ;-delimited path parameters before it maps the request to a handler, so the two components are reasoning about different paths.
When an attacker requests /iam/governance/applicationmanagement;.wadl, the filter sees a URI ending in .wadl, treats it as a harmless Web Application Description Language retrieval, and lets it through unauthenticated. The servlet container then discards the ;.wadl path parameter during request mapping and routes the call to the protected management endpoint exactly as if the suffix had never been present. No credentials or prior access of any kind are needed.
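The mismatch above is easiest to see with a small model of both sides. The following is an added example, not Oracle's code and not Assetnote's proof of concept: the allow-list patterns, the PROTECTED_PREFIX and the dispatch() function are a hypothetical reconstruction of the idea, while servlet_path() follows the Servlet specification's rule of dropping the query string and ;name=value path parameters before mapping. A hardened variant that authorizes on the canonical path is shown alongside the flawed one.

```python
import re
from urllib.parse import urlsplit

# Hypothetical reconstruction of the flawed allow-list idea; not the real web.xml.
PROTECTED_PREFIX = "/iam/governance/applicationmanagement/api/"
UNAUTH_ALLOW_RAW = [
    re.compile(r".*\?WSDL$", re.IGNORECASE),  # let SOAP clients fetch a WSDL
    re.compile(r".*\.wadl$", re.IGNORECASE),  # let REST clients fetch a WADL
]


def servlet_path(raw_uri: str) -> str:
    """Resolve the path the way a servlet container does before mapping:
    drop the query string and strip ';name=value' path parameters from
    every segment, so '/a;x=1/b;.wadl?WSDL' becomes '/a/b'."""
    path = urlsplit(raw_uri).path
    return "/".join(segment.split(";", 1)[0] for segment in path.split("/"))


def flawed_filter_allows(raw_uri: str) -> bool:
    """Vulnerable check: the allow-list is matched against the raw URI,
    so any decoration the container later discards satisfies it."""
    return any(p.match(raw_uri) for p in UNAUTH_ALLOW_RAW)


def hardened_filter_allows(raw_uri: str) -> bool:
    """Fixed check: decide on the canonical path the container will route,
    and never exempt the protected API namespace whatever is appended."""
    path = servlet_path(raw_uri)
    query = urlsplit(raw_uri).query
    if path.startswith(PROTECTED_PREFIX):
        return False
    return path.lower().endswith(".wadl") or query.upper() == "WSDL"


def dispatch(raw_uri: str, authenticated: bool = False, hardened: bool = False) -> int:
    """Return the HTTP status a request would receive in this model:
    401 if the filter rejects it, 200 if it reaches a protected handler,
    404 for anything outside the protected namespace."""
    allows = hardened_filter_allows if hardened else flawed_filter_allows
    if not authenticated and not allows(raw_uri):
        return 401
    if servlet_path(raw_uri).startswith(PROTECTED_PREFIX):
        return 200
    return 404


if __name__ == "__main__":
    target = "/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus"
    for uri in (target, target + ";.wadl", target + "?WSDL"):
        print(f"{uri:<95} flawed={dispatch(uri)} hardened={dispatch(uri, hardened=True)}")
```

Run stand-alone, the model returns 401 for the bare endpoint, 200 for both decorated forms under the flawed filter, and 401 for all three under the hardened one. The general lesson is the one to carry to any reverse proxy, WAF or servlet filter: authorization decisions must be made on the same normalized path the backend will actually dispatch on, never on the raw request line.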
With the filter out of the way, an attacker can reach /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus. That endpoint exists to syntax-check Groovy scripts: it is an administrative convenience that compiles submitted code to report errors and is not meant to execute anything. The researchers showed that compilation alone is enough.
The trick is the @ASTTest annotation, a legitimate Groovy feature whose attached closure is executed by the Groovy compiler itself during abstract syntax tree transformation, that is, at compile time. A script carrying @ASTTest therefore runs attacker-supplied code the moment the "syntax check" compiles it, with no need for the server to ever evaluate the script. This turns a benign validation utility into remote code execution on the host with the privileges of the application server process.
The flaw was exploited as a zero-day well before Oracle's patch. Johannes B. Ullrich of the SANS Internet Storm Center published honeypot logs showing multiple exploitation attempts between August 30 and September 9, 2025. The requests targeted /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl with POST bodies of 556 bytes.
Several distinct source IP addresses were involved, all sending an identical User-Agent string, which points to a single operator or shared tooling rather than unrelated actors. The source addresses identified were:
89.238.132[.]76
185.245.82[.]81
138.199.29[.]153
Oracle fixed CVE-2025-61757 in its October 2025 Critical Patch Update. CISA added the vulnerability to the Known Exploited Vulnerabilities catalog on November 21, 2025, citing evidence of active exploitation.
CVE-2025-61757 affects Oracle Identity Governance Suite versions 12.2.1.4.0 (12c) and 14.1.2.1.0. It is not the first time Oracle's identity stack has been in the crosshairs: an older Oracle Access Manager flaw, CVE-2021-35587, was reportedly exploited in January 2025 to breach Oracle Cloud's login service and expose over six million records, a claim Oracle initially disputed. Whatever the details of that incident, the new bug confirms that this infrastructure remains a high-value target.
Under Binding Operational Directive 22-01, Federal Civilian Executive Branch agencies must apply Oracle's fix by December 12, 2025. Agencies that cannot meet the deadline must apply mitigations or stop using the product.
Remediation starts with the October 2025 Critical Patch Update, but patching alone is not enough for a bug that was exploited for months before a fix existed. Operators should also confirm whether /iam/governance endpoints are reachable from the internet and remove that exposure where possible, alert on administrative API requests whose path carries a ;-delimited parameter or a ?WSDL query string, and review access logs back to at least late August 2025 for the URL patterns above. Any unauthenticated request to the groovyscriptstatus endpoint that returned HTTP 200 should be treated as a probable compromise and handed to incident response, because applying the patch does not evict an attacker who already ran code on the server.
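The log review called for here, and the request shapes reported in the SANS honeypot data above, can be turned into a small triage script. This is an added example, not code from the article, from SANS or from Oracle. It assumes web-server access logs in the common "combined" format; the log lines embedded below are constructed for illustration, and the severity rules are the author's own suggestion rather than an official detection signature.

```python
import re
from urllib.parse import urlsplit

# Combined log format: ip ident user [ts] "METHOD uri PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<ref>[^"]*)" "(?P<ua>[^"]*)")?'
)
# Source addresses reported in the honeypot data (defanged in the text above).
KNOWN_SOURCES = {"89.238.132.76", "185.245.82.81", "138.199.29.153"}
IDENTITY_PREFIX = "/iam/governance/"
GROOVY_ENDPOINT = "/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus"

# Constructed sample log lines for illustration; not real traffic.
SAMPLE_LOG = """\
89.238.132.76 - - [02/Sep/2025:11:42:07 +0000] "POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl HTTP/1.1" 200 231 "-" "Mozilla/5.0"
203.0.113.9 - - [02/Sep/2025:11:45:12 +0000] "GET /iam/governance/applicationmanagement/api/v1/applications?WSDL HTTP/1.1" 200 1802 "-" "curl/8.4.0"
198.51.100.4 - - [02/Sep/2025:11:46:30 +0000] "GET /identity/faces/signin HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.4 - - [02/Sep/2025:11:47:01 +0000] "POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus HTTP/1.1" 401 0 "-" "Mozilla/5.0"
"""


def canonical_path(uri: str) -> str:
    """Path as the servlet container will route it: no query, no ;params."""
    path = urlsplit(uri).path
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def classify(line: str):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["uri"])
    has_matrix = any(";" in seg for seg in parts.path.split("/"))
    wsdl_query = parts.query.upper() == "WSDL"
    decorated = has_matrix or wsdl_query
    path = canonical_path(m["uri"])
    hits_groovy = path == GROOVY_ENDPOINT
    if not path.startswith(IDENTITY_PREFIX) or not (decorated or hits_groovy):
        return None
    reasons = []
    if has_matrix:
        reasons.append("matrix parameter on path")
    if wsdl_query:
        reasons.append("?WSDL query string")
    if hits_groovy:
        reasons.append("groovyscriptstatus target")
    if m["ip"] in KNOWN_SOURCES:
        reasons.append("known source IP")
    # High: the exact exploit shape (decorated POST to the Groovy endpoint).
    severity = "high" if (hits_groovy and decorated and m["method"] == "POST") else "medium"
    return {
        "ip": m["ip"], "ts": m["ts"], "method": m["method"], "path": path,
        "status": m["status"], "severity": severity, "reasons": reasons,
        # A 200 on the exploit shape means the filter was bypassed and the
        # compiler ran attacker input: treat as probable compromise.
        "likely_success": severity == "high" and m["status"] == "200",
    }


def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in (classify(l) for l in lines) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        flag = "COMPROMISE?" if f["likely_success"] else ""
        print(f"{f['severity']:6} {f['ip']:15} {f['method']:4} {f['status']} {f['path']} {flag} {f['reasons']}")
```

Two design points matter here. Matching is done on the canonical path, so a variant the attacker writes as groovyscriptstatus;foo=bar or with a different case in the suffix is still caught, and the 401 line is reported as a probe rather than dropped, because a blocked attempt from an address that later succeeds is exactly the context an incident responder wants.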
The combination of a trivial authentication bypass and reliable code execution makes CVE-2025-61757 exceptionally dangerous. An identity manager sits at the center of an organization's access control, so compromising it can cascade into domain-wide or cloud-wide compromise, enabling ransomware deployment, data theft and lateral movement across the enterprise.