LmCast :: Stay tuned in

Critical Flaw in Oracle Identity Manager Under Exploitation

Recorded: Nov. 25, 2025, 2:02 a.m.

Original

The exploitation of CVE-2025-61757 follows a breach of Oracle Cloud earlier this year as well as a recent extortion campaign targeting Oracle E-Business Suite customers.

Rob Wright, Senior News Director, Dark Reading
November 24, 2025

A critical flaw in Oracle's Identity Manager has been exploited in the wild, marking the latest threat for customers of the enterprise software giant.

CVE-2025-61757 is a remote code execution (RCE) vulnerability in the Identity Manager solution for Oracle Fusion Middleware. The flaw, which received a 9.8 CVSS score, was first disclosed and patched on Oct. 21 in Oracle's monthly security update along with 373 other vulnerabilities.

AssetNote security researchers Adam Kues and Shubham Shah discovered the flaw earlier this year after taking a closer look at Oracle software following a breach of its cloud service that reportedly stemmed from exploitation of an older flaw, CVE-2021-35587. Searchlight Cyber, AssetNote's parent company, published a technical analysis of CVE-2025-61757 on Thursday, warning that the vulnerability was easily exploitable.

The following day, the US Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog. The scope of the exploitation activity is unclear, but federal civilian executive branch (FCEB) agencies have until Dec. 12 to patch CVE-2025-61757.

A Semicolon Screws Up Identity Manager

In Searchlight Cyber's research, Kues and Shah explained that the breach of Oracle Cloud earlier this year prompted them to examine the software around the cloud service's login host. The breach was tied to CVE-2021-35587, a vulnerability in Oracle Access Manager (OAM) that allowed the threat actor to achieve RCE on the service's host, login.us2.oraclecloud.com.

"This marked one of the most significant compromises of a cloud provider to date, and ironically, it was because they were running their own software, albeit an outdated version without security patches applied," they wrote.

The duo found another RCE flaw, CVE-2025-61757, in Oracle Identity Manager (OIM) that could have a similar impact to the 2021 vulnerability. "This pre-authentication RCE we found would also have been able to breach login.us2.oraclecloud.com, as it was running both OAM and OIM," Kues and Shah noted.

After examining the code base, the researchers found exposed REST management APIs that had "lots of dangerous-looking functionality," they said. Eventually, Kues and Shah found they could completely bypass authentication for the APIs by tinkering with web routes and GET parameters — in some cases, by simply adding a semicolon to the destination URL.

The root cause of the vulnerability, according to the researchers, was a common problem with security filters for Java applications. "The vulnerability our team discovered follows a familiar pattern in Java: filters designed to restrict authentication often contain easy-to-exploit authentication bypass flaws," Kues and Shah wrote. "Logical flaws in how Java interprets request URIs are a gift that continues giving when paired with matrix parameters."

Oracle customers should update their software as soon as possible, as CVE-2025-61757 is under active exploitation in the wild. The attacks on CVE-2025-61757 follow the Oracle Cloud breach earlier this year as well as the recent data theft and extortion campaign targeting Oracle E-Business Suite customers.

Summarized

The exploitation of CVE-2025-61757, a remote code execution (RCE) vulnerability in Oracle's Identity Manager solution for Oracle Fusion Middleware, is actively occurring in the wild and marks a significant, ongoing threat to Oracle customers. The vulnerability, first disclosed and patched in Oracle's October 2025 security update alongside 373 other vulnerabilities, received a CVSS score of 9.8, reflecting its critical severity. Analysis by AssetNote security researchers Adam Kues and Shubham Shah showed how easily the flaw could be exploited, and the Cybersecurity and Infrastructure Security Agency (CISA) responded by adding the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. The scope of the exploitation is currently unclear; however, federal civilian executive branch (FCEB) agencies have been mandated to apply the patches by December 12, 2025.

The discovery of CVE-2025-61757 stemmed from a deeper investigation following the Oracle Cloud breach earlier in the year, an incident linked to exploitation of CVE-2021-35587, a vulnerability in Oracle Access Manager (OAM). That breach, which allowed the threat actor to achieve RCE on the service's host, login.us2.oraclecloud.com, led Kues and Shah to examine the software around the cloud service's login host closely. In doing so, they found another RCE vulnerability, CVE-2025-61757, in Oracle Identity Manager (OIM), with a potential impact comparable to the 2021 vulnerability. Because the login host was running both OIM and OAM, the researchers noted, the new pre-authentication flaw could have breached it as well.

A key aspect of the vulnerability lies in its exposed APIs. Kues and Shah found REST management APIs with “lots of dangerous-looking functionality,” according to their research. The critical element of the exploit involved manipulating web routes and GET parameters to bypass authentication for those APIs, in some cases by simply adding a semicolon to the destination URL, which then opened the way to RCE. This underscores a common issue: logical flaws in how Java applications interpret request URIs, paired with matrix parameters, create a predictable and easily exploitable weakness.

The root cause of this issue, as Rob Wright, Senior News Director at Dark Reading, reports citing the researchers, reflects a widespread concern in Java security: flawed security filters. Filters intended to gate access to authenticated users repeatedly contain bypass flaws that follow predictable patterns. As Kues and Shah put it, the vulnerability follows a familiar pattern in Java, in which filters designed to restrict authentication often contain easily exploitable authentication bypass flaws.
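The filter-versus-container mismatch named in the article's root-cause paragraph and restated in this summary, as an added Java illustration that is not from the researchers' write-up or from Oracle's code: a naive filter tests a prefix against the raw request URI, while a Tomcat-style container strips matrix (path) parameters before dispatching, so the two disagree on the constructed path `/management;x=1/users`. The protected prefix, class and sample URIs are hypothetical.

```java
import java.net.URI;
import java.util.List;

/** Added demo: an auth filter must decide on the dispatched path, not the raw URI. */
public final class PathParamFilterDemo {

    // Hypothetical protected prefix; stands in for any product's management API.
    static final String PROTECTED_PREFIX = "/management/";

    /**
     * Mimics what servlet containers do before mapping a request: within each
     * path segment, everything from ';' up to the next '/' is a path (matrix)
     * parameter and is dropped, so "/management;x=1/users" dispatches to
     * "/management/users". Input is the request path only (no query string),
     * which is what HttpServletRequest.getRequestURI() returns.
     */
    static String stripPathParameters(String rawPath) {
        StringBuilder out = new StringBuilder(rawPath.length());
        boolean inParam = false;
        for (char c : rawPath.toCharArray()) {
            if (c == '/') { inParam = false; out.append(c); }
            else if (c == ';') { inParam = true; }
            else if (!inParam) { out.append(c); }
        }
        return out.toString();
    }

    /** Flawed pattern: a prefix test on the raw URI the filter receives. */
    static boolean naiveRequiresAuth(String rawRequestUri) {
        return rawRequestUri.startsWith(PROTECTED_PREFIX);
    }

    /** Hardened: normalize the way the container will, and fail closed on malformed input. */
    static boolean hardenedRequiresAuth(String rawRequestUri) {
        try {
            String path = URI.create(stripPathParameters(rawRequestUri)).normalize().getPath();
            return path == null || path.startsWith(PROTECTED_PREFIX);
        } catch (IllegalArgumentException malformed) {
            return true; // unparseable request: treat as protected rather than letting it through
        }
    }

    public static void main(String[] args) {
        // Constructed sample URIs; the second one is where the two checks disagree.
        for (String uri : List.of("/management/users", "/management;x=1/users", "/public/login")) {
            System.out.printf("%-24s naive=%-5b hardened=%-5b dispatched=%s%n", uri,
                    naiveRequiresAuth(uri), hardenedRequiresAuth(uri), stripPathParameters(uri));
        }
    }
}
```

In a real servlet filter the equivalent of the hardened check is to match on `getServletPath()` plus `getPathInfo()`, which the container has already stripped of path parameters, or to use the framework's own request matcher rather than string tests on `getRequestURI()`.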

The exploitation of CVE-2025-61757 follows earlier incidents affecting Oracle customers, including the Oracle Cloud breach earlier in the year and a recent data theft and extortion campaign targeting Oracle E-Business Suite customers. This reinforces the importance of prompt patching and a robust vulnerability management program for organizations using Oracle software. The situation highlights a broader trend, in which vulnerabilities in widely used enterprise software repeatedly offer attackers a pathway for exploitation.