CVE-2025-61757 is a critical authentication-bypass vulnerability in Oracle Identity Manager (OIM) within Oracle Fusion Middleware versions 12.2.1.4.0 and 14.1.2.1.0, enabling pre-authentication remote code execution via exposed REST APIs, mapped to MITRE ATT&CK techniques T1190 (Exploit Public-Facing Application) and T1068 (Exploitation for Privilege Escalation). Attackers can append suffixes such as ?WSDL or ;.wadl to OIM REST paths to trick security filters into treating protected endpoints as public, granting unauthenticated access to sensitive functionality. Once inside, adversaries can abuse a Groovy script compilation endpoint to execute malicious code during compilation using Groovy’s annotation-processing features, achieving full RCE on vulnerable OIM instances.

Oracle issued an emergency alert in late October 2025, and CISA added CVE-2025-61757 to its Known Exploited Vulnerabilities catalog on November 21, confirming active exploitation by multiple threat actors. Imperva’s telemetry has recorded more than 300,000 attack attempts over a week targeting OIM deployments across at least 18 countries, with the US and France hit hardest and sectors such as computing, healthcare, and business services bearing the brunt.

Because Oracle Identity Manager underpins identity and access management for many large enterprises, exploitation can give adversaries a direct path into identity stores, admin consoles, and downstream applications integrated with OIM. The business impact is significant: a compromised identity platform can facilitate mass account takeover, privilege escalation, and persistence across critical business systems, potentially leading to data breaches, ransomware deployment, and regulatory violations under GDPR, HIPAA, and sector-specific regulations. Attackers gaining RCE on OIM may also tamper with identity workflows, audit logs, and connectors to other systems, complicating incident response and undermining trust in identity data.
Organizations should urgently apply Oracle’s patches and virtual patching protections, including WAF rules that block exploit patterns such as suspicious ?WSDL and ;.wadl suffixes on OIM endpoints. Imperva customers with Elastic WAF, Cloud WAF, or on-prem WAF reportedly receive out-of-the-box coverage, but defenders should still monitor for anomalous requests and follow-on activity from potentially compromised OIM hosts. Segmentation of identity infrastructure, strict access controls to OIM admin interfaces, and thorough log review for unusual compilation or script activities are critical while patching and cleanup proceed.
🎯CORTEX Protocol Intelligence Assessment
Business Impact: CVE-2025-61757 exposes organizations running Oracle Identity Manager to direct compromise of their core identity platform via unauthenticated RCE, enabling attackers to take over privileged accounts and pivot across integrated systems. Successful exploitation can drive large-scale data breaches, outages, and regulatory penalties, particularly in finance, healthcare, and government sectors that depend heavily on Oracle IAM and must meet strict compliance requirements.

Technical Context: The vulnerability maps to T1190 exploitation of a public-facing application combined with T1068 privilege escalation, as attackers abuse URL suffix tricks to bypass OIM REST API authentication and then leverage a Groovy compilation endpoint for code execution. High-volume exploitation attempts observed globally underscore the need for rapid patching, robust WAF protections, and careful monitoring of identity infrastructure for signs of compromise.
⚡Strategic Intelligence Guidance
- Identify all Oracle Identity Manager instances in your environment and apply the latest Oracle patches addressing CVE-2025-61757 as an emergency change with board-level visibility where appropriate.
- Deploy or update WAF rules to detect and block suspicious OIM REST API requests using parameters such as ?WSDL and ;.wadl, and monitor logs for historical evidence of such patterns.
- Segment identity infrastructure from general application networks, strictly limit access to OIM administration interfaces, and enforce MFA for administrative accounts.
- Perform targeted threat hunting and log review on OIM servers for unusual Groovy compilation activity, anomalous outbound connections, and changes to identity workflows or privileged accounts.
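To support the WAF tuning and historical log review recommended above, here is an added detection example (not code from Imperva, Oracle, or the original post) that scans combined-format web access logs for OIM REST requests carrying the ?WSDL or ;.wadl suffixes. The /oim-rest/ path prefix, the field names, and the sample log lines are constructed assumptions; point the prefix at whatever path your reverse proxy forwards to OIM.

```python
import re
from typing import Iterable, List, Optional
from urllib.parse import unquote, urlsplit

# Suffix tricks named in the write-up: a "?WSDL" query string and a ";.wadl" path parameter on an OIM REST path.
WADL_PATH_PARAM = re.compile(r";\.wadl", re.IGNORECASE)
WSDL_QUERY = re.compile(r"(?:^|&)wsdl(?:=|&|$)", re.IGNORECASE)
# Placeholder OIM REST prefix (an assumption, not a real OIM route); set it to what your proxy forwards to OIM.
DEFAULT_PREFIXES = ("/oim-rest/",)
# Apache/NGINX combined log format; only source, time, request target and status are extracted.
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def classify_target(target: str, prefixes=DEFAULT_PREFIXES) -> Optional[str]:
    """Name the bypass trick a request target uses, or None if it looks benign."""
    parts = urlsplit(target)  # urlsplit keeps ';...' inside .path, unlike urlparse
    path, query = unquote(parts.path), unquote(parts.query)  # normalise percent-encoding before matching
    if not path.lower().startswith(tuple(p.lower() for p in prefixes)):
        return None  # outside the OIM REST tree: not in scope for this rule
    if WADL_PATH_PARAM.search(path):
        return "wadl-path-parameter"
    if WSDL_QUERY.search(query):
        return "wsdl-query"
    return None

def scan_log(lines: Iterable[str], prefixes=DEFAULT_PREFIXES) -> List[dict]:
    """Collect access-log requests that carry the bypass suffixes, in log order."""
    hits: List[dict] = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        reason = classify_target(m["target"], prefixes)
        if reason:
            hits.append({"ip": m["ip"], "time": m["ts"], "target": m["target"],
                         "status": int(m["status"]), "reason": reason})
    return hits

# Constructed sample log (RFC 5737 documentation addresses); not real telemetry.
SAMPLE_LOG = """\
203.0.113.10 - - [21/Nov/2025:10:01:02 +0000] "GET /oim-rest/api/v1/users?WSDL HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.10 - - [21/Nov/2025:10:01:05 +0000] "POST /oim-rest/api/v1/scripts;.wadl HTTP/1.1" 200 88 "-" "curl/8.0"
198.51.100.7 - - [21/Nov/2025:10:02:11 +0000] "GET /oim-rest/api/v1/users?limit=10 HTTP/1.1" 401 0 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Nov/2025:10:02:30 +0000] "GET /static/app.js?WSDL HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG.splitlines()):
        print(f'{h["time"]} {h["ip"]} {h["reason"]} {h["target"]} -> {h["status"]}')
```

A hit with a 2xx status on a path that normally requires authentication is the one to escalate first, since it suggests the filter bypass succeeded rather than merely being attempted.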
Threats
web exploitation, identity platform compromise
Targets
Oracle Identity Manager servers, enterprise IAM infrastructure, identity-aware applications