🚨 CRITICAL intel

CVE-2025-61757 – Oracle Identity Manager Pre-Auth RCE Exploited

CVE-2025-61757 affects Oracle Identity Manager (OIM) and enables pre-authentication remote code execution through a REST API authentication-bypass chain. Attackers append URL suffixes such as ?WSDL or ;.wadl to protected REST paths to trick the security filter into treating them as public metadata requests, then reach a Groovy script compilation endpoint and execute arbitrary code at compile time. The activity maps to MITRE ATT&CK T1190 (Exploit Public-Facing Application) and T1059 (Command and Scripting Interpreter).

The vulnerability was fixed in Oracle's October 2025 Critical Patch Update, but CISA has since added it to the Known Exploited Vulnerabilities (KEV) catalog after evidence of in-the-wild exploitation and likely zero-day use. Once an attacker reaches the Groovy compilation endpoint without authentication, they can abuse compile-time annotation processing to run a malicious Groovy payload while the script is being compiled, turning what should be a non-executing compile-check endpoint into an RCE primitive. Reported attack activity includes automated HTTP POST scans to /iam/governance/applicationmanagement/templates;.wadl and related endpoints from multiple source IPs, all using the same User-Agent string, which suggests a single campaign.

Because OIM typically fronts enterprise identity governance and provisioning flows, successful exploitation can lead to full compromise of identity stores, admin consoles and downstream applications federated with OIM. From a business standpoint, a compromised OIM server lets attackers provision or modify privileged accounts, reset credentials, and pivot into ERP, HR and CRM systems. This creates severe exposure under GDPR, SOX and sectoral regulations, where privileged identity misuse or unauthorized access to financial and HR systems constitutes a reportable breach. Active exploitation and inclusion in CISA's KEV catalog significantly increase the urgency for government and critical infrastructure operators, where unpatched OIM instances represent a high-value target.
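The bypass described above is a parsing differential: the security filter decides "is this public?" from the raw request target, while the REST router dispatches on a normalized path with the query string and any `;` matrix parameter removed. The following is an added example, not Oracle's code or any published exploit; it models that differential with a naive suffix-based filter beside a hardened one. The resource paths (`/iam/governance/adapters/compile`, `/iam/governance/application.wadl`), the `PROTECTED`/`PUBLIC_METADATA` sets and the function names are hypothetical; only the two probe suffixes and the templates path come from the reported activity.

```python
"""Model of the parsing differential behind the CVE-2025-61757 auth bypass.

Added example, not Oracle's code: a filter decides whether a request is
"public" by looking at the raw request target, while the REST router
dispatches on a normalized path (query string and ';' matrix parameters
removed). The resource names are hypothetical; only the two probe suffixes
(?WSDL and ;.wadl) and the templates path come from the reported activity.
"""
from urllib.parse import urlsplit

# Hypothetical resources. In real OIM the compile resource's path differs.
PROTECTED = {
    "/iam/governance/applicationmanagement/templates",
    "/iam/governance/adapters/compile",  # stand-in for the Groovy compile endpoint
}
PUBLIC_METADATA = {"/iam/governance/application.wadl"}  # WADL document, legitimately public


def normalize(request_target: str) -> str:
    """Path a JAX-RS style router dispatches on: strip the query string and
    any matrix parameter (everything after ';') from every segment, so
    '/a/b;.wadl' and '/a/b?WSDL' both resolve to '/a/b'."""
    path = urlsplit(request_target).path
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def vulnerable_is_public(request_target: str) -> bool:
    """Naive allowlist: anything that looks like a WSDL/WADL fetch is public.
    Decided on the RAW target, so '/x/templates;.wadl' ends with '.wadl'
    (a matrix parameter) and '/x/compile?WSDL' ends with '?WSDL', yet the
    router sends both to protected resources (see normalize)."""
    upper = request_target.upper()
    return upper.endswith("?WSDL") or upper.endswith(".WADL")


def hardened_is_public(request_target: str) -> bool:
    """Decide on the same normalized path the router uses, against an
    explicit set of public resources rather than a suffix pattern."""
    return normalize(request_target) in PUBLIC_METADATA


def dispatch(request_target: str, is_public) -> tuple:
    """Return (status, resolved_path) for one request under a given filter."""
    path = normalize(request_target)
    if path in PROTECTED:
        return ("200" if is_public(request_target) else "401", path)
    if path in PUBLIC_METADATA:
        return ("200", path)
    return ("404", path)


if __name__ == "__main__":
    probes = [
        "/iam/governance/applicationmanagement/templates;.wadl",
        "/iam/governance/adapters/compile?WSDL",
        "/iam/governance/application.wadl",
    ]
    for target in probes:
        for name, check in (("vulnerable", vulnerable_is_public),
                            ("hardened", hardened_is_public)):
            status, path = dispatch(target, check)
            print(f"{name:10} {target:55} -> {status} {path}")
```

The general lesson is the same whatever the framework: an authentication filter must make its decision on exactly the path the router will act on, and must allowlist concrete public resources rather than string suffixes. Applying Oracle's patch is the fix for OIM itself; the hardened check here only illustrates the principle.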
Oracle shipped the fix in the October 21, 2025 Critical Patch Update, and CISA has set a binding remediation deadline for U.S. Federal Civilian Executive Branch agencies. Organizations running Oracle Identity Manager should immediately identify exposed OIM endpoints, apply the latest CPU, and verify that the vulnerable REST paths are no longer reachable from untrusted networks. Short-term mitigations include restricting OIM access to trusted networks, deploying WAF rules that block ?WSDL and ;.wadl probes against OIM REST paths, and monitoring logs for requests to the Groovy compilation endpoint and for anomalous identity administration actions. Scope any blocking rule to the OIM REST paths (?WSDL is also how legitimate SOAP clients fetch service descriptions) and treat it as a stopgap, not a substitute for the patch.

🎯CORTEX Protocol Intelligence Assessment

Business Impact: CVE-2025-61757 in Oracle Identity Manager allows unauthenticated attackers to gain remote code execution against core identity infrastructure, enabling account takeover, privilege abuse and downstream compromise of business-critical applications. Active exploitation and CISA KEV inclusion mean unpatched organizations face an elevated breach likelihood and potential regulatory exposure under GDPR and SOX.

Technical Context: The flaw chains a REST API access-control bypass with a Groovy compilation endpoint that executes attacker-controlled code at compile time, mapping to MITRE ATT&CK T1190 and T1059. Attackers scan for OIM instances using crafted paths with ?WSDL or ;.wadl suffixes, then POST malicious Groovy payloads for pre-auth RCE. Oracle's October 2025 CPU remediates the issue, but compensating controls such as WAF rules and network isolation remain essential until all instances are patched.

Strategic Intelligence Guidance

  • Inventory all Oracle Identity Manager deployments, prioritize internet-facing instances, and apply the October 2025 Critical Patch Update that remediates CVE-2025-61757 within 48 hours.
  • Implement WAF rules to block suspicious OIM REST paths containing ?WSDL or ;.wadl and monitor for Groovy compilation requests originating from untrusted IP ranges.
  • Restrict OIM administrative and REST access to trusted network segments or VPN-only access while enabling enhanced logging for identity changes and privileged account operations.
  • Embed identity-platform patch SLAs and KEV-driven remediation playbooks into IAM governance processes so critical IAM components are treated as Tier 0 assets with strict change control.
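The monitoring items above (bypass probes on OIM REST paths, requests to the Groovy compilation endpoint, and many source IPs sharing one User-Agent) can be checked directly against web-server access logs. The following is an added example, not part of the original advisory or any vendor tooling: it parses combined-format log lines, flags the two bypass suffixes and POSTs to a compile path, and groups hits by User-Agent to surface a single campaign behind several IPs. The log lines are constructed for the example, the `GROOVY_COMPILE_RE` pattern is a hypothetical placeholder to be tuned to the real compile resource in your deployment, and the `/iam/governance/adapters/compile` path it matches is invented.

```python
"""Detection pass for CVE-2025-61757 probe traffic over web-server access logs.

Added example, not part of the original advisory or any vendor tooling.
It flags the two bypass suffixes (?WSDL, ;.wadl) on /iam/ paths, POSTs to a
Groovy compile path, and groups hits by User-Agent to surface a single
campaign behind many source IPs. The log lines below are constructed; the
Groovy compile path pattern is a hypothetical placeholder.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache/nginx combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hypothetical: tune to the real Groovy compile resource in your OIM version.
GROOVY_COMPILE_RE = re.compile(r"^/iam/.*(groovy|compile)", re.I)


def parse_line(line: str):
    """Return the log fields as a dict, or None for lines that do not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def probe_reasons(entry: dict) -> list:
    """List the reasons one request looks like CVE-2025-61757 probing."""
    parts = urlsplit(entry["target"])
    reasons = []
    if not parts.path.startswith("/iam/"):
        return reasons  # only OIM paths are of interest here
    if ";.wadl" in parts.path.lower():
        reasons.append("matrix parameter ;.wadl on OIM path")
    if any(p.lower() == "wsdl" for p in parts.query.split("&")):
        reasons.append("?WSDL query on OIM path")
    if entry["method"] == "POST" and GROOVY_COMPILE_RE.search(parts.path):
        reasons.append("POST to Groovy compile path")
    return reasons


def analyze(lines):
    """Return (alerts, campaigns): per-request alerts, and User-Agents seen
    probing from more than one source IP, the signal the reporting used to
    tie the scans to a single campaign."""
    alerts = []
    ua_to_ips = defaultdict(set)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = probe_reasons(entry)
        if reasons:
            alerts.append({"ip": entry["ip"], "target": entry["target"],
                           "ua": entry["ua"], "reasons": reasons})
            ua_to_ips[entry["ua"]].add(entry["ip"])
    campaigns = {ua: sorted(ips) for ua, ips in ua_to_ips.items() if len(ips) > 1}
    return alerts, campaigns


# Constructed sample log: three scanner IPs sharing one UA, plus benign traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [20/Nov/2025:10:01:12 +0000] "POST /iam/governance/applicationmanagement/templates;.wadl HTTP/1.1" 200 512 "-" "ExampleScanner/1.0 (constructed)"',
    '198.51.100.7 - - [20/Nov/2025:10:01:13 +0000] "POST /iam/governance/applicationmanagement/templates;.wadl HTTP/1.1" 200 512 "-" "ExampleScanner/1.0 (constructed)"',
    '192.0.2.44 - - [20/Nov/2025:10:01:15 +0000] "GET /iam/governance/adapters/compile?WSDL HTTP/1.1" 200 88 "-" "ExampleScanner/1.0 (constructed)"',
    '203.0.113.10 - - [20/Nov/2025:10:01:20 +0000] "POST /iam/governance/adapters/compile;.wadl HTTP/1.1" 200 1024 "-" "ExampleScanner/1.0 (constructed)"',
    '10.0.0.5 - - [20/Nov/2025:10:02:00 +0000] "GET /iam/governance/applicationmanagement/templates HTTP/1.1" 401 0 "-" "Mozilla/5.0 (constructed)"',
    '10.0.0.9 - - [20/Nov/2025:10:02:05 +0000] "GET /healthz HTTP/1.1" 200 2 "-" "kube-probe/1.30"',
]

if __name__ == "__main__":
    found, groups = analyze(SAMPLE_LOG)
    for a in found:
        print(f'{a["ip"]:14} {a["target"]:60} {"; ".join(a["reasons"])}')
    for ua, ips in groups.items():
        print(f"campaign candidate: UA {ua!r} seen from {len(ips)} IPs: {', '.join(ips)}")
```

A 200 on a probe against a protected path is the strongest single indicator, since a patched or properly fronted instance should answer 401; a 401 to the same probe is still worth recording as reconnaissance. The User-Agent grouping is a cheap triage aid, not proof of attribution.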

CVEs

CVE-2025-61757

Vendors

Oracle
Oracle Identity Manager

Threats

Remote code execution
Zero-day exploitation

Targets

Identity and access management platforms
Government agencies
Large enterprises