CISA Warns of Actively Exploited Critical Oracle Identity Manager Zero-Day Vulnerability - The Hacker News
CISA Warns of Actively Exploited Critical Oracle Identity Manager Zero-Day Vulnerability
Ravie Lakshmanan, Nov 22, 2025, Zero-Day / Software Security
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a critical security flaw impacting Oracle Identity Manager to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerability in question is CVE-2025-61757 (CVSS score: 9.8), a case of missing authentication for a critical function that can result in pre-authenticated remote code execution. The vulnerability affects versions 12.2.1.4.0 and 14.1.2.1.0. It was addressed by Oracle as part of its quarterly updates released last month.
"Oracle Fusion Middleware contains a missing authentication for a critical function vulnerability, allowing unauthenticated remote attackers to take over Identity Manager," CISA said.
Searchlight Cyber researchers Adam Kues and Shubham Shah, who discovered the flaw, said it can permit an attacker to access API endpoints that, in turn, can allow them "to manipulate authentication flows, escalate privileges, and move laterally across an organization's core systems."
Specifically, it stems from a bypass of a security filter that tricks protected endpoints into being treated as publicly accessible by simply adding "?WSDL" or ";.wadl" to any URI. This, in turn, is the result of a faulty allow-list mechanism based on regular expressions or string matching against the request URI.
"This system is very error-prone, and there are typically ways to trick these filters into thinking we're accessing an unauthenticated route when we're not," the researchers noted.
The authentication bypass can then be paired with a request to the "/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus" endpoint to achieve remote code execution by sending a specially crafted HTTP POST. While the endpoint is only meant for checking the syntax of Groovy code and not executing it, Searchlight Cyber said it was able to "write a Groovy annotation that executes at compile time, even though the compiled code is not actually run."
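To show why a suffix-based URI allow-list of the kind described above fails and what a path-normalizing check looks like, here is an added Python illustration (not Oracle's filter code; the route table, function names and the one public WADL path are hypothetical): the naive matcher treats the protected endpoint as public as soon as ";.wadl" or "?WSDL" is appended, while the hardened version decides only on the normalized path and denies by default.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Hypothetical route table for illustration only; not Oracle's configuration.
PROTECTED_PREFIX = "/iam/governance/"
PUBLIC_PATHS = {"/iam/governance/applicationmanagement/api/v1/application.wadl"}
GROOVY_ENDPOINT = "/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus"

# Naive rule: anything that "looks like" a WSDL/WADL request on the raw URI is public.
NAIVE_PUBLIC = re.compile(r"(\?wsdl$|\.wadl$)", re.IGNORECASE)


def naive_requires_auth(request_uri: str) -> bool:
    """Flawed check: matches the raw request URI, so a trailing suffix flips the decision."""
    if NAIVE_PUBLIC.search(request_uri):
        return False
    return request_uri.startswith(PROTECTED_PREFIX)


def normalize_path(request_uri: str) -> str:
    """Reduce a request URI to the canonical path the router will actually dispatch on."""
    path = urlsplit(request_uri).path      # discard ?query and #fragment
    path = unquote(path)                   # decode %3B etc. before stripping parameters
    path = re.sub(r";[^/]*", "", path)     # strip ;matrix-parameters from every segment
    return posixpath.normpath(path)        # collapse //, ./ and ../


def hardened_requires_auth(request_uri: str) -> bool:
    """Deny by default: only an exact match on the normalized path is public."""
    return normalize_path(request_uri) not in PUBLIC_PATHS
```

The same normalization step belongs in front of any allow-list that is keyed on request URIs, whether it is implemented as a servlet filter, a reverse-proxy rule or a WAF policy.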
The addition of CVE-2025-61757 to the KEV catalog comes days after Johannes B. Ullrich, the dean of research at the SANS Technology Institute, said an analysis of honeypot logs revealed several attempts to access the URL "/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl" via HTTP POST requests between August 30 and September 9, 2025.
"There are several different IP addresses scanning for it, but they all use the same user agent, which suggests that we may be dealing with a single attacker," Ullrich said. "Sadly, we did not capture the bodies for these requests, but they were all POST requests. The content-length header indicated a 556-byte payload."
This indicates that the vulnerability may have been exploited as a zero-day vulnerability, well before a patch was shipped by Oracle. The IP addresses from which the attempts originated are listed below:
89.238.132[.]76
185.245.82[.]81
138.199.29[.]153
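The honeypot pattern Ullrich describes (POST requests to the groovyscriptstatus path with ";.wadl" appended, several source addresses sharing one user agent) can be surfaced from ordinary web-server access logs. The following is an added Python example, not code from the article or from SANS; it runs over constructed combined-format log lines that use RFC 5737 documentation addresses and an invented user agent, none of which are real indicators.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

GROOVY_ENDPOINT = "/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus"

# Constructed sample access-log lines (combined format). Addresses are from RFC 5737
# documentation ranges and the user agent is invented; none are real indicators.
SAMPLE_LOG = """\
192.0.2.10 - - [30/Aug/2025:11:02:17 +0000] "POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl HTTP/1.1" 200 89 "-" "Mozilla/5.0 example-scanner"
192.0.2.11 - - [02/Sep/2025:03:14:09 +0000] "POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl HTTP/1.1" 200 89 "-" "Mozilla/5.0 example-scanner"
198.51.100.7 - - [05/Sep/2025:08:00:00 +0000] "GET /iam/governance/applicationmanagement/api/v1/applications?WSDL HTTP/1.1" 401 0 "-" "curl/8.4.0"
198.51.100.8 - - [05/Sep/2025:08:05:00 +0000] "GET /identity/faces/home HTTP/1.1" 200 5123 "-" "Mozilla/5.0 browser"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def suspicious_reasons(method: str, uri: str) -> list:
    """Return why a request matches the filter-bypass pattern (empty list if clean)."""
    parts = urlsplit(uri)
    reasons = []
    if ";" in parts.path:
        reasons.append("matrix parameter in path")
    if parts.query.lower() == "wsdl":
        reasons.append("?WSDL query appended")
    if method == "POST" and parts.path.split(";")[0] == GROOVY_ENDPOINT:
        reasons.append("POST to groovyscriptstatus")
    return reasons


def scan_log(log_text: str):
    """Return (hits, ips_by_user_agent) so one user agent across many IPs stands out."""
    hits = []
    ips_by_ua = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the sweep
        reasons = suspicious_reasons(m["method"], m["uri"])
        if reasons:
            hits.append((m["ip"], m["method"], m["uri"], reasons))
            ips_by_ua[m["ua"]].add(m["ip"])
    return hits, dict(ips_by_ua)


if __name__ == "__main__":
    for ip, method, uri, reasons in scan_log(SAMPLE_LOG)[0]:
        print(ip, method, uri, "->", "; ".join(reasons))
```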
In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary patches by December 12, 2025, to secure their networks.