A critical vulnerability in Oracle Identity Manager, tracked as CVE-2025-61757, is being actively exploited in the wild, posing a significant threat to organizations using affected versions of Oracle Fusion Middleware. This flaw, which has a CVSS score of 9.8, allows unauthenticated attackers to compromise the Identity Manager via HTTP, exploiting a weakness in the REST WebServices component. The vulnerability affects versions 12.2.1.4.0 and 14.1.2.1.0 of the software.
The vulnerability, categorized under CWE-306, is a result of improper authentication controls, enabling remote code execution by attackers who gain network access. This has led to its inclusion in CISA's Known Exploited Vulnerabilities (KEV) catalog as of November 21, 2025, underscoring the urgency for organizations to address this security gap.
With an Exploit Prediction Scoring System (EPSS) of 0.878, the likelihood of exploitation is high, and the vulnerability has already been exploited within 30 days of its disclosure, as indicated by its Time to Exploit (TTE) metric of 30.2 days. The availability of two proof-of-concept (PoC) exploits further exacerbates the risk, providing attackers with the tools needed to leverage this flaw effectively.
Oracle Identity Manager is a critical component for managing user identities and access across enterprise environments, making this vulnerability particularly concerning. Successful exploitation can lead to unauthorized access and potential data breaches, compromising sensitive information and undermining organizational security.
Organizations using the affected versions of Oracle Identity Manager should prioritize patching to mitigate the risk of exploitation. The Security Severity Vulnerability Classification (SSVC) recommends immediate action, reflecting the critical nature of this threat. Oracle has released patches, and it is imperative that security teams apply these updates without delay to protect their systems from potential attacks.
As attackers continue to exploit this vulnerability, defenders should monitor network traffic for unusual activity, particularly attempts to access the REST WebServices component. Implementing additional security measures, such as network segmentation and enhanced monitoring, can help mitigate the risk until patches are fully deployed.
CSURFACE