
Critical Oracle Identity Manager RCE flaw revealed, PoC published


Researchers published a technical analysis of a critical Oracle Identity Manager (OIM) vulnerability Thursday, which could allow an attacker to achieve remote code execution (RCE) without authentication and may have been exploited as a zero-day.

The vulnerability, tracked as CVE-2025-61757, was originally disclosed and patched by Oracle on Oct. 21, 2025, and assigned a critical CVSS score of 9.8.

The flaw was discovered by Searchlight Cyber researchers Adam Kues and Shubham Shah who published their technical analysis and proof-of-concept (PoC) exploit for the flaw on Nov. 20, 2025.

This analysis revealed how an attacker could bypass OIM’s authentication checks using a crafted URL ending in “;.wadl,” because OIM’s security filter does not require authentication for routes ending in .wadl.

An unauthenticated user could then target the groovyscriptstatus endpoint, which compiles a submitted Groovy script but does not execute it. The researchers found, however, that they could leverage Java’s annotation processor to write Groovy annotations whose code runs at compile time, turning the compile-only check into code execution.

Searchlight Cyber noted that this flaw is “easily exploitable by threat actors” and poses a significant risk to the hundreds of enterprises that use OIM for identity and credentials management.

Possible exploit attempts prior to disclosure

Following Searchlight’s analysis, SANS Internet Storm Center (ISC) Founder Johannes Ullrich said in a post that the vulnerable endpoint used for Searchlight’s PoC exploit was accessed multiple times between Aug. 30 and Sept. 9, 2025.

Ullrich wrote that the URL was scanned by three IP addresses using the same user agent, and that the same IP addresses had also been used to target URLs associated with other vulnerabilities, including Liferay CVE-2025-4581 and Log4j.

“The activity looked more like it came from attackers [than researchers] as the same IP addresses scanned for other vulnerabilities as well, not just the Oracle issue,” Ullrich told SC Media.

SC Media reached out to Searchlight Cyber to ask whether this activity came from its researchers but had not received a response by publication time.
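As an added, defender-side illustration that is not part of the article or of the researchers’ PoC, the following Python script scans web access logs for the two request characteristics the article describes: a final path segment that carries a “;” path parameter ending in .wadl, and any request to the groovyscriptstatus endpoint. It also aggregates hits per source IP and user agent, which is the grouping Ullrich used to judge the pre-disclosure scanning. The log lines and the /PLACEHOLDER_OIM_API base path are constructed for the example; the article does not give the endpoint’s full path.

```python
"""Flag suspicious Oracle Identity Manager (OIM) requests in access logs.

Signals (from the article's description of CVE-2025-61757):
  1. "wadl_suffix_bypass": last path segment has a ';' path parameter ending
     in '.wadl' (the authentication-filter bypass described by Searchlight Cyber).
  2. "groovyscriptstatus_access": any request whose endpoint is groovyscriptstatus.

All log lines and the /PLACEHOLDER_OIM_API path are CONSTRUCTED for this
example; they are not real traffic and not the product's real route.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache/Nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines. The third line percent-encodes the ';' to show
# why decoding before matching matters; the last line is a legitimate WADL fetch.
SAMPLE_LOG = """\
203.0.113.10 - - [30/Aug/2025:02:14:07 +0000] "GET /PLACEHOLDER_OIM_API/groovyscriptstatus;.wadl HTTP/1.1" 200 512 "-" "Mozilla/5.0 (scanner-ua)"
203.0.113.10 - - [30/Aug/2025:02:14:09 +0000] "POST /PLACEHOLDER_OIM_API/groovyscriptstatus;.wadl HTTP/1.1" 200 88 "-" "Mozilla/5.0 (scanner-ua)"
198.51.100.7 - - [09/Sep/2025:11:02:41 +0000] "GET /PLACEHOLDER_OIM_API/groovyscriptstatus%3B.wadl HTTP/1.1" 403 0 "-" "Mozilla/5.0 (scanner-ua)"
10.0.0.5 - - [09/Sep/2025:11:05:00 +0000] "GET /identity/faces/signin HTTP/1.1" 200 4521 "-" "Mozilla/5.0 (Windows NT 10.0)"
10.0.0.6 - - [09/Sep/2025:11:06:12 +0000] "GET /PLACEHOLDER_OIM_API/application.wadl HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0)"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Drop the query string and percent-decode, so "%3B.wadl" is seen as ";.wadl".
    rec["path"] = unquote(rec["path"].split("?", 1)[0])
    return rec


def classify(path):
    """Return the set of signal names a decoded request path triggers."""
    signals = set()
    last = path.rsplit("/", 1)[-1]
    # A ';' path parameter whose value ends in .wadl is the bypass shape;
    # a plain "something.wadl" segment is an ordinary WADL request.
    if ";" in last and last.lower().endswith(".wadl"):
        signals.add("wadl_suffix_bypass")
    # Strip any ';...' parameter before comparing the endpoint name, so the
    # bypassed form of the endpoint is still recognised.
    endpoint = last.split(";", 1)[0].lower()
    if endpoint == "groovyscriptstatus":
        signals.add("groovyscriptstatus_access")
    return signals


def scan(log_text):
    """Return (findings, by_source): flagged records, and hit counts per (ip, ua)."""
    findings = []
    by_source = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        signals = classify(rec["path"])
        if signals:
            rec["signals"] = sorted(signals)
            findings.append(rec)
            by_source[(rec["ip"], rec["ua"])] += 1
    return findings, dict(by_source)


def sources_by_user_agent(by_source):
    """Group source IPs by user agent: several IPs sharing one UA is the
    pattern the ISC post described for the pre-disclosure scanning."""
    grouped = defaultdict(set)
    for (ip, ua), _count in by_source.items():
        grouped[ua].add(ip)
    return {ua: sorted(ips) for ua, ips in grouped.items()}


if __name__ == "__main__":
    found, sources = scan(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['ip']} {f['method']} {f['path']} -> {f['status']} {f['signals']}")
    for ua, ips in sources_by_user_agent(sources).items():
        print(f"UA {ua!r} seen from {len(ips)} source(s): {ips}")
```

Running the script over the constructed sample flags three of the five lines and leaves the ordinary sign-in and application.wadl requests alone; in production the same two predicates can be turned into a WAF or SIEM rule, with the percent-decoding step kept so encoded separators are not missed.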


Customers urged to patch as soon as possible

CVE-2025-61757 affects Oracle Identity Manager versions 12.2.1.4.0 and 14.1.2.10. Patch details and documentation are provided in Oracle’s Critical Patch Update Advisory for October 2025, which addressed a total of 374 security patches across Oracle’s product families.

“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible,” the advisory stated.

Exploitation of CVE-2025-61757 poses a high risk to confidentiality, integrity and availability and “can result in takeover of Identity Manager,” according to its CVE description.

The disclosure of this critical flaw comes after ransomware attacks targeting an Oracle zero-day, CVE-2025-61882 in Oracle E-Business Suite (EBS), claimed several victims including The Washington Post.

Oracle also faced claims earlier this year that records from millions of accounts were stolen from its systems, spurring an advisory from the Cybersecurity and Infrastructure Security Agency (CISA) urging customers to tighten security on their Oracle Cloud deployments, although Oracle denied any breach of Oracle Cloud.
