Oracle Identity Manager has a critical remote code execution vulnerability exploitable by unauthenticated attackers
2025-11-26 14:49:25 Author: petri.com

Key Takeaways:

  • Oracle Identity Manager flaw allows unauthenticated remote code execution.
  • CISA mandates federal agencies patch it by December 12, 2025.
  • Exploitation uses documentation loopholes and Groovy script compilation.

Cybersecurity researchers have discovered a critical flaw in Oracle’s Identity Manager that allows unauthenticated remote code execution. CISA has ordered U.S. federal agencies to patch this actively exploited vulnerability within three weeks.

The security vulnerability, which is tracked as CVE-2025-61757, is a remote code execution flaw in the Identity Manager tool for Oracle Fusion Middleware. It could allow an unauthenticated hacker with network access to compromise Oracle’s Identity Manager and gain a complete takeover of the system. This flaw carries a CVSS score of 9.8, and it’s exploitable without credentials.

According to Searchlight Cyber researchers, Oracle Cloud’s login service was breached in January, affecting roughly 6 million records and 140,000 tenants. That attack used a different vulnerability, tracked as CVE-2021-35587. While analyzing the components of the compromised host, the researchers discovered CVE-2025-61757, an unauthenticated remote code execution (RCE) flaw in Oracle Identity Manager (OIM).

How do attackers exploit the flaw?

The attack chains two techniques, starting with an authentication bypass. Oracle Identity Manager uses a security filter that allows unauthenticated access to documentation endpoints such as ?WSDL or ;.wadl. Attackers exploited this by appending ;.wadl as a matrix parameter to sensitive REST API paths, which tricks the filter into skipping its authentication checks. This gave them access to privileged endpoints without credentials.

Once inside, the hackers targeted the Groovy script compilation feature. While scripts weren’t executed immediately, Groovy supports annotations like @ASTTest that run during compilation. The attackers embedded malicious code in these annotations to achieve remote code execution at compile time, which turned a documentation loophole into a full system compromise.

[Figure: Critical RCE Flaw in Oracle Identity Manager Puts Systems at Risk. Oracle Identity Manager (Image Credit: Searchlight Cyber)]

CISA has added this vulnerability to its Known Exploited Vulnerabilities catalog. The agency found that the flaw has been exploited in the wild since late August and has mandated that federal agencies apply the patches by December 12, 2025.

Steps organizations should take to protect themselves

Organizations should immediately apply Oracle’s October 2025 Critical Patch Update to address this vulnerability. Moreover, they should audit all exposed Oracle Identity Manager endpoints to ensure no undocumented or legacy interfaces are accessible from the internet. Administrators must restrict access to administrative APIs behind strong authentication and network segmentation.

Continuous monitoring for unusual requests is strongly recommended so that exploitation attempts are detected early. IT admins should also implement a robust patch management process and consider web application firewalls to block suspicious URL patterns.
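The matrix-parameter bypass described above and the monitoring advice in this section share one detection idea: strip `;...` matrix parameters from every path segment, then flag requests where a documentation suffix such as `.wadl` appears only in the matrix parameter and not in the normalized path. The following Python is an added example (not code from the article, Oracle, or Searchlight Cyber); the log lines and the `/example-oim/...` paths are constructed placeholders, not real Oracle Identity Manager endpoints.

```python
import re

# Constructed Apache-style access-log lines; the paths are placeholders, not real OIM routes.
LOG_SAMPLE = """\
10.0.0.5 - - [27/Aug/2025:10:01:02 +0000] "GET /example-oim/rest/v1/accounts;.wadl HTTP/1.1" 200 5120
10.0.0.5 - - [27/Aug/2025:10:01:09 +0000] "POST /example-oim/rest/v1/scripts;.wadl HTTP/1.1" 200 87
10.0.0.7 - - [27/Aug/2025:10:02:00 +0000] "GET /example-oim/rest/application.wadl HTTP/1.1" 200 9000
10.0.0.9 - - [27/Aug/2025:10:03:00 +0000] "GET /example-oim/rest/v1/accounts HTTP/1.1" 401 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Suffixes a documentation-exemption filter is likely to key on (assumed from the article's text).
DOC_SUFFIXES = (".wadl", ".wsdl")

def strip_matrix_params(path):
    """Remove ';...' matrix parameters from every path segment.
    '/a/b;.wadl/c;x=1' -> '/a/b/c'. Authorization decisions belong on this normalized form."""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))

def is_doc_bypass_attempt(target):
    """True when a documentation suffix shows up only inside a matrix parameter,
    i.e. the normalized path is not itself a documentation resource."""
    path = target.split("?", 1)[0]
    if strip_matrix_params(path).lower().endswith(DOC_SUFFIXES):
        return False  # genuine documentation request
    matrix_parts = [seg.split(";", 1)[1].lower() for seg in path.split("/") if ";" in seg]
    return any(suffix in part for part in matrix_parts for suffix in DOC_SUFFIXES)

def scan_log(text):
    """Return (ip, method, normalized_path, status) for each request flagged as a bypass attempt."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_doc_bypass_attempt(m["target"]):
            continue
        normalized = strip_matrix_params(m["target"].split("?", 1)[0])
        hits.append((m["ip"], m["method"], normalized, int(m["status"])))
    return hits

if __name__ == "__main__":
    for ip, method, path, status in scan_log(LOG_SAMPLE):
        print(f"possible auth-filter bypass from {ip}: {method} {path} -> HTTP {status}")
```

A flagged request that also returned 200 on a path that normally requires authentication is the strongest signal; the same normalization can feed a WAF rule that rejects matrix parameters on REST API paths outright.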


Source: https://petri.com/oracle-identity-manager-rce-flaw-risk/