Oracle OIM zero-day: Pre-auth RCE forces rapid patching across enterprises

The Cybersecurity and Infrastructure Security Agency (CISA) has flagged a pre-authenticated, critical remote code execution flaw in Oracle Identity Manager (OIM), noting that it has been actively exploited, and added it to its Known Exploited Vulnerabilities (KEV) catalog.

The flaw was first identified by Searchlight Cyber, which found it capable of allowing complete authentication bypass, enabling RCE through the abuse of a Groovy-script compile endpoint.

“Taking a closer look at the software running on Oracle Cloud’s login host and our customers’ attack surfaces, we discovered a pre-authentication RCE vulnerability in Oracle Identity Manager,” Searchlight researchers Adam Kues and Shubham Shah said in a blog post. “This pre-authentication RCE we found would also have been able to breach login.us2.oraclecloud.com, as it was running both OAM and OIM.”

The now-fixed bug may have potentially exposed hundreds of enterprise and government entities that rely on Oracle’s Identity Management software for user-credential and identity security, researchers added.

Oracle shipped a fix for the flaw in its October 2025 Critical Patch Update (CPU), which federal civilian agencies can apply immediately to meet CISA’s deadline of December 12, 2025.

Flawed authentication filter allows bypass

The vulnerability in OIM stems from an authentication-filter implementation that relies on a whitelist of URL patterns, a design known to be error-prone.

Researchers found that appending a query string such as “?WSDL” or a path parameter such as “;.wadl” to a protected endpoint (for example “/iam/governance/applicationmanagement/templates;.wadl”) causes the “SecurityFilter” declared in OIM’s web.xml to classify the route as “unauthenticated”, meaning it requires no authentication.

Once past the filter, an attacker can reach the REST endpoint “/application/groovyscriptstatus”, which is meant to syntax-check Groovy code rather than execute it. However, because Groovy processes annotations at compile time, the researchers demonstrated that compile-time code could be injected that triggers outbound callbacks and code execution.
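A defender-side illustration of the two indicators described above, written for this article rather than taken from Searchlight or Oracle: it parses web access-log lines, strips query strings and matrix parameters to recover the path the container actually serves, and flags protected OIM routes that were requested with “;” path parameters or a “?WSDL” query, or that resolve to the groovyscriptstatus endpoint. The log lines are constructed, and the full path under which the groovyscriptstatus endpoint is served is an assumption.

```python
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample access-log lines (combined-log style), not real traffic; the
# full path of the groovyscriptstatus endpoint is an assumption for illustration.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Sep/2025:10:01:12 +0000] "GET /iam/governance/applicationmanagement/templates HTTP/1.1" 401 0
10.0.0.5 - - [02/Sep/2025:10:01:15 +0000] "GET /iam/governance/applicationmanagement/templates;.wadl HTTP/1.1" 200 5120
10.0.0.9 - - [02/Sep/2025:10:02:40 +0000] "GET /iam/governance/applicationmanagement/templates?WSDL HTTP/1.1" 200 812
10.0.0.9 - - [02/Sep/2025:10:02:41 +0000] "POST /iam/governance/applicationmanagement/application/groovyscriptstatus;.wadl HTTP/1.1" 200 64
10.0.0.7 - - [02/Sep/2025:10:03:00 +0000] "GET /iam/governance/ui/home HTTP/1.1" 200 2048
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
PROTECTED_PREFIX = "/iam/governance/"           # routes the filter is meant to guard
GROOVY_ENDPOINT = "/application/groovyscriptstatus"

def normalize_path(target: str) -> str:
    """Drop the query string and any matrix parameter (';...' in a segment) to get the
    resource the container dispatches to; a filter matching the raw URI misses this."""
    path = urlsplit(target).path
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))

def classify(target: str) -> List[str]:
    """Return the indicators present in one request target (empty if none)."""
    parts = urlsplit(target)
    norm = normalize_path(target)
    reasons: List[str] = []
    if not norm.startswith(PROTECTED_PREFIX):
        return reasons
    if ";" in parts.path:
        reasons.append("matrix-parameter in protected path")
    if parts.query.upper().startswith("WSDL"):
        reasons.append("WSDL query on REST path")
    if norm.endswith(GROOVY_ENDPOINT):
        reasons.append("groovyscriptstatus reached")
    return reasons

def scan(log_text: str) -> List[Dict[str, object]]:
    """Parse each log line and keep those carrying at least one indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and (reasons := classify(m["target"])):
            hits.append({"ip": m["ip"], "method": m["method"], "status": m["status"],
                         "target": m["target"], "reasons": reasons})
    return hits
```

Running `scan(SAMPLE_LOG)` over the constructed lines returns three hits; the matrix-parameter check also catches requests that reached a non-401 response on a route the filter was supposed to guard, which is the case worth triaging first.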

The flaw, tracked as CVE-2025-61757, received a critical severity rating of 9.8 out of 10, owing to its ease of exploitation and, presumably, evidence of abuse as a zero-day. “Given the complexity of some previous Oracle Access Manager vulnerabilities, this one is somewhat trivial and easily exploitable by threat actors,” researchers noted.

The patching urgency

In its CPU advisory, Oracle addressed this flaw along with hundreds of others across its portfolio. Researchers describe it as a common Java filter flaw, which makes it familiar territory for attackers.

“The vulnerability our team discovered follows a familiar pattern in Java: filters designed to restrict authentication often contain easy-to-exploit authentication bypass flaws,” they said. “Logical flaws in how Java interprets request URIs are a gift that continues giving when paired with matrix parameters.”

The flaw affects OIM versions 12.2.1.4.0 and 14.1.2.1.0. According to Johannes Ullrich, Dean of Research at the SANS Technology Institute, the proof-of-concept (PoC) URL published by Searchlight Cyber Research was accessed “several times between August 30th and September 9th” this year.

Attacker IP addresses shared by Ullrich include 89.238.132.76, 185.245.82.81, and 138.199.29.153. Searchlight researchers noted that participating in capture-the-flag (CTF) style work and probing compile-time or annotation chains continues to yield fresh RCEs.
