{"id":5919,"date":"2025-11-24T11:28:01","date_gmt":"2025-11-24T11:28:01","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5919"},"modified":"2025-11-24T11:28:01","modified_gmt":"2025-11-24T11:28:01","slug":"oracle-oim-zero%e2%80%91day-pre%e2%80%91auth-rce-forces-rapid-patching-across-enterprises","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5919","title":{"rendered":"Oracle OIM zero\u2011day: Pre\u2011auth RCE forces rapid patching across enterprises"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>The Cybersecurity and Infrastructure Security Agency (CISA) has flagged a pre-authenticated, critical remote code execution flaw in Oracle Identity Manager (OIM), noting that it has been actively exploited, and added it to its Known Exploited Vulnerabilities (KEV) catalog.<\/p>\n<p>The flaw was first identified by Searchlight Cyber, which found it capable of allowing complete authentication bypass, enabling RCE through the abuse of a Groovy-script compile endpoint.<\/p>\n<p>\u201cTaking a closer look at the software running on Oracle Cloud\u2019s login host and our customers\u2019 attack surfaces, we discovered a pre-authentication RCE vulnerability in Oracle Identity Manager,\u201d Searchlight researchers Adam Kues and Shubham Shah said in a blog post. 
\u201cThis pre-authentication RCE we found would also have been able to breach login.us2.oraclecloud.com, as it was running both OAM and OIM.\u201d<\/p>\n<p>The now-fixed bug may have exposed hundreds of enterprise and government entities that rely on Oracle\u2019s Identity Management software for user-credential and identity security, researchers added.<\/p>\n<p>Oracle shipped a fix for the flaw in its October 2025 Critical Patch Update (CPU), which federal civilian agencies can apply immediately to meet CISA\u2019s <a href=\"https:\/\/www.cisa.gov\/news-events\/alerts\/2025\/11\/21\/cisa-adds-one-known-exploited-vulnerability-catalog\" target=\"_blank\" rel=\"noopener\">deadline<\/a> of December 12, 2025.<\/p>\n<h2 class=\"wp-block-heading\">Flawed authentication filter allows bypass<\/h2>\n<p>The vulnerability in OIM stems from an authentication-filter implementation that uses a whitelist of URL patterns, a known error-prone design.<\/p>\n<p>Researchers found that appending query strings like \u201c?WSDL\u201d or path parameters like \u201c;.wadl\u201d to protected endpoints (like \u201c\/iam\/governance\/applicationmanagement\/templates;.wadl\u201d) would cause \u201cSecurityFilter\u201d in OIM\u2019s web.xml to treat the route as \u201cunauthenticated\u201d\u2014meaning that it requires no authentication.<\/p>\n<p>Once past the filter, an attacker can reach the REST endpoint \u201c\/application\/groovyscriptstatus\u201d meant for syntax-checking Groovy code, not executing it. 
However, due to Groovy\u2019s annotation processing, researchers demonstrated the ability to inject compile-time code that triggers outbound callbacks and code execution.<\/p>\n<p>The flaw, tracked under <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-61757\" target=\"_blank\" rel=\"noopener\">CVE-2025-61757<\/a>, received a critical severity rating of 9.8 out of 10, due to the ease of exploitability and presumably the existence of a <a href=\"https:\/\/www.csoonline.com\/article\/4031603\/32-of-exploited-vulnerabilities-are-now-zero-days-or-1-days.html\">zero-day abuse<\/a>. \u201cGiven the complexity of some previous Oracle Access Manager vulnerabilities, this one is somewhat trivial and easily exploitable by threat actors,\u201d researchers noted.<\/p>\n<h2 class=\"wp-block-heading\">The patching urgency<\/h2>\n<p>In its CPU <a href=\"https:\/\/www.oracle.com\/security-alerts\/cpuoct2025.html\">advisory<\/a>, Oracle addressed this flaw along with hundreds of others across its portfolio. Researchers call it a common Java filter flaw, which makes it known territory for attackers.<\/p>\n<p>\u201cThe vulnerability our team discovered follows a familiar pattern in Java: filters designed to restrict authentication often contain easy-to-exploit authentication bypass flaws,\u201d they <a href=\"https:\/\/slcyber.io\/research-center\/breaking-oracles-identity-manager-pre-auth-rce\/\">said<\/a>. \u201cLogical flaws in how Java interprets request URIs are a gift that continues giving when paired with matrix parameters.\u201d<\/p>\n<p>In this case, the flaw affects OIM versions 12.2.1.4.0 and 14.1.2.1.0. 
According to Johannes Ullrich, Dean of Research for SANS Technology Institute, the proof-of-concept (POC) URL provided by Searchlight Cyber Research was accessed \u201cseveral times between August 30th and September 9th\u201d this year.<\/p>\n<p>Attacker IP addresses <a href=\"https:\/\/isc.sans.edu\/diary\/rss\/32506\" target=\"_blank\" rel=\"noopener\">shared<\/a> by Ullrich include 89.238.132.76, 185.245.82.81, and 138.199.29.153. Searchlight researchers noted that participating in capture-the-flag (<a href=\"https:\/\/www.csoonline.com\/article\/552669\/ctf-players-versus-professional-penetration-testers.html\">CTF<\/a>) style work and probing compile-time or annotation chains continues to yield fresh RCEs.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>The Cybersecurity and Infrastructure Security Agency (CISA) has flagged a pre-authenticated, critical remote code execution flaw in Oracle Identity Manager (OIM), noting that it has been actively exploited, and added it to its Known Exploited Vulnerabilities (KEV) catalog. 
The flaw was first identified by Searchlight Cyber, which found it capable of allowing complete authentication bypass, [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5920,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5919","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5919"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5919"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5919\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5920"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5919"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5919"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5919"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}