CyberHappenings logo
Home Browse About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Oracle Identity Manager RCE Flaw CVE-2025-61757 Exploited in Attacks

First reported
Last updated
3 unique sources, 3 articles

Summary

Hide ▲

CISA has warned that a pre-authentication remote code execution (RCE) flaw in Oracle Identity Manager, tracked as CVE-2025-61757, is being actively exploited in attacks. The vulnerability stems from an authentication bypass in the REST APIs, allowing attackers to execute malicious code. The flaw was patched by Oracle in October 2025, but evidence suggests it may have been exploited as early as August 30. CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to patch it by December 12. Researchers from Searchlight Cyber discovered the flaw, describing it as trivial and easily exploitable. Multiple IP addresses have been observed scanning for the vulnerability, all using the same user agent. The flaw involves gaining access to a Groovy script compilation endpoint to execute malicious code. The vulnerability affects versions 12.2.1.4.0 and 14.1.2.1.0 of Oracle Identity Manager. Attackers can manipulate authentication flows, escalate privileges, and move laterally across an organization's core systems. The IP addresses 89.238.132[.]76, 185.245.82[.]81, and 138.199.29[.]153 were observed scanning for the vulnerability. The flaw was revealed by Searchlight Cyber on November 20 and added to CISA's KEV catalog on November 21. The vulnerability lies in the REST WebServices component of Oracle Identity Manager and has a CVSS severity score of 9.8. The flaw was discovered during an investigation of a breach affecting Oracle Cloud's login service, where a threat actor exploited an older vulnerability, CVE-2021-35587.

Timeline

  1. 22.11.2025 01:50 3 articles · 3d ago

    Oracle Identity Manager RCE Flaw CVE-2025-61757 Exploited in Attacks

    CISA has warned that the Oracle Identity Manager RCE flaw, CVE-2025-61757, is being actively exploited in attacks. The vulnerability was patched by Oracle in October 2025, but evidence suggests it may have been exploited as early as August 30. CISA has added the flaw to its KEV catalog, mandating federal agencies to patch it by December 12. Researchers have described the flaw as trivial and easily exploitable, with multiple IP addresses observed scanning for it, all using the same user agent. The vulnerability affects versions 12.2.1.4.0 and 14.1.2.1.0 of Oracle Identity Manager. Attackers can manipulate authentication flows, escalate privileges, and move laterally across an organization's core systems. The IP addresses 89.238.132[.]76, 185.245.82[.]81, and 138.199.29[.]153 were observed scanning for the vulnerability. The flaw was revealed by Searchlight Cyber on November 20 and added to CISA's KEV catalog on November 21. The vulnerability lies in the REST WebServices component of Oracle Identity Manager and has a CVSS severity score of 9.8. The flaw was discovered during an investigation of a breach affecting Oracle Cloud's login service, where a threat actor exploited an older vulnerability, CVE-2021-35587.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Critical WSUS RCE Vulnerability Exploited in the Wild

A critical remote code execution (RCE) vulnerability (CVE-2025-59287) in Windows Server Update Service (WSUS) is being actively exploited in the wild. The flaw allows attackers to run malicious code with SYSTEM privileges on Windows servers with the WSUS Server role enabled. Microsoft has released out-of-band patches for all affected Windows Server versions. Cybersecurity firms have observed exploitation attempts and the presence of publicly available proof-of-concept exploit code. The vulnerability is considered potentially wormable between WSUS servers and poses a significant risk to organizations. The flaw concerns a case of deserialization of untrusted data in WSUS. The vulnerability was discovered and reported by security researchers MEOW, f7d8c52bec79e42795cf15888b85cbad, and Markus Wulftange with CODE WHITE GmbH. CISA and NSA, along with international partners, have issued guidance to secure Microsoft Exchange Server instances, including recommendations to restrict administrative access, implement multi-factor authentication, and enforce strict transport security configurations. The agencies advise decommissioning end-of-life on-premises or hybrid Exchange servers after transitioning to Microsoft 365. Sophos reported threat actors exploiting the vulnerability to harvest sensitive data from U.S. organizations across various industries, with at least 50 victims identified. The exploitation activity was first detected on October 24, 2025, a day after Microsoft issued the update. Attackers use Base64-encoded PowerShell commands to exfiltrate data to a webhook[.]site endpoint. Michael Haag of Splunk noted an alternate attack chain involving the Microsoft Management Console binary (mmc.exe) to trigger cmd.exe execution. Recently, threat actors have been exploiting CVE-2025-59287 to distribute ShadowPad malware, a modular backdoor used by Chinese state-sponsored hacking groups. Attackers used PowerCat, certutil, and curl to obtain a system shell and download ShadowPad. The malware is launched via DLL side-loading and comes with anti-detection and persistence techniques.

Open in new tab

Five Vulnerabilities Added to CISA's Known Exploited Vulnerabilities Catalog

Five new vulnerabilities have been added to the CISA Known Exploited Vulnerabilities (KEV) Catalog. These include a server-side request forgery (SSRF) flaw in Oracle E-Business Suite (EBS) and four other vulnerabilities affecting Microsoft Windows SMB Client, Kentico Xperience CMS, and Apple's JavaScriptCore. The SSRF vulnerability in Oracle EBS has been actively exploited in real-world attacks. The vulnerabilities affect widely used software and have varying CVSS scores, indicating different levels of severity. Federal Civilian Executive Branch (FCEB) agencies must remediate these vulnerabilities by November 10, 2025, to protect against active threats.

Open in new tab

Active Exploitation of Critical Adobe AEM Forms Misconfiguration

A critical misconfiguration flaw in Adobe Experience Manager (AEM) Forms on JEE versions 6.5.23.0 and earlier is under active exploitation. The flaw, CVE-2025-54253, allows arbitrary code execution via an exposed servlet. Adobe released a patch in August 2025. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies must apply the necessary fixes by November 5, 2025. The flaw was discovered by Adam Kues and Shubham Shah of Searchlight Cyber, who disclosed it to Adobe on April 28, 2025. The flaw is caused by an exposed /adminui/debug servlet that evaluates user-supplied OGNL expressions as Java code without authentication or input validation. This enables attackers to execute arbitrary system commands with a single crafted HTTP request. A proof-of-concept exploit is publicly available.

Open in new tab

Unauthenticated access vulnerability in Oracle E-Business Suite Configurator

A critical vulnerability in Oracle E-Business Suite (EBS) allows unauthenticated attackers to access sensitive data via HTTP. The flaw, CVE-2025-61884, affects versions 12.2.3 through 12.2.14 and has a CVSS score of 7.5. CISA has confirmed that the vulnerability is being exploited in attacks and has added it to its Known Exploited Vulnerabilities catalog. Oracle has issued an emergency security update and patch, but exploitation in the wild has been reported. The vulnerability is in the Runtime UI component and could lead to unauthorized access to critical data. Oracle has silently fixed the vulnerability after it was actively exploited and a proof-of-concept exploit was leaked by the ShinyHunters extortion group. This development follows recent disclosures of zero-day exploitation in EBS software, attributed to a group with ties to the Clop ransomware group. The Clop group has been involved in major data theft campaigns targeting zero-days in Accellion FTA, GoAnywhere MFT, Cleo, and MOVEit Transfer.

Open in new tab

Active Exploitation of Multiple Critical Vulnerabilities in Gladinet and TrioFox

Active exploitation of critical vulnerabilities in Gladinet's CentreStack and TrioFox products continues. The zero-day vulnerability, CVE-2025-11371, is an unauthenticated local file inclusion bug that allows unintended disclosure of system files. This flaw affects all versions prior to and including 16.7.10368.56560. The vulnerability has been exploited to retrieve the machine key from the application Web.config file, enabling remote code execution via a ViewState deserialization vulnerability. Three customers have been impacted so far. A patch for the zero-day vulnerability CVE-2025-11371 is now available in CentreStack version 16.10.10408.56683. Users are advised to upgrade to this version or, if upgrading is not possible, disable the "temp" handler within the Web.config file for UploadDownloadProxy to mitigate the risk. The vendor, Gladinet, has been notified and is working on a fix. The vulnerability was detected by researchers at Huntress on September 27, 2025. The flaw was exploited to obtain a machine key and execute code remotely. The attack used an older deserialization vulnerability (CVE-2025-30406) to achieve remote code execution (RCE) through ViewState. The mitigations will impact some functionality of the platform but prevent exploitation of CVE-2025-11371. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-11371 to its Known Exploited Vulnerabilities (KEV) catalog on November 5, 2025, citing evidence of active exploitation. Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary fixes by November 25, 2025, to secure their networks. Additionally, a new critical vulnerability, CVE-2025-12480 (CVSS score: 9.8), has been discovered in Gladinet's Triofox file-sharing and remote access platform. This flaw allows attackers to bypass authentication and access configuration pages, resulting in the upload and execution of arbitrary payloads. The threat cluster tracked as UNC6485 has been exploiting this flaw since August 24, 2025. The attackers have used the built-in antivirus feature to execute malicious files and set up encrypted tunnels to command-and-control servers, leveraging remote access tools like Zoho Assist and AnyDesk for further exploitation. The vulnerability CVE-2025-12480 was discovered and reported by Mandiant on November 10. The flaw allows an attacker to gain access to initial setup pages even after setup is complete, enabling the upload and execution of arbitrary payloads. The exploitation campaign started on August 14, 2025. The attackers exploited an HTTP Host header vulnerability by spoofing localhost in requests, bypassing access controls to reach the normally restricted AdminDatabase.aspx setup page. The flaw stemmed from missing origin validation and over-reliance on the host header, allowing unauthenticated remote access to critical configuration pages. The attackers logged in using the newly created Admin account and uploaded malicious files to execute them using the built-in anti-virus feature.

Open in new tab