Executive Summary
In November 2025, CISA added CVE-2025-61757, a critical vulnerability in Oracle Identity Manager, to its Known Exploited Vulnerabilities (KEV) catalog following credible reports of active exploitation. The flaw is a missing authentication check on a critical function in the product's REST WebServices component: an unauthenticated attacker with HTTP access to that interface can take over the Oracle Identity Manager instance without any credentials. Oracle shipped a fix in its October 2025 Critical Patch Update, so systems still on affected versions faced unauthorized access, credential theft, and lateral movement from the one system that, by design, governs every other account in the enterprise, with potential for widespread service disruption and data exfiltration. Remediation required applying the October 2025 CPU promptly and, in the interim, restricting network exposure of the REST interface.
This incident underscores the rising impact of identity-driven attack vectors against core authentication and provisioning systems, with adversaries increasingly exploiting zero-day flaws in widely used identity platforms. It highlights an urgent need for stronger identity protection, disciplined patch management, and zero-trust segmentation, since attackers are targeting the intersection of critical infrastructure and identity orchestration.
Why This Matters Now
CISA’s KEV listing of CVE-2025-61757 signals an immediate, high-priority threat: the flaw is being exploited in the wild, requires no credentials, and sits in the system that issues and governs enterprise identities. An unpatched Oracle Identity Manager instance can be fully compromised over the network, so patching to the October 2025 CPU level (or later) and limiting which networks can reach the REST interface are urgent for any organization relying on Oracle's identity technologies.
Attack Path Analysis
The public reporting confirms only the first stage, exploitation of the pre-authentication flaw (CVE-2025-61757) in Oracle Identity Manager for initial access; the remainder of this path describes the follow-on activity such a foothold makes possible. Because Oracle Identity Manager holds privileged connector credentials and provisions accounts into downstream directories and applications, an attacker who controls it can escalate by creating or modifying accounts and role assignments rather than by attacking those systems directly. Lateral movement then proceeds over internal east-west connectivity to the applications and services those accounts unlock. Command and control would typically be established via outbound connections from the compromised host to attacker infrastructure, often over TLS or other less-monitored channels, and sensitive data (including credential material held by the identity platform) exfiltrated through unauthorized outbound transfers. Impact can take the form of account lockouts, privilege removal, or outright service disruption of the identity platform itself.
Kill Chain Progression
Initial Compromise
Description
Adversary exploited a missing-authentication vulnerability (CVE-2025-61757) in Oracle Identity Manager's REST WebServices component to gain unauthenticated remote access.
Related CVEs
CVE-2025-61757
CVSS 9.8 (Critical)
A missing-authentication-for-critical-function vulnerability in the REST WebServices component of Oracle Identity Manager allows an unauthenticated attacker with HTTP network access to take over the system.
Affected Products:
Oracle Identity Manager – 12.2.1.4.0, 14.1.2.1.0
Exploit Status:
Exploited in the wild (listed in CISA KEV); fixed in the Oracle Critical Patch Update of October 2025.
MITRE ATT&CK® Techniques
Only Exploit Public-Facing Application (T1190) is directly supported by the public reporting; the remaining techniques describe follow-on activity an attacker could pursue from a compromised Oracle Identity Manager host.
Exploit Public-Facing Application (T1190)
External Remote Services (T1133)
Valid Accounts: Default Accounts (T1078.001)
Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002)
Modify Authentication Process: Pluggable Authentication Modules (T1556.003)
Command and Scripting Interpreter (T1059)
Account Discovery (T1087)
Phishing (T1566)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Secure Authentication for Application Access
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Art. 9
CISA Zero Trust Maturity Model 2.0 – Identity and Access Management Controls
Control ID: Identity Pillar: Authentication
NIS2 Directive – Technical and Organizational Measures
Control ID: Art. 21(2)(a)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Exploitation of the Oracle Identity Manager flaw threatens the authentication and provisioning systems behind banking applications; regulators expect affected institutions to patch promptly and to segment identity infrastructure with zero-trust network policies and inspected, encrypted traffic controls.
Health Care / Life Sciences
The pre-authentication flaw exposes patient-facing identity systems to lateral movement; organizations need east-west traffic controls around the identity tier and must treat any compromise as a potential HIPAA reportable event.
Government Administration
Active exploitation of Oracle Identity Manager creates a direct authentication-bypass risk for government systems, requiring immediate patching, threat detection on the identity tier, and visibility across multicloud environments where it is deployed.
Information Technology/IT
The CISA-cataloged flaw affects IT infrastructure and managed-service providers that operate identity systems for customers; beyond patching, they should tighten egress controls from identity hosts and deploy inline intrusion prevention in front of the REST interface.
Sources
- CISA Warns of Actively Exploited Critical Oracle Identity Manager Zero-Day Vulnerability (The Hacker News): https://thehackernews.com/2025/11/cisa-warns-of-actively-exploited.html
- CISA Adds One Known Exploited Vulnerability, CVE-2025-61757, to Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-61757
- Oracle Critical Patch Update Advisory - October 2025: https://www.oracle.com/security-alerts/cpuoct2025.html
- NVD - CVE-2025-61757: https://nvd.nist.gov/vuln/detail/CVE-2025-61757
Cloud Native Security Fabric (CNSF) Mitigations and Controls
None of these controls replaces the patch: a missing-authentication flaw is exploited with a request that looks legitimate to the application, so the value of the controls below lies in limiting what an attacker can do after a successful exploit and in surfacing the post-exploitation stages. CNSF capabilities such as zero-trust segmentation, inline IPS, egress policy enforcement, and east-west traffic controls would curtail attacker movement, block unmonitored outbound communications, and detect data exfiltration even if the initial exploit succeeds.
Control: Inline IPS (Suricata)
Mitigation: Signatures for the exploit, once published, and protocol anomalies (unauthenticated requests reaching REST endpoints that should only see authenticated traffic) would flag exploit attempts for real-time detection and blocking. Until a signature exists, alert on any request to the REST component from a source outside the networks that are supposed to reach it.
Control: Zero Trust Segmentation
Mitigation: Network policies enforce least-privilege isolation so that the identity host can reach only the database, directory, and connector targets it needs, limiting how far abuse of the compromised instance can spread.
Control: East-West Traffic Security
Mitigation: Lateral-movement attempts from the identity host to systems outside its allowed set trigger anomaly detection and are blocked at internal control points.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound connections from the identity host to destinations not on its approved FQDN and IP list (the usual sign of command and control) are blocked or logged for rapid incident response.
Control: Egress Security & Policy Enforcement
Mitigation: Bulk transfers of sensitive data to unapproved destinations are blocked or detected.
Control: Behavioral Anomaly Detection
Mitigation: Anomalous destructive behavior, such as mass account lockouts or privilege removal originating from the identity platform, is detected promptly, enabling containment.
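The detection logic the attack path and the controls above describe, as an added example written for this brief (it is not code from the original page, from Oracle, or from any CNSF product). It runs over constructed sample data, not real traffic: a web-tier access log in Combined Log Format and a handful of egress flow records from the identity host. Assumptions to adjust for your environment are marked in the code: the REST component is assumed to live under the path prefix `/iam/governance/` (verify this against your deployment), the trusted networks, the egress allowlist, and the exfiltration size threshold are all illustrative, and the web tier is assumed to log the authenticated principal in the third Combined Log Format field (if yours does not, drop that test and rely on source and status alone).

```python
"""Added example, not from the original brief or any vendor tooling.

Two independent detectors for the attack path described above, plus a
correlation step that joins them per identity host:
  1. successful REST-component requests from untrusted sources that carry
     no authenticated principal (the pre-auth exploitation stage), and
  2. egress from the identity host to destinations outside its allowlist,
     or bulk outbound transfers (the C2 and exfiltration stages).
"""
import ipaddress
import re

# ---- constructed sample data (not real traffic) ---------------------------
# Web-tier access log in Combined Log Format. 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for the internet.
ACCESS_LOG = """\
203.0.113.10 - - [21/Nov/2025:10:01:02 +0000] "GET /iam/governance/selfservice/api/v1/users HTTP/1.1" 200 5120 "-" "python-requests/2.31"
10.20.0.15 - jsmith [21/Nov/2025:10:01:05 +0000] "GET /iam/governance/selfservice/api/v1/users HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [21/Nov/2025:10:01:09 +0000] "POST /iam/governance/adminservice/api/v1/roles HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.7 - - [21/Nov/2025:10:02:00 +0000] "GET /identity/faces/signin HTTP/1.1" 200 1300 "-" "Mozilla/5.0"
203.0.113.10 - - [21/Nov/2025:10:02:30 +0000] "GET /iam/governance/selfservice/api/v1/users HTTP/1.1" 401 0 "-" "curl/8.0"
"""

# Egress flow records from the identity host: (src, dst, dst_port, bytes_out).
FLOWS = [
    ("10.20.1.5", "10.20.2.10", 1521, 40_000),          # Oracle DB, approved
    ("10.20.1.5", "10.20.2.20", 636, 2_000),            # LDAPS, approved
    ("10.20.1.5", "203.0.113.50", 443, 12_000),         # unknown external host
    ("10.20.1.5", "203.0.113.50", 443, 250_000_000),    # bulk transfer to same host
]

# ---- assumptions to adjust per environment --------------------------------
REST_PREFIX = "/iam/governance/"   # assumed REST base path; verify on your deployment
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # networks allowed to reach REST
EGRESS_ALLOW = {("10.20.2.10", 1521), ("10.20.2.20", 636)}  # approved (dst, port) pairs
EXFIL_BYTES = 100_000_000   # single-flow outbound volume that counts as bulk transfer

# Combined Log Format: src ident user [ts] "method path proto" status size ...
CLF = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def is_trusted(ip: str) -> bool:
    """True if the source address falls inside a network allowed to reach REST."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def preauth_rest_hits(log_text: str) -> list[dict]:
    """Successful (2xx) REST-component requests from untrusted sources with no
    authenticated principal recorded by the web tier. A 401 is normal and is
    not flagged; a 200 without a principal from outside is the signal."""
    hits = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue            # skip lines that are not Combined Log Format
        d = m.groupdict()
        if (d["path"].startswith(REST_PREFIX)
                and d["status"].startswith("2")
                and d["user"] == "-"
                and not is_trusted(d["src"])):
            hits.append({"src": d["src"], "method": d["method"],
                         "path": d["path"], "ts": d["ts"]})
    return hits


def unapproved_egress(flows) -> list[dict]:
    """Flows to destinations outside the egress allowlist, plus any flow large
    enough to look like bulk exfiltration even if the destination is allowed."""
    findings = []
    for src, dst, port, nbytes in flows:
        reasons = []
        if (dst, port) not in EGRESS_ALLOW:
            reasons.append("destination not allowlisted")
        if nbytes >= EXFIL_BYTES:
            reasons.append("bulk outbound transfer")
        if reasons:
            findings.append({"src": src, "dst": dst, "port": port,
                             "bytes": nbytes, "reasons": reasons})
    return findings


def correlate(log_text: str, flows, oim_host: str) -> dict:
    """Pre-auth REST access plus unapproved egress from the same identity host
    is rated high; either signal alone is medium and still worth triage."""
    hits = preauth_rest_hits(log_text)
    egress = [f for f in unapproved_egress(flows) if f["src"] == oim_host]
    severity = "high" if hits and egress else "medium" if hits or egress else "none"
    return {"severity": severity,
            "attack_sources": sorted({h["src"] for h in hits}),
            "rest_hits": hits, "egress": egress}


if __name__ == "__main__":
    import json
    print(json.dumps(correlate(ACCESS_LOG, FLOWS, "10.20.1.5"), indent=2))
```

On the sample data the two unauthenticated 200 responses from 203.0.113.10 and the two flows to 203.0.113.50 (one of them 250 MB) combine into a high-severity finding; the 401 from the same source and the authenticated internal request are correctly ignored. The egress check is deliberately a strict allowlist rather than a blocklist, which is what the zero-trust and egress controls above amount to in practice: an identity host has a small, knowable set of legitimate destinations, and anything else from it deserves a ticket.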
Impact at a Glance
Affected Business Functions
- Identity Management
- Access Control
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of sensitive user credentials and personal information due to unauthorized access.
Recommended Actions
Key Takeaways & Next Steps
- Apply the Oracle October 2025 Critical Patch Update to every Oracle Identity Manager 12.2.1.4.0 and 14.1.2.1.0 instance, and confirm the REST WebServices component is not reachable from untrusted networks.
- Enforce zero trust segmentation to ensure least-privilege network and identity access across all cloud workloads.
- Deploy inline IPS to detect and flag pre-authentication exploit attempts targeting critical applications such as Oracle Identity Manager.
- Apply strict east-west traffic policies to contain adversaries and prevent unauthorized lateral movement within the cloud environment.
- Implement robust egress controls, including FQDN and application-layer filtering, to block C2 and exfiltration channels.
- Monitor for behavioral and anomaly signals with real-time incident response workflows to rapidly detect and mitigate ongoing threats.