Executive Summary
In September 2025, multiple attacks targeted Oracle Identity Manager (OIM) instances by exploiting a critical authentication bypass vulnerability (CVE-2025-61757). The flaw, discovered by Searchlight Cyber and addressed in Oracle's October 21, 2025 Critical Patch Update, allows threat actors to append ';.wadl' to a URL, accessing privileged functionality without authentication. Logs show attackers conducted scans and POST requests using a consistent user-agent from diverse IPs before an official patch was released, evidencing rapid exploit development and the risk of remote code execution.
This incident highlights the increasing threat posed by trivial, mass-scannable web application flaws in identity platforms and the speed at which adversaries weaponize new zero-day vulnerabilities. Cybersecurity teams must prioritize rapid patching and detection of unusual authentication exemption patterns to reduce critical risk exposure.
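The detection pattern the summary describes (a ';.wadl' path-parameter suffix, a consistent user-agent arriving from many IPs) can be checked directly against web server access logs. The following is an added example, not code from the advisory or from Oracle; the log lines and the REST path in them are constructed, and the combined log format is an assumption about what the front-end server writes.

```python
"""Flag CVE-2025-61757-style ';.wadl' probes in access logs (added example)."""
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumed Apache/nginx "combined" log format: client IP, timestamp, request line,
# status, bytes, referer, user-agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# The advisory's bypass marker: ';.wadl' appended to a URL. Percent-decode first
# so an encoded '%3B.wadl' variant is caught as well.
WADL_RE = re.compile(r';\.wadl', re.IGNORECASE)


def is_wadl_bypass(path: str) -> bool:
    """True when the (decoded) request path carries the ';.wadl' suffix."""
    return bool(WADL_RE.search(unquote(path)))


def analyze(lines):
    """Return (hits, ua_to_ips): matching request records, plus the set of
    source IPs seen per user-agent among those hits."""
    hits, ua_to_ips = [], defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_wadl_bypass(m.group("path")):
            hits.append(m.groupdict())
            ua_to_ips[m.group("ua")].add(m.group("ip"))
    return hits, ua_to_ips


def spread_user_agents(ua_to_ips, min_ips=2):
    """User-agents that issued ';.wadl' requests from at least min_ips distinct
    IPs: the 'same UA, diverse IPs' pattern the advisory reports."""
    return sorted(ua for ua, ips in ua_to_ips.items() if len(ips) >= min_ips)


# Constructed sample log; '/rest/v1/EXAMPLE_RESOURCE' is a placeholder path.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Sep/2025:03:14:07 +0000] "GET /rest/v1/EXAMPLE_RESOURCE;.wadl HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [12/Sep/2025:03:14:09 +0000] "POST /rest/v1/EXAMPLE_RESOURCE%3B.wadl HTTP/1.1" 200 300 "-" "python-requests/2.31"
192.0.2.55 - - [12/Sep/2025:03:20:01 +0000] "GET /identity/signin HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    found, by_ua = analyze(SAMPLE_LOG)
    for rec in found:
        print(rec["ip"], rec["method"], rec["path"], rec["ua"])
    print("user-agents seen from multiple IPs:", spread_user_agents(by_ua))
```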
Why This Matters Now
CVE-2025-61757 represents an emerging threat where simple authentication bypass techniques enable high-impact exploitation in widely used identity management systems. Its ease of use, active scanning prior to patch release, and potential for automation underscore the urgent need for enhanced web application security controls and accelerated patch cycles.
Attack Path Analysis
The attack began with exploitation of CVE-2025-61757 to gain unauthenticated access to Oracle Identity Manager URLs, followed by uploading or executing malicious payloads to obtain higher privileges. The adversary likely attempted to move laterally across internal services in search of additional systems or data. They established command and control channels via POST requests to manage remote access. Subsequently, data exfiltration or further payload delivery may have occurred. The attack culminated in potential business impact such as unauthorized access, data theft, or remote code execution, threatening the integrity and availability of critical systems.
Kill Chain Progression
Initial Compromise
Description
Attacker exploited unauthenticated '.wadl' endpoint in Oracle Identity Manager (CVE-2025-61757) by sending crafted POST requests to gain access.
Related CVEs
CVE-2025-61757
CVSS 9.8
An authentication bypass vulnerability in Oracle Identity Manager's REST WebServices component allows unauthenticated remote attackers to execute arbitrary code, potentially leading to full system compromise.
Affected Products:
Oracle Identity Manager – 12.2.1.4.0, 14.1.2.1.0
Exploit Status:
exploited in the wild
CVE-2025-4581
CVSS 8.6
A pre-authentication blind SSRF vulnerability in Liferay Portal's OpenSSO Authentication Settings allows remote attackers to make arbitrary HTTP requests to internal systems, potentially leading to internal network enumeration or further exploitation.
Affected Products:
Liferay Portal – 7.4.0 through 7.4.3.132
Liferay DXP – 2025.Q1.0 through 2025.Q1.4, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15, 7.4 GA through update 92
Exploit Status:
proof of concept
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Server Software Component: Web Application
Application Layer Protocol: Web Protocols
Network Sniffing
Command and Scripting Interpreter
Exploitation of Remote Services
Phishing
Impair Defenses
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security Vulnerability Management
Control ID: 6.4.2
NYDFS 23 NYCRR 500 – Penetration Testing and Vulnerability Assessments
Control ID: 500.05
DORA – ICT Risk Management
Control ID: Article 6(2)
CISA Zero Trust Maturity Model 2.0 – Application Security Controls
Control ID: Pillar: Applications, Maturity Level: Initial/Traditional
NIS2 Directive – Incident Prevention, Detection, and Response
Control ID: Article 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Oracle Identity Manager exploits enable authentication bypass in banking systems, threatening customer data protection and regulatory compliance requirements like PCI-DSS.
Health Care / Life Sciences
Identity management vulnerabilities expose patient records and medical systems to unauthorized access, violating HIPAA compliance and enabling lateral movement attacks.
Government Administration
Web application exploitation of identity systems compromises citizen data access controls and government service authentication, requiring immediate zero trust implementation.
Higher Education/Academia
Oracle IAM vulnerabilities allow unauthorized access to student records and research data through authentication bypass, compromising institutional security posture.
Sources
- Oracle Identity Manager Exploit Observation from September (CVE-2025-61757), SANS ISC Diary (Thu, Nov 20th): https://isc.sans.edu/diary/rss/32506
- Oracle Critical Patch Update Advisory - October 2025: https://www.oracle.com/security-alerts/cpuoct2025.html
- CISA Known Exploited Vulnerabilities Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-61757
- CVE-2025-61757: Oracle Identity Manager Pre-Auth RCE Under Active Attack: https://hivepro.com/threat-advisory/cve-2025-61757-oracle-identity-manager-pre-auth-rce-under-active-attack/
- CVE-2025-4581: Liferay Portal Blind SSRF Vulnerability: https://cvefeed.io/vuln/detail/CVE-2025-4581
Cloud Native Security Fabric (CNSF) Mitigations and Controls
CNSF zero trust segmentation, egress policy enforcement, east-west traffic security, and threat detection controls would have contained the exploit, restricted lateral movement, and exposed anomalous behavior from the attacker, greatly reducing blast radius and impeding adversary actions across the kill chain.
Control: Inline IPS (Suricata)
Mitigation: Prevents known web exploits from reaching vulnerable services.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Detects and alerts on privilege escalation and unexpected behavior.
Control: Zero Trust Segmentation
Mitigation: Blocks unauthorized east-west movement within the cloud network.
Control: Threat Detection & Anomaly Response
Mitigation: Alerts on suspicious outbound connections and remote access tools.
Control: Egress Security & Policy Enforcement
Mitigation: Prevents unauthorized data exfiltration to external destinations.
Detects and enables rapid response to suspicious actions that threaten integrity or availability.
Impact at a Glance
Affected Business Functions
- Identity Management
- Access Control
- User Provisioning
Estimated downtime: 5 days
Estimated loss: $500,000
Potential exposure of sensitive identity and access management data, including user credentials and access rights.
Recommended Actions
Key Takeaways & Next Steps
- Implement inline intrusion prevention (IPS) at all cloud ingress points to block known exploit attempts such as CVE-2025-61757.
- Enforce zero trust segmentation and microsegmentation to curtail lateral movement from compromised workloads.
- Apply granular egress and outbound policy enforcement to prevent data exfiltration and suspicious external communications.
- Enable anomaly-based threat detection and active response measures to alert on unexpected privilege escalation and remote connections.
- Centralize network and security visibility across cloud environments to rapidly detect, investigate, and respond to emerging threats.