
CVE-2025-61757: Critical Pre-Auth RCE in Oracle Identity Manager

Zach Bistra, Senior Security Researcher
November 26, 2025

A newly disclosed vulnerability, CVE-2025-61757, exposes Oracle Identity Manager (OIM) to unauthenticated remote code execution (RCE). The flaw affects OIM versions 12.2.1.4.0 and 14.1.2.1.0 and carries a CVSS 9.8 Critical rating. CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog — meaning active exploitation is confirmed.


What Makes This CVE So Dangerous

Researchers discovered that OIM’s SecurityFilter — responsible for enforcing authentication on REST WebServices — can be bypassed by appending specific suffixes.

This misclassification exposes protected endpoints, including the Groovy script compilation API. Although this endpoint only “checks” scripts, Groovy annotations can execute code during compilation, giving attackers a reliable path to RCE without credentials.

Attack chain:
Authentication bypass → Access to Groovy compile endpoint → Malicious annotation → Compile-time RCE

Because OIM governs user identities, roles, and provisioning across enterprise systems, compromise can lead to:

  • Unauthorized account creation
  • Privilege escalation
  • Full takeover of identity workflows
  • Cross-system lateral movement

Required Actions

1. Patch Immediately

Oracle issued a fix in the October 2025 Critical Patch Update.

2. Apply Temporary Mitigations (If Patch Is Delayed)

  • Restrict external access to OIM REST WebServices
  • Block suspicious suffixes (?WSDL, ;.wadl) via WAF
  • Limit access to trusted administrative networks

3. Investigate for Exploitation Attempts

Look for:

  • Requests to protected endpoints using the bypass patterns
  • POST requests to the groovyscriptstatus endpoint
  • Unexpected outbound connections originating from the OIM server

If detected, initiate incident response and consider the host compromised.
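One way to run the checks above over web-server access logs, as an added example that is not part of the original post or of IONIX's tooling: it flags the two bypass suffixes named above (after URL-decoding, case-insensitively) and POSTs to groovyscriptstatus, and treats a 2xx reply to a suffixed request as a sign the SecurityFilter let it through (an assumption). The log lines and the /iam/api/v1 paths are constructed, not OIM's real routes.

```python
import re
from urllib.parse import unquote

# Indicators from the advisory: the two filter-bypass suffixes and the Groovy compile
# endpoint segment. Matching uses the URL-decoded, lower-cased request target.
BYPASS_SUFFIXES = ("?wsdl", ";.wadl")
GROOVY_ENDPOINT = "groovyscriptstatus"

# Common Log Format: ip ident user [ts] "METHOD target proto" status size
CLF_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')


def classify_request(method: str, target: str, status: int) -> list[str]:
    """Return indicator tags for one request; an empty list means nothing matched."""
    tags = []
    decoded = unquote(target).lower()
    if any(suffix in decoded for suffix in BYPASS_SUFFIXES):
        tags.append("bypass_suffix")
        # Assumption: 2xx to a suffixed request means the filter let it through (401/403 = still enforced).
        if 200 <= status < 300:
            tags.append("filter_bypassed")
    # Drop matrix (;) and query (?) parameters before checking the endpoint segment.
    path = re.split(r"[;?]", decoded, maxsplit=1)[0].rstrip("/")
    if method == "POST" and path.endswith("/" + GROOVY_ENDPOINT):
        tags.append("groovy_compile_post")
    return tags


def scan_access_log(lines) -> list[dict]:
    """Parse CLF lines and return only the requests carrying at least one indicator."""
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than silently mis-score it
        status = int(m["status"])
        tags = classify_request(m["method"], m["target"], status)
        if tags:
            hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "target": m["target"], "status": status, "tags": tags})
    return hits


# Constructed sample access log; the /iam/api/v1 paths are illustrative, not OIM's routes.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Nov/2025:10:01:02 +0000] "GET /iam/api/v1/users HTTP/1.1" 401 0',
    '10.0.0.5 - - [20/Nov/2025:10:01:05 +0000] "GET /iam/api/v1/users?WSDL HTTP/1.1" 200 1843',
    '10.0.0.5 - - [20/Nov/2025:10:01:09 +0000] "POST /iam/api/v1/groovyscriptstatus;.wadl HTTP/1.1" 200 57',
    '10.0.0.5 - - [20/Nov/2025:10:01:12 +0000] "GET /iam/api/v1/roles%3B.WADL HTTP/1.1" 200 902',
    '192.168.1.20 - - [20/Nov/2025:10:02:00 +0000] "POST /iam/api/v1/groovyscriptstatus HTTP/1.1" 200 57',
]
```

Running `scan_access_log(SAMPLE_LOG)` returns four hits: the benign 401 request is dropped, the suffixed 200 responses carry both `bypass_suffix` and `filter_bypassed`, and the un-suffixed POST is reported only as `groovy_compile_post` for manual review.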


How IONIX Helps

IONIX’s External Exposure Management Platform is built specifically for threats like CVE-2025-61757. When this CVE was published, IONIX automatically identified which customer assets were running vulnerable and externally reachable OIM services, and immediately notified impacted customers.

Most importantly: IONIX actively validates exploitability. We don’t stop at “you might be vulnerable.”
For CVE-2025-61757, IONIX ran safe, non-intrusive exploitability tests to confirm whether the vulnerable Groovy compilation endpoint was externally reachable and exploitable.

Customers received:

  • Confirmed Findings where exploitability was validated
  • Potentially Affected Assets where OIM was detected but not exposed
  • Clear remediation instructions and prioritization guidance

This validation-first approach ensures teams focus on actual risk, not theoretical possibilities.


Conclusion

CVE-2025-61757 provides attackers a pre-auth path directly into enterprise identity infrastructure — and active exploitation is already underway.
Organizations must patch urgently, monitor carefully, and ensure OIM is not externally exposed.

IONIX customers were automatically alerted, provided exploitability confirmation, and guided through mitigation steps — demonstrating why validation-driven external exposure management is essential for modern defense.
