Data Card
Oracle Identity Manager Zero-Day Actively Exploited (CVE-2025-61757)
A pre-authentication flaw in Oracle Identity Manager is being exploited for remote code execution, threatening downstream access governance across enterprises.
2025-11-24 | CC-BY-4.0 | identity-governance, vulnerability, cve-2025-61757
About
Key Facts
- Bug allows unauthenticated REST requests to invoke a Groovy script endpoint, leading to RCE.
- CVE-2025-61757 was patched in October 2025, but many deployments remain exposed.
- Compromise of identity governance tier can cascade to connected enterprise apps.
Card Text
Oracle Identity Manager installations are under active attack via CVE-2025-61757, a pre-auth flaw that lets remote actors trigger Groovy execution through a mis-filtered REST endpoint. Successful exploitation yields code execution on the identity tier that provisions access to downstream systems.
Oracle issued a fix in the October 2025 Critical Patch Update, but lagging patch adoption leaves many enterprises exposed. Security teams are urged to patch immediately and hunt for abuse across connected applications.