LR pixel

Oracle Identity Manager Pre-Auth RCE

von | 3. Dez. 2025 | Unkategorisiert | 0 Kommentare

What is the Vulnerability?

CVE-2025-61757 is a critical pre-authentication remote code execution vulnerability in Oracle Identity Manager’s REST WebServices. This vulnerability allows an unauthenticated attacker to exploit URI and matrix parameter parsing weaknesses to bypass authentication and execute arbitrary code over HTTP.

Successful exploitation results in full compromise of Identity Manager servers- enabling attackers to steal credentials, escalate privilege across connected systems, move laterally within the infrastructure, and persist undetected. As Identity Manager is a core identity and access control system, the downstream impact is severe, including potential domain or cloud takeover.

This vulnerability has been assigned a CVSS 9.8 (Critical) rating and is considered easily exploitable. The U.S. CISA has added the associated CVE to its Known Exploited Vulnerabilities (KEV) catalog, indicating active or imminent exploitation in the wild.

What is the recommended Mitigation?

  • Apply Oracle’s October 2025 Critical Patch Update for CVE-2025-61757 immediately

    .

    This patch directly addresses the authentication bypass and pre-auth RCE path for affected Oracle Identity Manager/Identity Governance REST WebServices:

    12.2.1.4.0

    14.1.2.1.0

  • Restrict network access to OIM/OIG management endpoints- block direct exposure to the internet and allow access only from trusted administrative networks.

  • Monitor and control outbound connections from Identity Manager servers:

    • Watch for unexpected callbacks, external network beacons, or suspicious DNS resolutions.

    • Implement egress allowlists for management servers to prevent command-and-control style communications.

    • If a compromise is suspected, rotate service accounts and identity-related credentials.

What FortiGuard Coverage is available?

  • FortiGuard Web Filtering Service protects against malicious URLs, domains, IPs, and other attacker-controlled infrastructure associated with this campaign.

  • FortiAnalyzer, FortiSIEM, and FortiSOAR leverage known Indicators of Compromise (IoCs) delivered through the Indicators of Compromise (IoC) Service to enhance threat hunting, detection, and automated response, strengthening investigation workflows and correlation against related threat activity. FortiGuard Labs continues to monitor for newly emerging IoCs to ensure proactive protection.

  • Organizations suspecting a compromise can contact the FortiGuard Incident Response team for rapid investigation and remediation support.