CVE-2025-61757

9.8 CRITICAL CISA KEV

📋 TL;DR

This critical vulnerability in Oracle Identity Manager allows unauthenticated attackers to remotely compromise the system via HTTP requests, leading to complete takeover. It affects Oracle Fusion Middleware Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0. Organizations using these versions are at immediate risk.

💻 Affected Systems

Products:
  • Oracle Fusion Middleware Identity Manager
Versions: 12.2.1.4.0 and 14.1.2.1.0
Operating Systems: All supported platforms for Oracle Fusion Middleware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects REST WebServices component. All deployments with affected versions are vulnerable regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of Identity Manager, allowing an attacker to steal credentials, modify user permissions, disable authentication systems, and potentially pivot to other systems in the environment.

🟠 Likely Case

Attackers gain administrative access to Identity Manager, allowing them to create/delete users, modify permissions, and access sensitive identity data.

🟢 If Mitigated

With proper network segmentation and access controls, impact could be limited to the Identity Manager system itself, though credential theft would still be possible.

🌐 Internet-Facing: HIGH - Unauthenticated remote exploitation via HTTP makes internet-facing systems extremely vulnerable to automated attacks.
🏢 Internal Only: HIGH - Even internally, any network-accessible instance can be exploited by compromised internal hosts or malicious insiders.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The CVSS 9.8 score reflects low attack complexity with no authentication or user interaction required. CISA has added this CVE to its Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply patches from Oracle Critical Patch Update October 2025

Vendor Advisory: https://www.oracle.com/security-alerts/cpuoct2025.html

Restart Required: Yes

Instructions:

1. Download the appropriate patches from Oracle Support.
2. Apply the patches following Oracle's patching procedures.
3. Restart the affected services.
4. Verify that the patch was applied.

🔧 Temporary Workarounds

Network Access Restriction (applies to: all)

  • Restrict network access to Identity Manager REST endpoints to trusted IPs only
  • Use firewall rules to limit access to port 80/443 on Identity Manager servers

Web Application Firewall (applies to: all)

  • Deploy a WAF with rules to block suspicious REST API requests

🧯 If You Can't Patch

  • Isolate Identity Manager systems in a separate network segment with strict access controls
  • Implement an additional authentication layer (VPN, or a reverse proxy with authentication) in front of Identity Manager

🔍 How to Verify

Check if Vulnerable:

Check Oracle Identity Manager version via administrative console or version files in installation directory

Check Version:

Check $ORACLE_HOME/inventory/ContentsXML/comps.xml for component versions

Verify Fix Applied:

Verify patch application through Oracle OPatch utility: opatch lsinventory

📡 Detection & Monitoring

Log Indicators:

  • Unusual REST API requests to Identity Manager endpoints
  • Authentication bypass attempts in access logs
  • Unexpected administrative actions in audit logs

Network Indicators:

  • Unusual HTTP traffic to /rest/* endpoints from unauthorized sources
  • Spike in REST API requests

SIEM Query:

source="identity-manager-logs" AND (uri_path="/rest/*" AND src_ip NOT IN allowed_ips)
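As an added example (not part of this advisory), the allow-list check expressed by the SIEM query above, run over constructed access-log lines in combined log format; the trusted networks, REST paths and source addresses are assumed sample values, not real Identity Manager endpoints.

```python
# Added example (not from the advisory): flag /rest/* requests whose source is
# outside an allow-list, the check the SIEM query expresses, over constructed
# access-log lines in combined log format.
import ipaddress
import re
from collections import Counter

# Trusted source networks (constructed values for this example).
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.50.0/24")]

# Combined log format: src ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

def is_allowed(src: str) -> bool:
    """True if the source address falls inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # an unparsable source is treated as untrusted
    return any(addr in net for net in ALLOWED_NETS)

def flag_rest_requests(lines):
    """Return (src, method, path, status) for /rest/ requests from untrusted sources."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        if m["path"].startswith("/rest/") and not is_allowed(m["src"]):
            hits.append((m["src"], m["method"], m["path"], int(m["status"])))
    return hits

def untrusted_request_counts(lines):
    """Requests per untrusted source on /rest/*, to spot the spike the page describes."""
    return Counter(src for src, _, _, _ in flag_rest_requests(lines))

# Constructed sample lines: two trusted sources, two outside the allow-list, one malformed.
SAMPLE_LOG = [
    '10.0.1.5 - - [20/Nov/2025:10:00:01 +0000] "GET /rest/example/login HTTP/1.1" 200 512',
    '203.0.113.9 - - [20/Nov/2025:10:00:02 +0000] "POST /rest/example/user HTTP/1.1" 200 1024',
    '192.168.50.7 - - [20/Nov/2025:10:00:03 +0000] "GET /identity/example/home HTTP/1.1" 200 2048',
    '198.51.100.4 - - [20/Nov/2025:10:00:04 +0000] "GET /rest/example/admin HTTP/1.1" 401 88',
    'not a log line',
]

if __name__ == "__main__":
    for hit in flag_rest_requests(SAMPLE_LOG):
        print("ALERT untrusted source on REST endpoint:", hit)
```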
