0-Click, 0-Auth, Full Control

The Critical RCE Threat in Oracle Identity Manager (CVE-2025-61757)

Author: tmukundu

Posted: Nov 25, 2025 09:58

Category: Information Technology

Identity and Access Management (IAM) platforms are the gatekeepers of the modern enterprise. They are trusted to manage user credentials, enforce least privilege, and control who can access critical systems. When a flaw bypasses all authentication on an IAM platform, the fallout is devastating.

Security researchers and CISA (the Cybersecurity and Infrastructure Security Agency) are urgently warning organizations about CVE-2025-61757, a critical vulnerability in Oracle Identity Manager, part of Oracle Fusion Middleware, that is under active exploitation. It is an immediate, high-priority threat because it lets an unauthenticated remote attacker achieve Remote Code Execution (RCE) with little effort: no credentials and no user interaction are required.

The Mechanism of the Bypass: The ?WSDL Trick

The vulnerability carries a CVSS base score of 9.8 (Critical) and is a textbook case of how a fragile, string-matching security filter can lead to a catastrophic compromise.

The flaw lies in the Identity Manager's REST WebServices component and is classified as missing authentication for a critical function: a sensitive endpoint can be reached without the filter ever demanding a login.

The Filter Fault: Oracle Identity Manager relies on a security filter to protect sensitive API endpoints, so that they can be reached only after a user has logged in. The filter decides by comparing the raw Request URI string against a list of known protected paths, and it exempts requests that look like fetches of public service descriptors (WSDL for SOAP services, WADL for REST services), which are conventionally served without authentication.

The Bypass: Attackers found that simply appending a descriptor-style suffix to a protected URI, such as ?WSDL (a query string) or ;.wadl (a matrix parameter), makes the filter classify the request as a public descriptor fetch and wave it through. The servlet container, however, routes on the path alone and ignores the query string and matrix parameters, so the request still lands on the protected endpoint, now without any session.

RCE Execution: With the filter bypassed, the attacker reaches internal functionality, including an endpoint that compiles Groovy code. Compiling alone is enough: Groovy supports compile-time AST transformations triggered by annotations, so a script that is merely compiled, never run, can still execute attacker-controlled code during compilation. The result is arbitrary code execution as the Identity Manager process, which amounts to a full takeover of the server.
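As an added illustration (not Oracle's code and not from the original post), the following Python sketch models the two filter behaviours described above: a weak filter that decides on the raw request string, and a hardened one that normalizes the path before matching. The /iam/governance/ protected prefix, the /ws/PublicService public route and the internal logic of both filters are assumptions made for this example.

```python
"""Added illustration, not Oracle's code: a path-based authentication filter
that exempts service-descriptor requests by looking at the raw request target,
beside a version that matches on the normalized path. The /iam/governance/
prefix, the public descriptor route and the behaviour of both filters are
assumptions made for this example."""
from urllib.parse import urlsplit

# Hypothetical: everything under this prefix requires a logged-in session.
PROTECTED_PREFIXES = ("/iam/governance/",)
# Hypothetical: the one SOAP endpoint whose WSDL may be fetched anonymously.
PUBLIC_DESCRIPTOR_ROUTES = {"/ws/PublicService"}


def weak_filter_allows_unauthenticated(request_target: str) -> bool:
    """Weak filter: decides on the raw request target.

    WSDL/WADL descriptors are conventionally public, so any request that
    looks like a descriptor fetch is exempted before the protected-path check
    runs. The exemption is keyed on string suffixes, not on where the
    request will actually be routed.
    """
    if request_target.endswith("?WSDL") or ";.wadl" in request_target:
        return True  # believed to be a public descriptor request
    return not request_target.startswith(PROTECTED_PREFIXES)


def normalize_path(request_target: str) -> str:
    """Reduce a request target to the path the container routes on:
    drop the query string, strip matrix parameters (';key=value', ';.wadl')
    from every segment and resolve '.' and '..' segments."""
    segments = []
    for seg in urlsplit(request_target).path.split("/"):
        seg = seg.split(";", 1)[0]          # matrix params never reach routing
        if seg == "..":
            if segments:
                segments.pop()
        elif seg not in ("", "."):
            segments.append(seg)
    return "/" + "/".join(segments)


def hardened_filter_allows_unauthenticated(request_target: str) -> bool:
    """Hardened filter: normalize first, then decide.

    Protected prefixes are checked against the normalized path, so a suffix
    cannot move a request out of the protected set, and the descriptor
    exemption applies only to routes explicitly listed as public.
    """
    path = normalize_path(request_target)
    query = urlsplit(request_target).query
    if path.startswith(PROTECTED_PREFIXES):
        return False
    if path in PUBLIC_DESCRIPTOR_ROUTES and query.upper() == "WSDL":
        return True
    return False  # deny by default; anything else needs a session


def compare(request_target: str) -> tuple[bool, bool]:
    """Return (weak_allows, hardened_allows) for one request target."""
    return (weak_filter_allows_unauthenticated(request_target),
            hardened_filter_allows_unauthenticated(request_target))


if __name__ == "__main__":
    for target in ("/iam/governance/example/api/v1/resource",
                   "/iam/governance/example/api/v1/resource?WSDL",
                   "/iam/governance/example/api/v1/resource;.wadl",
                   "/ws/PublicService?WSDL"):
        weak, hardened = compare(target)
        print(f"{target:50} weak={weak!s:5} hardened={hardened}")
```

The weak filter lets both suffixed requests to the protected resource through, while the hardened one rejects them because the normalized path is still under the protected prefix. Note the second design change alongside normalization: the hardened filter denies by default and exempts only an explicit allowlist of descriptor routes, instead of exempting anything that merely looks like a descriptor fetch.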

The Grave Consequences for IAM Systems

A successful exploit of CVE-2025-61757 is an immediate disaster for any organization running affected versions:

Full Identity Compromise: The attacker gains complete control of the Identity Manager, the central authority for user provisioning, de-provisioning and privilege assignment.

Lateral Movement: From there the threat actor can create new administrative accounts, manipulate existing roles and entitlements, and move laterally across the network into internal resources, applications and core systems that trust the identities the platform issues.

Persistent Backdoors: The ability to execute arbitrary code allows attackers to establish persistent backdoors and long-term espionage capabilities within the organization's most trusted security infrastructure.

Mandatory Remediation: Patching is Not Optional

CISA has added this flaw to its Known Exploited Vulnerabilities (KEV) Catalog, mandating remediation by U.S. Federal Civilian Executive Branch agencies by December 12, 2025. All other organizations should treat it with the same urgency: a patch exists, but the flaw is being actively exploited, so the clock is already running.

Vulnerable Versions:

Oracle Identity Manager 12.2.1.4.0

Oracle Identity Manager 14.1.2.1.0

Action:

Apply October 2025 Updates: Immediately apply the patches released in the Oracle Critical Patch Update (CPU) for October 2025. Because exploitation attempts were reported from before that CPU was available, a host that was exposed and unpatched in the meantime should be investigated as possibly compromised, not just patched.

Log Review: Search the web-server and WebLogic access logs for the Identity Manager service for the bypass suffixes (e.g. ;.wadl or ?WSDL) attached to REST API paths, in POST requests especially but in any HTTP method. Such a request answered with 200 rather than a 401/403 or a redirect to the login page indicates the bypass worked, not merely that it was attempted.

Segmentation: Keep the Oracle Identity Manager environment strictly segmented from other critical systems, and its management interfaces off the internet, to limit the blast radius should the host be compromised.
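The log review above can be scripted. The following is an added example (not part of the original post and not Oracle tooling) that scans constructed access-log lines for the bypass suffixes on Identity Manager REST paths. It assumes the REST API is served under the /iam/ prefix, and it goes slightly beyond the two strings named in the text by also catching percent-encoded forms of the suffixes.

```python
"""Added detection example, not from the original post or from Oracle: scan
web-server access logs for the bypass suffixes on Identity Manager REST paths.
The log lines are constructed, and the assumption that the REST API lives
under the /iam/ prefix is made for this example. It also catches
percent-encoded forms of the suffixes, which goes beyond the text."""
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Constructed sample lines in common log format; none of this is real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Sep/2025:10:14:02 +0000] "POST /iam/governance/example/api/v1/resource?WSDL HTTP/1.1" 200 512
198.51.100.3 - - [01/Sep/2025:10:14:05 +0000] "GET /identity/faces/signin HTTP/1.1" 200 3310
203.0.113.7 - - [01/Sep/2025:10:14:09 +0000] "POST /iam/governance/example/api/v1/resource;.wadl HTTP/1.1" 200 611
192.0.2.9 - - [01/Sep/2025:10:15:11 +0000] "GET /ws/PublicService?WSDL HTTP/1.1" 200 9120
203.0.113.7 - - [01/Sep/2025:10:15:20 +0000] "GET /iam/governance/example/api/v1/resource%3Bx.wadl HTTP/1.1" 200 611
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')
IDM_PREFIX = "/iam/"   # assumed context root of the Identity Manager REST API


def classify_target(raw_target: str):
    """Return a reason string if the request target carries a bypass suffix
    on an Identity Manager path, else None."""
    target = unquote(raw_target)                  # catch %3B / %3F encodings too
    parts = urlsplit(target)
    if not parts.path.startswith(IDM_PREFIX):
        return None                               # descriptor fetches elsewhere are normal
    if parts.query.upper().startswith("WSDL"):
        return "wsdl-query"                       # '?WSDL' appended to a REST path
    for seg in parts.path.split("/"):
        if ";" in seg and ".wadl" in seg.split(";", 1)[1].lower():
            return "wadl-matrix"                  # ';.wadl' (or a variant) matrix parameter
    return None


def scan_log(text: str) -> list[dict]:
    """Parse access-log lines and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, target, status = m.groups()
        reason = classify_target(target)
        if reason:
            # A 200 on a request that should have required a session is the
            # signal that the bypass worked, not merely that it was attempted.
            findings.append({"ip": ip, "time": ts, "method": method,
                             "target": target, "status": int(status),
                             "reason": reason})
    return findings


def suspicious_sources(findings: list[dict]) -> Counter:
    """Count findings per client address to prioritise follow-up."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f"{f['ip']:14} {f['method']:5} {f['status']} {f['reason']:12} {f['target']}")
    print(suspicious_sources(results))
```

Run against real logs, the /identity/ sign-in page and a WSDL fetch for a genuinely public SOAP service produce no findings, while the three requests that attach a suffix to a REST path under /iam/ are flagged and grouped by source address. Any hit with status 200 deserves the same treatment as a confirmed compromise until proven otherwise.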

Conclusion

The simplicity of the bypass combined with the critical nature of the compromised system makes CVE-2025-61757 one of the most dangerous vulnerabilities of the month. Identity is the new perimeter, and when the perimeter itself is breached without a password, the entire network is exposed. Patching must be your top priority.
