CrowdSec
CrowdSec Score: 9/10

Oracle Identity Manager - Authentication Bypass (CVE-2025-61757)

Published on: 21-10-2025
First seen on: 15-12-2025
Public Exploit
CVSS 9.8/10
Oracle Corporation - Identity Manager

Exploiting IPs reported: 5

Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: REST WebServices). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Identity Manager. Successful attacks of this vulnerability can result in takeover of Identity Manager. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

CrowdSec analysis

CVE-2025-61757 is a critical vulnerability in Oracle Fusion Middleware's Identity Manager REST WebServices component, affecting versions 12.2.1.4.0 and 14.1.2.1.0. This flaw allows unauthenticated attackers with network access via HTTP to easily compromise the Identity Manager, potentially resulting in a complete system takeover. Exploitation could lead to severe impacts on confidentiality, integrity, and availability, making it a prime target for remote attacks.

CrowdSec has been tracking this vulnerability and its exploits since the 10th of December 2025.

Data from the CrowdSec community indicates that exploitation of CVE-2025-61757 is highly selective and intelligence-driven. Threat actors use advanced reconnaissance and carefully choose their targets, often as part of sophisticated campaigns or advanced persistent threat operations. CrowdSec data also reveals a clear uptick in attacks involving CVE-2025-61757 over the past week. Activity is above the usual baseline, suggesting growing attention from attackers. This may reflect rising awareness, recent exploit releases, or expanded targeting efforts.

Attackers exploit this vulnerability by sending unauthenticated requests to endpoints such as /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus and /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl, bypassing authentication to gain unauthorized access and potentially take over Oracle Identity Manager.
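
A log check for the request pattern described above, as an added example (not CrowdSec's detection rule and not code from this page): it flags requests to the named endpoint, with or without the `;.wadl` suffix, including percent-encoded and mixed-case variants. The Combined Log Format, the sample lines and the documentation-range IPs are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Endpoint named in the advisory text above.
ENDPOINT = "/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus"

# Assumption: Combined Log Format. Adapt the regex to your proxy or app-server logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def classify(target):
    """Return None, 'endpoint' or 'endpoint+wadl' for a raw request target."""
    path = target.split("?", 1)[0].split("#", 1)[0]
    for _ in range(3):  # bounded repeat-decode: %3b and %253b both become ';'
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    segments = re.sub(r"/{2,}", "/", path).lower().split("/")
    # Drop ';param' suffixes per segment before comparing with the endpoint.
    bare = "/".join(s.split(";", 1)[0] for s in segments).rstrip("/")
    if bare != ENDPOINT:
        return None
    return "endpoint+wadl" if any(";.wadl" in s for s in segments) else "endpoint"

def scan(lines):
    """Return one record per log line that targets the endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        kind = classify(m["target"]) if m else None
        if kind:
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]), "kind": kind})
    return hits

# Constructed sample lines (documentation-range IPs), not real telemetry.
SAMPLE = [
    f'203.0.113.7 - - [15/Dec/2025:10:01:02 +0000] "GET {ENDPOINT};.wadl HTTP/1.1" 200 512',
    f'198.51.100.9 - - [15/Dec/2025:10:04:40 +0000] "GET {ENDPOINT}%3B.WADL HTTP/1.1" 200 87',
    f'192.0.2.44 - - [15/Dec/2025:10:09:13 +0000] "GET {ENDPOINT} HTTP/1.1" 401 0',
    '192.0.2.50 - - [15/Dec/2025:10:11:00 +0000] "GET /identity/faces/home HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

On hosts running the affected versions (12.2.1.4.0 and 14.1.2.1.0), hits from clients with no authenticated session are the ones to triage first.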

Protection

Find out relevant information to protect your stack against this CVE.

Blocklist

With our advanced worldwide network detection, CrowdSec can provide a list of IPs known for exploiting the vulnerability.

To increase your protection against this CVE, block exploitation attempts with this list of identified actors.