The U.S. Cybersecurity and Infrastructure Safety Company (CISA) has added a brand new Oracle vulnerability to its Recognized Exploited Vulnerabilities (KEV) catalog, warning that attackers are already exploiting it in real-world assaults.
The bug, tracked as CVE-2025-61757, impacts Oracle Identification Supervisor, a part of Oracle Fusion Middleware.
The flaw is rated as a “lacking authentication for vital perform” situation, that means a distant attacker can entry highly effective features within the product with out first logging in.
In observe, this opens the door to full distant code execution and full takeover of the id platform.
| Discipline | Worth |
|---|---|
| CVE ID | CVE-2025-61757 |
| Vulnerability Sort | Lacking Authentication for Essential Operate |
| Affected Product | Oracle Fusion Middleware / Oracle Identification Supervisor |
| Affected Variations | 12c 12.2.1.4.0 and sure others |
Pre-auth RCE in extensively used id software program
Many enterprises and authorities companies use Oracle Identification Supervisor (often known as Oracle Identification Governance) to handle consumer accounts, credentials, and entry rights.
As a result of it sits on the heart of id and entry administration, a compromise of this method can rapidly result in domain-wide or cloud-wide compromise.
Safety researchers from Searchlight Cyber’s Assetnote crew found that sure Oracle Identification Supervisor REST APIs may very well be accessed with out correct authentication checks.
By abusing how the product handles URL patterns and filters, an attacker can trick the system into treating protected endpoints as in the event that they had been public.
As soon as previous authentication, the attacker can attain performance that processes Groovy scripts. Though the function is meant solely for syntax checking, the researchers confirmed that it may be abused to run code throughout compilation.
This turns a easy logic flaw into a robust pre-authentication distant code execution (RCE) vulnerability.
The analysis follows an earlier main breach of Oracle Cloud’s login service in January, during which attackers reportedly exploited an older Oracle Entry Supervisor flaw (CVE-2021-35587) to realize RCE and steal thousands and thousands of information.
The brand new bug, CVE-2025-61757, impacts associated id parts and will have been used equally in opposition to Oracle’s personal infrastructure if left unpatched.
CISA notes that the vulnerability is especially regarding as a result of it may be exploited over the community by an unauthenticated attacker.
On condition that many Oracle Identification Supervisor cases are uncovered to the web for consumer entry, the assault floor is critical. CVE-2025-61757 was added to CISA’s KEV catalog on November 21, 2025.
Federal civilian companies are ordered to use Oracle’s fixes, observe Binding Operational Directive (BOD) 22-01 steering for cloud providers, or discontinue use of the product by December 12, 2025.
Organizations operating Oracle Fusion Middleware and Oracle Identification Supervisor ought to urgently deploy the newest Oracle Essential Patch Replace, overview exterior publicity of id providers, and monitor for suspicious entry to administrative APIs and scripting options.
Observe us on Google Information, LinkedIn, and X to Get Prompt Updates and set GBH as a Most popular Supply in Google.
