At the end of October 2025, Oracle released an emergency security alert addressing CVE-2025-61757, a high-severity authentication-bypass flaw that enables remote code execution in the Identity Manager product of Oracle Fusion Middleware (versions 12.2.1.4.0 and 14.1.2.1.0). Multiple threat actors are already exploiting the vulnerability in the wild, and it was added to CISA’s Known Exploited Vulnerabilities catalog on November 21, 2025.
Oracle Identity Manager is widely deployed across large enterprises, particularly in finance, government, healthcare, and other sectors that rely heavily on Oracle infrastructure. Because it remains a core identity platform for many organizations, this vulnerability significantly elevates risk, making CVE-2025-61757 especially critical.
The Vulnerability
Recent disclosures indicate that, unlike previous Oracle CVEs, this vulnerability is straightforward and highly susceptible to exploitation by threat actors. The vulnerability originates from an authentication bypass in Oracle Identity Manager’s REST APIs, where attackers can trick the security filter into treating protected endpoints as public by appending parameters such as ?WSDL or ;.wadl to the URL path. This exposes sensitive endpoints like:
After gaining unauthenticated access, attackers can interact with a Groovy script compilation endpoint. Although this endpoint is not intended to execute scripts, it can be exploited to run malicious code during the compilation process by abusing Groovy’s annotation-processing feature.
This flaw chain allowed researchers to achieve pre-authentication remote code execution on vulnerable Oracle Identity Manager instances.
What We’ve Seen
Over the past week, more than 300,000 attack attempts have been detected targeting this vulnerability. These attacks are occurring globally across over 18 countries, with the majority focused on the US and France.
Computing, healthcare, and business sites are hit the hardest by attack attempts.
Bottom Line
CVE-2025-61757 is a critical authentication bypass vulnerability with a high operational impact, potentially allowing attackers to achieve remote code execution.
The Imperva Threat Research group tracked and identified the exploitation chain of this vulnerability, ensuring that Imperva customers with Elastic WAF, Cloud WAF, or On-Prem WAF are now protected out of the box.
The post CVE-2025-61757: Imperva Customers Protected Against Critical Oracle Identity Manager Authentication Bypass Leading to Remote Code Execution appeared first on Blog.