CISA warns of actively exploited Oracle Identity Manager vulnerability
Take action: If you're running Oracle Identity Manager, be aware that it is under active attack. Plan a very quick update to the October 2025 Critical Patch Update. If you can't patch right away, restrict the system to trusted networks only and deploy a Web Application Firewall with custom rules for this attack.
Learn More
CISA is warning of active exploitation of a critical remote code execution vulnerability in Oracle Identity Manager.
The flaw, tracked as CVE-2025-61757 (CVSS score 9.8), is caused by a missing authentication check in the REST WebServices component of Oracle Identity Manager. Researchers found that Oracle Identity Manager relies on a central security filter that can be circumvented by manipulating request parameters: appending the string ";.wadl" to a URL endpoint tricks the authentication layer into treating the request as one that does not require authentication.
Oracle patched this vulnerability as part of its October 2025 Critical Patch Update. Organizations running vulnerable versions of Oracle Identity Manager must immediately apply patches.
For systems where immediate patching is not feasible, CISA recommends implementing network segmentation to limit exposure to trusted internal networks, deploying Web Application Firewalls with custom rules to detect and block suspicious HTTP requests, and auditing Identity Manager configurations and logs to detect anomalous activity.
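As an added example (not from CISA's advisory or any Oracle tooling), the following Python performs the log audit described above: it scans constructed access-log lines for the ";.wadl" marker, normalizing percent-encoding and case first so that a WAF rule or log query does not miss an encoded spelling of the same request, and it generalizes slightly to any ";..." matrix parameter ending in ".wadl". The log format, client addresses and request paths are constructed placeholders.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Apache combined format. Clients, paths
# and timestamps are placeholders, not real Oracle Identity Manager traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Nov/2025:10:01:02 +0000] "GET /example-rest/resource HTTP/1.1" 401 0 "-" "curl/8.4"
10.0.0.5 - - [21/Nov/2025:10:01:09 +0000] "GET /example-rest/resource;.wadl HTTP/1.1" 200 1542 "-" "curl/8.4"
10.0.0.7 - - [21/Nov/2025:10:02:11 +0000] "GET /example-rest/resource%3B.wadl HTTP/1.1" 200 1542 "-" "python-requests/2.31"
192.168.1.20 - - [21/Nov/2025:10:03:45 +0000] "GET /example-ui/home HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# A path segment whose ";..." matrix parameter ends in ".wadl", e.g. "/resource;.wadl".
# Matched on the decoded, case-folded path so encoded spellings do not slip past.
WADL_BYPASS_RE = re.compile(r';[^/?]*\.wadl', re.IGNORECASE)


def normalize_path(target: str) -> str:
    """Strip the query string and percent-decode twice (undoing one layer of
    double-encoding), then case-fold, as a WAF normalizer would before matching."""
    path = target.split("?", 1)[0]
    return unquote(unquote(path)).lower()


def detect_wadl_bypass(log_text: str) -> list[dict]:
    """Return the requests carrying the CVE-2025-61757 ';.wadl' marker. A 2xx
    status means the resource answered instead of rejecting the request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = normalize_path(m["target"])
        if WADL_BYPASS_RE.search(path):
            status = int(m["status"])
            hits.append({"client": m["client"], "timestamp": m["ts"],
                         "path": path, "status": status,
                         "succeeded": 200 <= status < 300})
    return hits


if __name__ == "__main__":
    for hit in detect_wadl_bypass(SAMPLE_LOG):
        print(hit["timestamp"], hit["client"], hit["status"], hit["path"], "served" if hit["succeeded"] else "rejected")
```

Requests that match but receive a 401 or 403 are attempts worth recording; a match that is served with a 2xx is the one to escalate.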