The vulnerability CVE-2025-61757 in Oracle Identity Manager is a critical zero-day flaw characterized by missing authentication on a critical function, allowing unauthenticated remote code execution (RCE). The root cause is a bypass of a security filter designed to restrict access to certain API endpoints. This filter relies on an error-prone allow-list mechanism using regular expressions or string matching against request URIs. Attackers can append parameters such as "?WSDL" or ";.wadl" to URIs, tricking the system into treating protected endpoints as publicly accessible. Specifically, the vulnerable endpoint "/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus" is intended only for Groovy code syntax checking, not execution. However, attackers can send specially crafted HTTP POST requests containing Groovy annotations that execute code at compile time, effectively achieving RCE without running the compiled code. This flaw enables attackers to manipulate authentication flows, escalate privileges, and move laterally within an organization's core systems. The vulnerability affects Oracle Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0 and was patched in Oracle's quarterly update prior to November 2025. Evidence of active exploitation was observed via honeypot logs showing multiple scanning attempts from different IP addresses using consistent user agents, indicating a likely single threat actor. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities catalog and mandated patching for federal agencies by December 12, 2025. The vulnerability's high CVSS score of 9.8 reflects its criticality due to ease of exploitation, lack of authentication requirement, and potential for full system compromise.

For European organizations, the impact of this vulnerability is severe. Oracle Identity Manager is widely used in enterprise environments for identity and access management, making it a critical component for securing user credentials and permissions. Exploitation could lead to unauthorized access to sensitive identity data, full compromise of identity management systems, and subsequent lateral movement across corporate networks. This could result in data breaches, disruption of business operations, and loss of trust. Given the ability to execute code remotely without authentication, attackers can deploy malware, create backdoors, or manipulate authentication flows to escalate privileges undetected. The active exploitation in the wild increases the risk of targeted attacks against European entities, especially those in finance, government, healthcare, and critical infrastructure sectors that rely heavily on Oracle products. The potential for widespread impact is high if organizations delay patching or lack adequate detection capabilities.

European organizations should immediately verify if they use Oracle Identity Manager versions 12.2.1.4.0 or 14.1.2.1.0 and prioritize applying the Oracle quarterly patch that addresses CVE-2025-61757. Beyond patching, organizations should implement strict network segmentation to limit access to identity management systems and monitor API endpoints for unusual query parameters such as "?WSDL" or ";.wadl". Deploy web application firewalls (WAFs) with custom rules to detect and block suspicious URI manipulations targeting the vulnerable endpoint. Enhance logging and monitoring of HTTP POST requests to the "/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus" endpoint, focusing on anomalous payload sizes or patterns. Conduct threat hunting exercises to identify potential indicators of compromise related to this vulnerability. Restrict administrative access to Oracle Identity Manager to trusted networks and users, and enforce multi-factor authentication (MFA) where possible. Finally, maintain up-to-date threat intelligence feeds and coordinate with national cybersecurity agencies for emerging exploit information.