Oracle Identity Manager Exploit Observation from September (CVE-2025-61757), (Thu, Nov 20th)

Critical
Exploit
Published: Thu Nov 20 2025 (11/20/2025, 16:51:46 UTC)
Source: SANS ISC Handlers Diary

Description

CVE-2025-61757 is a critical vulnerability in Oracle Identity Manager that allows unauthenticated attackers to bypass authentication by appending ";.wadl" to URLs, enabling access to arbitrary endpoints. This flaw can lead to remote code execution, as demonstrated by proof-of-concept exploits targeting specific API endpoints. Multiple IP addresses were observed scanning for this vulnerability prior to Oracle's October 21st patch release, indicating active reconnaissance by attackers. The exploit requires no authentication and involves sending POST requests with crafted payloads. Although no confirmed widespread exploitation has been reported, the ease of exploitation and potential impact make this a significant threat. Organizations using Oracle Identity Manager should urgently apply the official patch and monitor for suspicious access patterns involving the ";.wadl" URL suffix. European entities with Oracle Identity Manager deployments are at risk, especially those in sectors with high-value identity and access management needs.

AI-Powered Analysis

Last updated: 11/21/2025, 01:13:22 UTC

Technical Analysis

CVE-2025-61757 is a critical security vulnerability discovered in Oracle Identity Manager, reported by Searchlight Cyber and patched by Oracle in its October 2025 Critical Patch Update. The vulnerability arises from a design flaw where URLs ending with the suffix ".wadl" bypass authentication controls. Simply appending ".wadl" does not work, but appending ";.wadl" to a URL allows attackers to access arbitrary endpoints without authentication. This bypass enables attackers to reach sensitive API endpoints, such as /iam/governance/applicationmanagement/templates;.wadl, and execute remote code via crafted POST requests. Searchlight Cyber provided a proof-of-concept demonstrating remote code execution through this method. Analysis of server logs revealed multiple scans from different IP addresses using the same user agent, indicating a likely single attacker or coordinated group actively probing for this vulnerability before the patch was released. The attacker IPs also scanned for other vulnerabilities, including CVE-2025-4581 and Log4j exploits, suggesting a broad targeting strategy. The vulnerability does not require user interaction or authentication, making exploitation straightforward. The lack of captured request bodies limits full insight into payloads used, but the observed content-length suggests substantial exploit attempts. Oracle Identity Manager is widely used for identity and access management in enterprises, making this vulnerability particularly dangerous due to potential unauthorized access and remote code execution capabilities.

Potential Impact

For European organizations, the impact of CVE-2025-61757 can be severe. Oracle Identity Manager is often deployed in large enterprises, government agencies, and critical infrastructure sectors for managing user identities and access rights. Exploitation could lead to unauthorized access to sensitive identity data, manipulation of access controls, and full system compromise via remote code execution. This threatens confidentiality, integrity, and availability of critical systems. Attackers could move laterally within networks, escalate privileges, and disrupt business operations or exfiltrate sensitive data. Given the ease of exploitation and lack of authentication requirement, attackers can rapidly compromise vulnerable systems. The presence of active scanning prior to patch release indicates that threat actors are aware and attempting exploitation, increasing risk for unpatched organizations. The impact is heightened in regulated sectors subject to GDPR and other compliance regimes, where data breaches can result in significant fines and reputational damage.

Mitigation Recommendations

European organizations should immediately apply Oracle's October 2025 Critical Patch Update to remediate CVE-2025-61757. Beyond patching, organizations should:

1) Implement strict network segmentation and restrict access to Oracle Identity Manager interfaces to trusted internal networks and VPNs.
2) Deploy web application firewalls (WAFs) with custom rules to detect and block requests containing ";.wadl" URL suffixes or anomalous POST requests targeting Identity Manager endpoints.
3) Conduct thorough log analysis to identify any past exploitation attempts, focusing on unusual POST requests with the specified user agent or from suspicious IP addresses.
4) Enforce multi-factor authentication (MFA) on administrative access to reduce impact if partial compromise occurs.
5) Regularly audit and monitor identity management systems for unauthorized changes or anomalous activity.
6) Coordinate with threat intelligence teams to stay updated on emerging exploitation techniques related to this vulnerability.
7) Consider deploying endpoint detection and response (EDR) solutions to detect potential lateral movement or post-exploitation activity stemming from this vulnerability.
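The log-analysis step above, as an added example that is not from the diary or this page: a small Python scanner over combined-format web access logs (the sample lines are constructed) that flags requests whose path carries the ";.wadl" bypass suffix and leaves ordinary ".wadl" requests alone. It also decodes percent-encoded paths before matching, which goes beyond what the text describes.

```python
import re
from urllib.parse import unquote

# Constructed sample access log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Sep/2025:10:01:02 +0000] "GET /iam/governance/applicationmanagement/templates;.wadl HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [15/Sep/2025:10:01:05 +0000] "POST /iam/governance/applicationmanagement/templates;.wadl HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Sep/2025:10:02:00 +0000] "GET /iam/governance/applicationmanagement/templates HTTP/1.1" 401 0 "-" "curl/8.0"
198.51.100.7 - - [15/Sep/2025:10:02:30 +0000] "GET /iam/api/v1/users%3B.wadl HTTP/1.1" 200 300 "-" "curl/8.0"
192.0.2.5 - - [15/Sep/2025:10:03:00 +0000] "GET /application.wadl HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def has_wadl_bypass(target: str) -> bool:
    """True when the request path (query string dropped) contains the
    ';.wadl' suffix. The path is percent-decoded first so an encoded
    semicolon ('%3B') is caught too; a plain '.wadl' does not match, since
    the diary notes that form does not bypass authentication."""
    path = target.split("?", 1)[0]
    return ";.wadl" in unquote(path).lower()


def scan_log(text: str) -> list[dict]:
    """Return one finding per log line that carries the bypass suffix.
    POST requests are marked separately because the observed exploit
    attempts used POST with a request body."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not has_wadl_bypass(m["target"]):
            continue
        findings.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "method": m["method"],
            "path": unquote(m["target"].split("?", 1)[0]),
            "status": int(m["status"]),
            "ua": m["ua"],
            "post_with_2xx": m["method"] == "POST" and m["status"].startswith("2"),
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

Feed it real access logs from the Identity Manager front end; a hit with `post_with_2xx` set deserves immediate follow-up, a GET hit indicates at least reconnaissance.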


Technical Details

Article Source: https://isc.sans.edu/diary/rss/32506 (fetched 2025-11-21T01:13:02Z, 417 words)

Threat ID: 691fbca370da09562fa0bb8c

Added to database: 11/21/2025, 1:13:07 AM

Last enriched: 11/21/2025, 1:13:22 AM

Last updated: 11/21/2025, 11:00:31 AM
