Threat Actors Actively Exploiting Oracle Identity Manager Critical Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned that threat actors are actively exploiting a critical vulnerability in Oracle Identity Manager (OIM). CISA advised all government civilian executive branch institutions to patch the vulnerability by December 12, 2025, and recommends that all users apply the patches without delay. Healthcare organizations that use OIM for managing EHRs in compliance with HIPAA need to pay attention to this advisory as well.

An unauthenticated remote attacker can easily exploit the remote code execution vulnerability via HTTP to execute arbitrary code on vulnerable systems and could take full control of Oracle Identity Manager. The vulnerability is tracked as CVE-2025-61757 and has an assigned CVSS severity score of 9.8. It results from missing authentication for a critical function in the REST Web Services component of Oracle Fusion Middleware. Exploiting the vulnerability enables the attacker to trick a security control into allowing public access to protected endpoints. A script can then be accessed and abused to execute malicious code.

Researchers Adam Kues and Shubham Shahflow of Searchlight Cyber identified the vulnerability and reported it to Oracle. The researchers discovered the vulnerability while looking into a security incident that took advantage of CVE-2021-35587. According to Kues and Shahflow, unlike some of the earlier discovered vulnerabilities in Oracle Access Manager, CVE-2025-61757 is rather trivial and can be exploited easily by threat actors.

The vulnerability affects Oracle Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0. Oracle issued patches to correct the vulnerability when it released its security updates for October 2025. Any users who have not downloaded and installed the patches need to do so right away to avoid exploitation, since the researchers have already published all the details required to exploit the vulnerability.

Although it is uncertain how widely threat actors are exploiting the vulnerability, it is probably a major target for ransomware groups. There is evidence that an advanced persistent threat actor has potentially been exploiting the vulnerability since August 30, 2025.

Image credit: tippapatt, AdobeStock / logo©Oracle


Posted by

John Blacksmith

John Blacksmith is a journalist with several years' experience in both print and online publications. John has specialised in information technology in the healthcare sector and in particular in healthcare data security and privacy. His focus on healthcare data means he has specialist knowledge of the HIPAA regulations. John has a degree in journalism and many years' experience.