Cyber Web Spider Blog – News

CISA Warns of Actively Exploited Critical Oracle Identity Manager Zero-Day Vulnerability

Posted on November 22, 2025 By CWS

Nov 22, 2025Ravie LakshmananZero-Day / Software program Safety
The U.S. Cybersecurity and Infrastructure Safety Company (CISA) on Friday added a vital safety flaw impacting Oracle Identification Supervisor to its Identified Exploited Vulnerabilities (KEV) catalog, citing proof of energetic exploitation.
The vulnerability in query is CVE-2025-61757 (CVSS rating: 9.8), a case of lacking authentication for a vital perform that may end up in pre-authenticated distant code execution. The vulnerability impacts variations 12.2.1.4.0 and 14.1.2.1.0. It was addressed by Oracle as a part of its quarterly updates launched final month.

“Oracle Fusion Middleware contains a missing authentication for a critical function vulnerability, allowing unauthenticated remote attackers to take over Identity Manager,” CISA said.

Searchlight Cyber researchers Adam Kues and Shubham Shah, who discovered the flaw, said it could enable an attacker to access API endpoints that, in turn, can allow them “to manipulate authentication flows, escalate privileges, and move laterally across an organization’s core systems.”

Specifically, it stems from a bypass of a security filter that tricks protected endpoints into being treated as publicly accessible by simply adding “?WSDL” or “;.wadl” to any URI. This, in turn, is the result of a faulty allow-list mechanism based on regular expressions or string matching against the request URI.

“This method is very error-prone, and there are sometimes ways to trick these filters into thinking we’re accessing an unauthenticated route when we’re not,” the researchers noted.

The authentication bypass can then be paired with a request to the “/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus” endpoint to achieve remote code execution by sending a specially crafted HTTP POST. Although the endpoint is only meant for checking the syntax of Groovy code and not executing it, Searchlight Cyber said it was able to “write a Groovy annotation that executes at compile time, even though the compiled code is not actually run.”

The addition of CVE-2025-61757 to the KEV catalog comes days after Johannes B. Ullrich, the dean of research at the SANS Technology Institute, said an analysis of honeypot logs revealed several attempts to access the URL “/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl” via HTTP POST requests between August 30 and September 9, 2025.

“There are several different IP addresses scanning for it, but they all use the same user agent, which suggests that we may be dealing with a single attacker,” Ullrich said. “Unfortunately, we did not capture the bodies for these requests, but they were all POST requests. The content-length header indicated a 556-byte payload.”

This indicates that the vulnerability may have been exploited as a zero-day vulnerability, well before a patch was shipped by Oracle. The IP addresses from which the attempts originated are listed below:

89.238.132[.]76
185.245.82[.]81
138.199.29[.]153

In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary patches by December 12, 2025, to secure their networks.
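
For defenders reviewing their own web or proxy logs, the two URI suffixes and the shared-user-agent pattern described above can be hunted for directly. The following is an added example, not code from the article, Searchlight Cyber or SANS; the combined log format, the sample lines, the documentation-range IP addresses, the user-agent strings and the `/iam/governance/example/resource` path are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Constructed access-log lines (combined log format); IPs are documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Sep/2025:10:00:01 +0000] "POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl HTTP/1.1" 200 312 "-" "ExampleScanner/1.0"
198.51.100.7 - - [02/Sep/2025:11:12:40 +0000] "POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus%3B.wadl HTTP/1.1" 200 312 "-" "ExampleScanner/1.0"
203.0.113.5 - - [02/Sep/2025:11:30:02 +0000] "GET /iam/governance/example/resource?WSDL HTTP/1.1" 200 88 "-" "curl/8.5.0"
203.0.113.9 - - [03/Sep/2025:09:00:00 +0000] "GET /identity/faces/signin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def bypass_marker(uri):
    """Return the suffix the article describes if the URI carries it, else None."""
    parts = urlsplit(uri)
    path = unquote(parts.path).lower()  # decode first so %3B.wadl is caught too
    if path.endswith(";.wadl"):
        return ";.wadl"
    if unquote(parts.query).lower() == "wsdl":
        return "?WSDL"
    return None

def scan(log_text):
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        marker = bypass_marker(m["uri"])
        if marker:
            hits.append({"ip": m["ip"], "method": m["method"], "ua": m["ua"],
                         "marker": marker, "status": m["status"]})
    return hits

def ips_by_user_agent(hits):
    """Group source IPs by user agent to spot one client rotating addresses."""
    groups = defaultdict(set)
    for h in hits:
        groups[h["ua"]].add(h["ip"])
    return dict(groups)

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Legitimate service-description fetches can also end in `?WSDL`, so hits that are POST requests or that target REST paths deserve attention first.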
