The Cybersecurity and Infrastructure Security Agency (CISA) is urging organizations to immediately address a critical security flaw in Oracle Identity Manager following reports of active exploitation.
The vulnerability, tracked as CVE-2025-61757, allows unauthenticated remote attackers to execute arbitrary code on affected systems, posing a severe threat to enterprise and government networks.
This warning comes in the wake of a massive breach earlier this year involving Oracle Cloud's own login service, which exposed over six million records.
Security researchers at Searchlight Cyber identified this vulnerability while analyzing the attack surface of Oracle Cloud's login host. The investigation revealed that the same software stack compromised in January, specifically the Oracle Identity Governance Suite, contained a severe pre-authentication Remote Code Execution (RCE) flaw.
This discovery highlighted a critical oversight in how the application handled authentication filters, leaving hundreds of tenants vulnerable to complete compromise without requiring any valid credentials.
The vulnerability resides within the application's SecurityFilter mechanism found in the web.xml configuration. This filter was designed to manage authentication checks but relied on a flawed regular expression whitelist.
Developers intended to allow unauthenticated access to Web Application Description Language (WADL) files, but the implementation failed to account for how Java interprets request Uniform Resource Identifiers (URIs).
Attackers can bypass authentication entirely by appending specific matrix parameters to the URL. The research team demonstrated that adding ;.wadl to a request URI tricks the server into treating the request as a harmless WADL retrieval while the underlying Java servlet processes it as a valid API call.
This logical discrepancy grants attackers unrestricted access to restricted REST endpoints, such as /iam/governance/applicationmanagement.
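As an added illustration (not code from Searchlight Cyber, Oracle, or this article), the Python below models the mismatch described above and turns it into a check defenders can run over web access logs: the allow-list regex sees a URI ending in .wadl, while the path the servlet dispatches on, with matrix parameters stripped, is a protected REST endpoint. The allow-list pattern, the log format and the sample log lines are constructed for the example; the per-segment matrix-parameter stripping in servlet_path is an assumption about servlet URI handling, not a reproduction of Oracle's implementation. The hardened_allows function shows the corrective pattern of matching the resolved path rather than the raw URI.

```python
import re

# Constructed stand-in for the SecurityFilter allow-list: a regex applied to the
# raw request URI that exempts anything ending in ".wadl" from authentication.
# The real pattern in Oracle's web.xml is not reproduced in the article.
WADL_ALLOW_RE = re.compile(r".*\.wadl$")

# Common-log-format style line; the format is constructed for this example.
LOG_RE = re.compile(r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')

# Constructed sample traffic: one legitimate WADL fetch, one denied API call,
# and two requests that carry ";.wadl" as a matrix parameter.
LOG_LINES = [
    '203.0.113.5 - - [21/Nov/2025:10:01:02 +0000] "GET /iam/governance/applicationmanagement/application.wadl HTTP/1.1" 200 512',
    '203.0.113.5 - - [21/Nov/2025:10:01:09 +0000] "GET /iam/governance/applicationmanagement;.wadl HTTP/1.1" 200 2048',
    '198.51.100.7 - - [21/Nov/2025:10:02:11 +0000] "GET /iam/governance/applicationmanagement HTTP/1.1" 401 0',
    '198.51.100.7 - - [21/Nov/2025:10:02:30 +0000] "POST /iam/governance/applicationmanagement/templates;.wadl?x=1 HTTP/1.1" 200 77',
]


def request_path(raw_uri: str) -> str:
    """Drop the query string; the filter and the servlet both ignore it here."""
    return raw_uri.split("?", 1)[0]


def servlet_path(raw_uri: str) -> str:
    """Approximate the path a Java servlet container dispatches on: every path
    segment loses its matrix parameters (everything from the first ';').
    This is an assumption about servlet URI resolution, not Oracle's code."""
    return "/".join(seg.split(";", 1)[0] for seg in request_path(raw_uri).split("/"))


def filter_view_allows(raw_uri: str) -> bool:
    """The flawed allow-list: regex over the raw path, matrix parameters included."""
    return WADL_ALLOW_RE.match(request_path(raw_uri)) is not None


def hardened_allows(raw_uri: str) -> bool:
    """Corrected allow-list: evaluate the same regex on the resolved servlet path,
    so ';.wadl' appended to an API path no longer satisfies it."""
    return WADL_ALLOW_RE.match(servlet_path(raw_uri)) is not None


def is_bypass_attempt(raw_uri: str) -> bool:
    """Flag the signature of the bypass: the filter would wave the request through
    as a WADL fetch, but the servlet resolves it to a non-WADL resource."""
    return filter_view_allows(raw_uri) and not servlet_path(raw_uri).endswith(".wadl")


def scan_log(lines):
    """Return (source, method, raw URI, resolved path) for each flagged request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_bypass_attempt(m["uri"]):
            hits.append((m["src"], m["method"], m["uri"], servlet_path(m["uri"])))
    return hits


if __name__ == "__main__":
    for src, method, uri, resolved in scan_log(LOG_LINES):
        print(f"{src} {method} {uri} -> servlet path {resolved}")
```

Run as a script, the check reports the two matrix-parameter requests and leaves the genuine .wadl fetch and the denied plain API call alone; the same mismatch test can be applied to any proxy or container log that records the raw request line.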
Once authentication is bypassed, threat actors can leverage the groovyscriptstatus endpoint to achieve code execution. Although this endpoint is intended only to syntax-check Groovy scripts without running them, it does perform compilation.
By injecting a script containing the @ASTTest annotation, attackers can force the Java compiler to execute arbitrary code during the compilation phase. This technique effectively turns a syntax checker into a fully functional remote shell, granting control over the host system.
This vulnerability is particularly dangerous because it requires no prior access or credentials. The combination of a trivial authentication bypass and a reliable method for code execution makes it an attractive target for ransomware groups and state-sponsored actors.
Organizations running Oracle Identity Governance Suite 12c are advised to apply the relevant patches immediately or isolate the affected services from the public internet.
CVE ID | Affected Product | Vulnerability Type | Impact | Severity
CVE-2025-61757 | Oracle Identity Governance Suite 12c (12.2.1.4.0) | Pre-Authentication RCE | Remote Code Execution, Full System Compromise | Critical (9.8)
CVE-2021-35587 | Oracle Access Manager | Pre-Authentication RCE | Data Exfiltration, Tenant Compromise | Critical
