Overview
- CISA listed CVE-2025-61757 in its Known Exploited Vulnerabilities catalog and ordered Federal Civilian Executive Branch agencies to patch by December 12 under BOD 22-01.
- CVE-2025-61757 is a pre-authentication remote code execution flaw in Oracle Identity Manager with a CVSS score of 9.8 affecting versions 12.2.1.4.0 and 14.1.2.1.0.
- Oracle addressed the issue in its October 21, 2025 security updates, but researchers warn the vulnerability is easily exploitable.
- Searchlight Cyber detailed a filter bypass using “?WSDL” or “;.wadl” to reach a Groovy compilation status endpoint without authentication; a crafted HTTP POST to that endpoint causes attacker-supplied code to run when the submitted script is compiled.
- SANS logs show multiple POST attempts between August 30 and September 9 against the groovyscriptstatus endpoint from three IPs with the same user agent, suggesting possible zero-day use prior to Oracle’s patch.
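As an added example (not code from the original report, Searchlight Cyber, SANS or Oracle), the following Python scans web access-log lines for the two indicators described above: the "?WSDL" / ";.wadl" suffixes used to bypass the authentication filter, and POST requests to the groovyscriptstatus endpoint, then groups hits by user agent so that several source IPs sharing one agent stand out as in the SANS observation. The application path prefix, the source IPs and the log lines are constructed placeholders, since the page does not give the real route.

```python
import re
from collections import defaultdict

# Combined Log Format: ip ident user [time] "METHOD path HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Indicators from the write-up: auth-filter bypass suffixes and the compile-status endpoint name.
BYPASS_SUFFIX_RE = re.compile(r'(\?wsdl$|;\.wadl)', re.IGNORECASE)
ENDPOINT_RE = re.compile(r'groovyscriptstatus', re.IGNORECASE)

# Constructed sample lines; "/placeholder-app" stands in for the real OIM route, which is not given here.
SAMPLE_LOG = """\
203.0.113.10 - - [30/Aug/2025:10:15:01 +0000] "POST /placeholder-app/groovyscriptstatus;.wadl HTTP/1.1" 200 512 "-" "ScannerUA/1.0"
203.0.113.11 - - [02/Sep/2025:03:44:10 +0000] "POST /placeholder-app/groovyscriptstatus?WSDL HTTP/1.1" 200 498 "-" "ScannerUA/1.0"
198.51.100.7 - - [09/Sep/2025:22:01:33 +0000] "POST /placeholder-app/groovyscriptstatus;.wadl HTTP/1.1" 500 0 "-" "ScannerUA/1.0"
192.0.2.5 - - [09/Sep/2025:22:05:00 +0000] "GET /placeholder-app/users HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.6 - - [09/Sep/2025:22:06:00 +0000] "GET /placeholder-app/users;.wadl HTTP/1.1" 401 0 "-" "curl/8.0"
"""

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(entry):
    """Return the indicator names that fire for one parsed request (empty list if none)."""
    reasons = []
    if BYPASS_SUFFIX_RE.search(entry["path"]):
        reasons.append("auth-filter-bypass-suffix")   # suffix alone is suspicious on any path
    if ENDPOINT_RE.search(entry["path"]):
        reasons.append("groovy-compile-status-endpoint")
        if entry["method"] == "POST":
            reasons.append("post-to-compile-endpoint")  # the pattern seen in the SANS data
    return reasons

def scan(log_text):
    """Scan a log; return per-line alerts and a user_agent -> set(source IPs) map for flagged lines."""
    alerts, ua_clusters = [], defaultdict(set)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry:
            continue
        reasons = classify(entry)
        if reasons:
            alerts.append({"ip": entry["ip"], "path": entry["path"], "reasons": reasons})
            ua_clusters[entry["ua"]].add(entry["ip"])
    return alerts, ua_clusters
```

Any user agent in the returned cluster map that maps to more than one source IP is worth a closer look, which is exactly the clustering that prompted the zero-day suspicion above.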