Critical Vulnerability in Oracle OIM Under Active Exploitation
Executive Summary
In October 2025, Oracle released a patch advisory for several critical vulnerabilities, including disclosure of a flaw within its Identity Manager product tracked as CVE-2025-61757. On November 20, 2025, Searchlight Cyber published a proof-of-concept (PoC) write-up, and shortly after the U.S. Cybersecurity & Infrastructure Security Agency (CISA) confirmed active exploitation of this vulnerability in the wild.
Successful exploitation allows attackers to execute code remotely on the Identity Manager server because certain REST requests are processed without adequate validation. Once compromised, attackers can gain full control of the system.
Because the flaw requires no authentication and can provide attackers with full system compromise, Beazley Security recommends that affected organizations using Oracle Identity Manager (OIM) patch immediately. Compromise of Identity Manager is likely to result in credential theft and further lateral movement within environments leveraging OIM.
Affected Systems and Products
Oracle released a critical patch advisory stating the following Oracle Identity Manager (OIM) versions are impacted by this vulnerability. Please see the patches section of this document for more details.
Mitigations and Workarounds
Given the active exploitation and the public availability of proof-of-concept exploit details, Beazley Security strongly recommends that organizations patch immediately. Oracle has released patches to remediate this vulnerability; please see the Patches section below for more information.
If patching cannot be immediately applied, other mitigations may temporarily reduce the risk of exposure:
- Restrict network access to OIM to trusted IP ranges only.
- Deploy a web application firewall (WAF) with rules to block suspicious or unexpected requests targeting OIM endpoints.
- Monitor OIM servers for unusual activity, including unexpected process execution and outbound network connections.
Patches
Patches for CVE-2025-61757 are made available through Oracle’s Patch Availability Document (requires an Oracle login), which provides installation instructions for the affected Identity Manager versions and the underlying Oracle Fusion Middleware.
Indicators of Compromise (IOC)
While no specific IoCs have been provided by Oracle or CISA at the time of this writing, the following may indicate remote exploitation attempts against Oracle Identity Manager (OIM):
Look for requests hitting OIM management endpoints with unexpected parameters appended to them, such as ;.wadl or ?WSDL:
- /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl
- /iam/governance/applicationmanagement/templates;.wadl
- /iam/governance/applicationmanagement/api/v1/...;.wadl
- Other repeated ;.wadl requests coming from unexpected sources
- Unexpected invocation of the Groovy compiler in OIM logs
- Unexpected scripts or files on the OIM filesystem
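The following is an added detection example, not part of the original advisory: it scans web server access-log lines for the two request patterns listed above (a ";.wadl" matrix parameter attached to a path segment, and a bare "?WSDL" query on a REST path) and counts hits per source address so repeated probing from one origin stands out. The log lines, IP addresses and the "application.wadl" documentation path are constructed for the example; the log format is the common Apache/NGINX combined format, which is an assumption about how a given OIM front end is logging.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in combined access-log format (not real traffic);
# the IPs are documentation ranges and the paths mirror those in the IoC list.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Nov/2025:10:02:11 +0000] "POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [21/Nov/2025:10:02:15 +0000] "GET /iam/governance/applicationmanagement/templates;.wadl HTTP/1.1" 200 1024 "-" "python-requests/2.31"
192.0.2.9 - - [21/Nov/2025:10:03:01 +0000] "GET /identity/faces/signin HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.9 - - [21/Nov/2025:10:03:08 +0000] "GET /iam/governance/applicationmanagement/api/v1/application.wadl HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [21/Nov/2025:10:04:30 +0000] "GET /iam/governance/selfservice/api/v1/users?WSDL HTTP/1.1" 200 300 "-" "curl/8.4.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_target(target):
    """Return the reasons (possibly none) this request target looks like an OIM probe."""
    reasons = []
    parts = urlsplit(unquote(target))  # decode first so %3B.wadl is seen as ;.wadl
    # Matrix parameters (";name" or ";name=value") attach to individual path
    # segments; a matrix value ending in .wadl is the pattern in the IoC list.
    for segment in parts.path.split("/"):
        _base, sep, matrix = segment.partition(";")
        if sep and any(p.lower().endswith(".wadl") for p in matrix.split(";")):
            reasons.append("wadl-matrix-suffix")
            break
    # A bare ?WSDL query string on a REST path is the other unexpected parameter.
    query_keys = parse_qs(parts.query, keep_blank_values=True)
    if any(k.upper() == "WSDL" for k in query_keys):
        reasons.append("wsdl-query")
    return reasons


def scan_log(text):
    """Parse access-log lines and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        reasons = classify_target(m["target"])
        if reasons:
            findings.append({
                "src": m["src"], "ts": m["ts"], "method": m["method"],
                "target": m["target"], "status": int(m["status"]),
                "reasons": reasons,
            })
    return findings


def sources_by_hits(findings):
    """Count flagged requests per source address; repeat offenders come first."""
    return Counter(f["src"] for f in findings).most_common()


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ts']} {f['src']} {f['method']} {f['target']} -> {', '.join(f['reasons'])}")
    print("per-source:", sources_by_hits(hits))
```

A plain request for a resource that is genuinely named `something.wadl` is deliberately not flagged, since fetching API documentation is normal; the signal the advisory describes is the `;.wadl` suffix bolted onto a non-documentation endpoint. Feed the script your real access log in place of `SAMPLE_LOG` and pivot on the per-source counts.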
Technical Details
The vulnerability in Oracle Identity Manager (OIM) tracked as CVE-2025-61757 exists in the pre-authentication request handling of the application stack. Specifically, the flaw stems from insufficient input validation in components that process HTTP requests before authentication checks occur. This allows an attacker to send an HTTP request to an OIM endpoint that the server processes without verifying the user’s identity.
OIM’s REST interface includes a global “SecurityFilter”, a Java servlet filter that acts as the centralized authentication and authorization mechanism for the product’s REST APIs. The filter determines whether a request must be authenticated based on rules in its configuration. Researchers at Searchlight Cyber discovered that this filter contains an overly permissive whitelist rule: any request whose path ends with .wadl bypasses authentication checks. WADL (Web Application Description Language) is an XML-based format used by developers to document REST API operations. The rule was likely originally intended to allow unauthenticated access to these .wadl API documentation files for easier inter-system operation.
Researchers found that appending “;.wadl” to requests targeting OIM REST endpoints causes the security filter to misclassify them as documentation lookups. As a result, sensitive API endpoints can be accessed without credentials, giving attackers a pre-authentication bypass. In their proof of concept, the researchers identified and targeted a “groovyscriptstatus” endpoint, which OIM uses to validate and compile Groovy scripts.
By submitting a crafted Groovy payload to this endpoint using the .wadl bypass technique:
/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl
they were able to stage code for compilation and execution, resulting in unauthenticated remote code execution on the underlying OIM server.
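To make the root cause concrete, here is an added, simplified model of a documentation exemption in a servlet-style security filter; it is illustrative code written for this advisory, not OIM's SecurityFilter or Searchlight Cyber's code. It contrasts a suffix check on the raw request URI (the class of rule described above) with a hardened check that canonicalizes the path first, stripping matrix parameters and dot segments, and then exempts only an explicit allowlist of documentation resources. The allowlisted "application.wadl" path is a hypothetical placeholder.

```python
from urllib.parse import unquote, urlsplit

# Hypothetical allowlist: the only resources this deployment really serves as WADL.
PUBLIC_WADL_RESOURCES = {
    "/iam/governance/applicationmanagement/api/v1/application.wadl",
}


def is_exempt_naive(request_uri):
    """Overly permissive rule: any request whose raw URI ends in .wadl skips auth.
    Matrix parameters (";.wadl") and query strings ("?x=.wadl") satisfy it."""
    return request_uri.lower().endswith(".wadl")


def normalize_path(request_uri):
    """Canonicalize before matching: percent-decode, drop the query string,
    strip matrix parameters from every segment and collapse '.' and '..'."""
    path = urlsplit(unquote(request_uri)).path
    clean = []
    for segment in path.split("/"):
        segment = segment.partition(";")[0]  # discard ";name=value" matrix params
        if segment in ("", "."):
            continue
        if segment == "..":
            if clean:
                clean.pop()
            continue
        clean.append(segment)
    return "/" + "/".join(clean)


def is_exempt_hardened(request_uri):
    """Exempt only a known documentation resource, matched on the normalized path."""
    return normalize_path(request_uri) in PUBLIC_WADL_RESOURCES


def decide(request_uri, authenticated, exempt_fn):
    """Filter verdict for one request: exempt resources and authenticated callers pass."""
    if exempt_fn(request_uri) or authenticated:
        return "allow"
    return "deny"


if __name__ == "__main__":
    # The REST path quoted in the advisory, with the ;.wadl suffix, sent without credentials.
    probe = "/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl"
    for name, fn in (("naive", is_exempt_naive), ("hardened", is_exempt_hardened)):
        print(f"{name:9s} unauthenticated -> {decide(probe, False, fn)}")
    print("normalized:", normalize_path(probe))
```

The design point is that the authorization decision must be taken on the same canonical path the dispatcher will route on, and that "public" should be an enumerated set of resources rather than a string-suffix rule; a negative allowlist match falls through to the normal authentication requirement, so new endpoints are protected by default.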
How Beazley Security is Responding
Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.
We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.
If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.
Sources
