Monday, November 24, 2025

CISA Issues Warning as Hackers Target Oracle Identity Manager RCE Flaw


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a new Oracle vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, warning that attackers are already exploiting it in real-world attacks.

The bug, tracked as CVE-2025-61757, affects Oracle Identity Manager, a component of Oracle Fusion Middleware.

The flaw is classified as a “missing authentication for critical function” issue, meaning a remote attacker can reach powerful functions in the product without first logging in.

In practice, this opens the door to full remote code execution and complete takeover of the identity platform.

Field                 Value
CVE ID                CVE-2025-61757
Vulnerability Type    Missing Authentication for Critical Function
Affected Product      Oracle Fusion Middleware / Oracle Identity Manager
Affected Versions     12c 12.2.1.4.0 and certain others

Pre-auth RCE in widely used identity software

Many enterprises and government agencies use Oracle Identity Manager (also known as Oracle Identity Governance) to manage user accounts, credentials, and access rights.

Because it sits at the center of identity and access management, a compromise of this system can quickly lead to domain-wide or cloud-wide compromise.

Security researchers from Searchlight Cyber’s Assetnote team discovered that certain Oracle Identity Manager REST APIs could be accessed without proper authentication checks.

By abusing how the product handles URL patterns and filters, an attacker can trick the system into treating protected endpoints as if they were public.

Once past authentication, the attacker can reach functionality that processes Groovy scripts. Although the feature is intended only for syntax checking, the researchers showed that it can be abused to run code during compilation.

This turns a simple logic flaw into a powerful pre-authentication remote code execution (RCE) vulnerability.

The research follows an earlier major breach of Oracle Cloud’s login service in January, in which attackers reportedly exploited an older Oracle Access Manager flaw (CVE-2021-35587) to gain RCE and steal millions of records.

The new bug, CVE-2025-61757, affects related identity components and could have been used in the same way against Oracle’s own infrastructure if left unpatched.

CISA notes that the vulnerability is particularly concerning because it can be exploited over the network by an unauthenticated attacker.

Given that many Oracle Identity Manager instances are exposed to the internet for user access, the attack surface is significant. CVE-2025-61757 was added to CISA’s KEV catalog on November 21, 2025.

Federal civilian agencies are ordered to apply Oracle’s fixes, follow Binding Operational Directive (BOD) 22-01 guidance for cloud services, or discontinue use of the product by December 12, 2025.

Organizations running Oracle Fusion Middleware and Oracle Identity Manager should urgently deploy the latest Oracle Critical Patch Update, review external exposure of identity services, and monitor for suspicious access to administrative APIs and scripting features.
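One way to act on that last recommendation is to review web-server access logs in front of the identity platform for the two behaviours the article describes: requests whose URL only reaches a protected REST API after normalization (a sign of URL-pattern or filter confusion) and successful anonymous hits on protected or scripting-related endpoints. The script below is an added example, not code from the article, Oracle or Assetnote; the path prefix, the scripting keywords and the log lines are constructed placeholders, and the log is assumed to be in combined log format with the remote-user field populated for authenticated sessions.

```python
"""Flag suspicious access to identity-manager REST APIs in web access logs."""
import posixpath
import re
from urllib.parse import unquote

# Hypothetical: substitute your deployment's protected API and scripting paths.
PROTECTED_PREFIXES = ("/iam/governance/",)
SCRIPT_HINTS = ("groovy", "compile")

# Combined-log-format fields we need: client, remote user, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def canonical_path(target: str) -> str:
    """Path the container would route on: drop query string and per-segment
    path parameters, percent-decode twice (double encoding), collapse dot segments."""
    path = target.split("?", 1)[0]
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    return posixpath.normpath(unquote(unquote(path))).lower()

def analyze(line: str) -> list:
    """Return the findings for one access-log line (empty list if benign)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    raw, user, status = m["target"], m["user"], int(m["status"])
    canon = canonical_path(raw)
    if not canon.startswith(PROTECTED_PREFIXES):
        return []
    findings = []
    if canon != raw.split("?", 1)[0].lower():
        findings.append("path-normalization mismatch on protected API")
    if user == "-" and 200 <= status < 300:
        findings.append("unauthenticated success on protected API")
    if any(h in canon for h in SCRIPT_HINTS):
        findings.append("access to scripting endpoint")
    return findings

def scan(log_text: str) -> dict:
    return {n: f for n, l in enumerate(log_text.splitlines(), 1) if (f := analyze(l))}

# Constructed sample: an authenticated call, a rejected anonymous probe, then an
# anonymous request whose encoded path resolves to a scripting endpoint.
SAMPLE_LOG = """\
10.0.0.5 - alice [21/Nov/2025:10:00:01 +0000] "GET /iam/governance/selfservice/api/v1/users HTTP/1.1" 200 4120
198.51.100.7 - - [21/Nov/2025:10:00:02 +0000] "GET /iam/governance/selfservice/api/v1/users HTTP/1.1" 401 0
198.51.100.7 - - [21/Nov/2025:10:00:03 +0000] "POST /iam/governance/%2e/api/v1/groovy/compile HTTP/1.1" 200 87
"""
```

Only the third sample line is reported, with all three findings; a request that is rejected with 401, or that is made by an authenticated user on the canonical path, produces no alert.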
