
CISA Confirms Active Exploitation of Oracle Identity Manager Vulnerability (CVE-2025-61757)

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that a recently patched vulnerability in Oracle Identity Manager has been exploited in the wild, prompting urgent warnings for organizations that rely on Oracle’s Fusion Middleware platform.

What Is CVE-2025-61757?

The vulnerability, CVE-2025-61757, was addressed in Oracle’s October 2025 Critical Patch Update. It is a high-impact flaw that allows an unauthenticated attacker to achieve remote code execution (RCE) on vulnerable systems.

This means an attacker could:

  • Run arbitrary commands

  • Gain control of the Identity Manager environment

  • Escalate privileges

  • Move laterally across enterprise networks

  • Access sensitive data tied to identity and access management

Oracle did not initially indicate that the flaw was being exploited, but CISA’s confirmation establishes it as an active threat.

Early Zero-Day Exploitation Indicators

Searchlight Cyber researchers discovered and privately reported the vulnerability to Oracle. According to their disclosure, the bug may have been exploited as a zero-day for several weeks before a patch was available.

After technical details and a proof-of-concept (PoC) were published, the SANS Technology Institute reviewed its honeypot logs and found attack attempts between August 30 and September 9, originating from multiple IP addresses known for scanning other products as well.

Initially, these attempts appeared malicious. However, Searchlight later clarified that the IP activity observed by SANS was associated with their own research and notification efforts, not hostile actors.

Why CISA Added the Vulnerability to the KEV Catalog

Despite the benign nature of the activity SANS identified, CISA added CVE-2025-61757 to its Known Exploited Vulnerabilities (KEV) list on Saturday. This designation is reserved only for vulnerabilities with verified evidence of exploitation, suggesting CISA received information from other trusted sources.

Federal agencies are now required to patch the flaw no later than December 12, 2025, underscoring the severity of the issue.

Oracle has not commented directly on the exploitation claims, instead referring users to its October security bulletin—which does not acknowledge active exploitation.

Key Takeaways for Organizations

1. Patch Immediately

Any system running Oracle Identity Manager must be updated to the October 2025 patched version or later.

2. Monitor for Indicators of Compromise

Given the potential for lateral movement and privilege escalation, organizations should:

  • Review authentication logs

  • Check for unusual administrative activities

  • Audit identity lifecycle workflows for anomalies

3. Treat This as a Confirmed Exploit Scenario

CISA’s KEV listing indicates real-world exploitation beyond research activity.

4. Review Network Exposure

Ensure Oracle Identity Manager instances are not unnecessarily exposed to the internet.

Final Thoughts

CVE-2025-61757 highlights the risk posed by identity management platforms—high-value targets that sit at the center of authentication, authorization, and access workflows.

With confirmed exploitation, publicly available PoC code, and Oracle’s limited disclosure, defenders should assume that attackers are actively probing for this vulnerability and take immediate action to harden their environments.