Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: REST WebServices). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Identity Manager. Successful attacks of this vulnerability can result in takeover of Identity Manager. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
The vulnerability, classified as CWE-306 (missing authentication for critical function), allows an attacker to access REST WebServices interfaces without providing any credentials. An attacker with network access to the system via HTTP protocol can send requests to protected REST endpoints without prior authentication. The low attack complexity (AC:L) and lack of privilege requirements (PR:N) and user interaction (UI:N) make the exploit trivial to execute.
Successful exploitation of the vulnerability leads to complete takeover of the Oracle Identity Manager system, including breach of confidentiality, integrity, and availability of data and services. An attacker can gain unauthorized access to managed identities and user privileges across the entire organization.
Immediately apply patches provided by Oracle as part of the Critical Patch Update from October 2025, available at https://www.oracle.com/security-alerts/cpuoct2025.html. Until the patch is deployed, it is recommended to restrict network access to the Oracle Identity Manager REST WebServices component only to trusted hosts using firewall or ACL rules.
Oracle Identity Manager (Oracle Fusion Middleware component) in versions 12.2.1.4.0 and 14.1.2.1.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HOracle Identity Manager
APPOracle12.2.1.4.014.1.2.1.0
CISA KEV — detailsi
- Vendori
- Oracle ↗
- Producti
- Fusion Middleware
- Added to KEVi
- November 21, 2025
- Remediation deadline (US Federal)i
- December 12, 2025(overdue)
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Oracle Fusion Middleware contains a missing authentication for critical function vulnerability, allowing unauthenticated remote attackers to take over Identity Manager.
Related vulnerabilities
Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: OIM Legacy UI). Support...
Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: Core). Supported versio...
Pominięcie uwierzytelnienia w Oracle Identity Manager i Web Services Manager
Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services)...
A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could...