CRITICAL🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2025-61757

CVSS 9.8v3.1pub. 2025-10-21upd. 2025-11-24

Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: REST WebServices). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Identity Manager. Successful attacks of this vulnerability can result in takeover of Identity Manager. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

🤖 AI Analysis
How it works

The vulnerability, classified as CWE-306 (missing authentication for critical function), allows an attacker to access REST WebServices interfaces without providing any credentials. An attacker with network access to the system via HTTP protocol can send requests to protected REST endpoints without prior authentication. The low attack complexity (AC:L) and lack of privilege requirements (PR:N) and user interaction (UI:N) make the exploit trivial to execute.

Impact

Successful exploitation of the vulnerability leads to complete takeover of the Oracle Identity Manager system, including breach of confidentiality, integrity, and availability of data and services. An attacker can gain unauthorized access to managed identities and user privileges across the entire organization.

Mitigation & patch

Immediately apply patches provided by Oracle as part of the Critical Patch Update from October 2025, available at https://www.oracle.com/security-alerts/cpuoct2025.html. Until the patch is deployed, it is recommended to restrict network access to the Oracle Identity Manager REST WebServices component only to trusted hosts using firewall or ACL rules.

Who is affected

Oracle Identity Manager (Oracle Fusion Middleware component) in versions 12.2.1.4.0 and 14.1.2.1.0

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Oracle Identity Manager

    APP
    Oracle
    12.2.1.4.014.1.2.1.0

CISA KEV — detailsi

Vendori
Oracle
Producti
Fusion Middleware
Added to KEVi
November 21, 2025
Remediation deadline (US Federal)i
December 12, 2025(overdue)
Required action (CISA)i

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA descriptioni

Oracle Fusion Middleware contains a missing authentication for critical function vulnerability, allowing unauthenticated remote attackers to take over Identity Manager.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 12 grudnia 2025
Tags
Auth BypassDoS
CWE
References

Related vulnerabilities

CVE-2026-46807CRITICAL9.8ten sam produkt

Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: OIM Legacy UI). Support...

CVE-2026-35268CRITICAL9.9ten sam produkt

Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: Core). Supported versio...

CVE-2026-21992CRITICAL9.8PL ✓ten sam produkt

Pominięcie uwierzytelnienia w Oracle Identity Manager i Web Services Manager

CVE-2019-2729CRITICAL9.8ten sam produkt

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services)...

CVE-2017-15095CRITICAL9.8ten sam produkt

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could...