{"id":18446,"date":"2025-12-05T03:15:17","date_gmt":"2025-12-05T03:15:17","guid":{"rendered":"https:\/\/sekuritasit.com\/?p=18446"},"modified":"2025-12-05T03:15:17","modified_gmt":"2025-12-05T03:15:17","slug":"oracle-identity-manager-pre-auth-rce","status":"publish","type":"post","link":"https:\/\/sekuritasit.com\/index.php\/2025\/12\/05\/oracle-identity-manager-pre-auth-rce\/","title":{"rendered":"Oracle Identity Manager Pre-Auth RCE"},"content":{"rendered":"\n\n\n\n <\/colgroup>\n\n\n\n\n
\n

\n What is the Vulnerability?\n <\/p>\n<\/td>\n

\n

\n CVE-2025-61757 is a critical pre-authentication remote code execution vulnerability in Oracle Identity Manager\u2019s REST WebServices. This vulnerability allows an unauthenticated attacker to exploit URI and matrix parameter parsing weaknesses to bypass authentication and execute arbitrary code over HTTP.<\/p>\n

Successful exploitation results in full compromise of Identity Manager servers- enabling attackers to steal credentials, escalate privilege across connected systems, move laterally within the infrastructure, and persist undetected. As Identity Manager is a core identity and access control system, the downstream impact is severe, including potential domain or cloud takeover.<\/p>\n

This vulnerability has been assigned a CVSS 9.8 (Critical) rating and is considered easily exploitable. The U.S. CISA has added the associated CVE to its Known Exploited Vulnerabilities (KEV) catalog, indicating active or imminent exploitation in the wild.\n <\/p>\n<\/td>\n<\/tr>\n

\n

\n What is the recommended Mitigation?\n <\/p>\n<\/td>\n

\n
    \n
  • \n

    \n Apply Oracle\u2019s October 2025 Critical Patch Update for CVE-2025-61757 immediately
    \n
    \n .
    \n <\/strong>
    \n This patch directly addresses the authentication bypass and pre-auth RCE path for affected Oracle Identity Manager\/Identity Governance REST WebServices:
    \n
    \n 12.2.1.4.0
    \n
    \n 14.1.2.1.0\n <\/p>\n<\/li>\n

  • \n

    \n Restrict network access to OIM\/OIG management endpoints- block direct exposure to the internet and allow access only from trusted administrative networks.\n <\/p>\n<\/li>\n

  • \n

    \n Monitor and control outbound connections from Identity Manager servers:\n <\/p>\n

      \n
    • \n

      \n Watch for unexpected callbacks, external network beacons, or suspicious DNS resolutions.\n <\/p>\n<\/li>\n

    • \n

      \n Implement egress allowlists for management servers to prevent command-and-control style communications.\n <\/p>\n<\/li>\n

    • \n

      \n If a compromise is suspected, rotate service accounts and identity-related credentials.\n <\/p>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n

\n

\n What FortiGuard Coverage is available?\n <\/p>\n<\/td>\n

\n