CISA warns Oracle Identity Manager RCE flaw is being actively exploited


The U.S. Cybersecurity & Infrastructure Security Agency (CISA) is warning government agencies to patch an Oracle Identity Manager flaw tracked as CVE-2025-61757 that has been exploited in attacks, possibly as a zero-day.

CVE-2025-61757 is a pre-authentication RCE vulnerability in Oracle Identity Manager, discovered and disclosed by Searchlight Cyber analysts Adam Kues and Shubham Shah.

The flaw stems from an authentication bypass in Oracle Identity Manager's REST APIs, where a security filter can be tricked into treating protected endpoints as publicly accessible by appending parameters like ?WSDL or ;.wadl to URL paths.


Once unauthenticated access is gained, attackers can reach a Groovy script compilation endpoint that does not normally execute a script. However, it can be abused to run malicious code at compile time via Groovy's annotation-processing features.

This chain of flaws enabled the researchers to achieve pre-authentication remote code execution on affected Oracle Identity Manager instances.

The flaw was fixed as part of Oracle's October 2025 security updates, released on October 21.

Yesterday, Searchlight Cyber released a technical report detailing the flaw and providing all the information required to exploit it.

“Given the complexity of some previous Oracle Access Manager vulnerabilities, this one is somewhat trivial and easily exploitable by threat actors,” warned the researchers.

CVE-2025-61757 exploited in attacks

Today, CISA added the Oracle CVE-2025-61757 vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and gave Federal Civilian Executive Branch (FCEB) agencies until December 12 to patch the flaw, as mandated by Binding Operational Directive (BOD) 22-01.

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” warned CISA.

While CISA has not shared details of how the flaw was exploited, Johannes Ullrich, Dean of Research for the SANS Technology Institute, warned yesterday that the flaw may have been exploited as a zero-day as early as August 30.

“This URL was accessed multiple times between August 30th and September 9th this year, well before Oracle patched the issue,” explained Ullrich in an ISC Handler Diary.

“There are several different IP addresses scanning for it, but all of them use the same user agent, suggesting that we may be dealing with a single attacker.”

According to Ullrich, the threat actors issued HTTP POST requests to the following endpoints, which match the exploit shared by Searchlight Cyber.


/iam/governance/applicationmanagement/templates;.wadl
/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl

The researcher says the attempts came from three different IP addresses, 89.238.132[.]76, 185.245.82[.]81, and 138.199.29[.]153, but all used the same browser user agent, which corresponds to Google Chrome 60 on Windows 10.
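For defenders reviewing web server logs, the filter-bypass pattern described above (a `;.wadl` path parameter or `?WSDL` query appended to a protected Identity Manager REST path) is straightforward to hunt for. The following is an added example, not code from the article, Searchlight Cyber or the ISC diary; the log lines are constructed, reusing the two endpoints and the source IPs named in the article, while the timestamps, sizes and user-agent strings are made up.

```python
import re
from dataclasses import dataclass

# Constructed sample access-log lines (combined log format). The ;.wadl paths are the
# endpoints reported by Ullrich; timestamps, sizes and user agents are made up.
SAMPLE_LOG = """\
89.238.132.76 - - [30/Aug/2025:11:02:13 +0000] "POST /iam/governance/applicationmanagement/templates;.wadl HTTP/1.1" 200 512 "-" "ConstructedUA/1.0"
185.245.82.81 - - [02/Sep/2025:03:44:09 +0000] "POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl HTTP/1.1" 200 1024 "-" "ConstructedUA/1.0"
10.0.0.5 - - [02/Sep/2025:09:15:00 +0000] "GET /iam/governance/applicationmanagement/api/v1/applications HTTP/1.1" 401 0 "-" "Mozilla/5.0"
10.0.0.7 - - [02/Sep/2025:09:16:00 +0000] "GET /iam/governance/applicationmanagement/templates?WSDL HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [02/Sep/2025:09:17:00 +0000] "GET /static/app.js HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
OIM_PREFIX = "/iam/governance/"  # the Identity Manager REST tree named in the article


@dataclass
class Finding:
    ip: str
    method: str
    target: str
    status: int


def has_bypass_suffix(target: str) -> bool:
    # The article's bypass: a ;.wadl path parameter or a WSDL query parameter makes
    # the security filter treat a protected endpoint as a public service descriptor.
    path, _, query = target.partition("?")
    if ";.wadl" in path.lower():
        return True
    names = (p.partition("=")[0] for p in query.split("&") if p)
    return any(name.upper() == "WSDL" for name in names)


def find_bypass_attempts(log_text: str) -> list:
    # Requests under the OIM REST tree that carry the bypass suffix. A 200 on such a
    # request is the strongest signal: the filter let an unauthenticated call through.
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        target = m.group("target")
        if target.startswith(OIM_PREFIX) and has_bypass_suffix(target):
            findings.append(Finding(m.group("ip"), m.group("method"), target, int(m.group("status"))))
    return findings


if __name__ == "__main__":
    for f in find_bypass_attempts(SAMPLE_LOG):
        print(f"{f.ip} {f.method} {f.target} -> {f.status}")
```

A 401 or 403 on the same paths after the October 21 patch is the expected behaviour; a 200 on a `;.wadl` or `?WSDL` request to this tree on an unpatched host warrants incident-response follow-up.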

BleepingComputer contacted Oracle to ask whether they have detected the flaw being exploited in attacks and will update the story if we receive a response.
