Introduction
A single unauthenticated HTTP request can result in full compromise of Oracle Identity Manager deployments running some of the most widely used versions in enterprise environments. CVE-2025-61757, disclosed in Oracle's October 2025 Critical Patch Update, allows remote attackers to take over affected systems, putting identity governance and access management at risk for organizations that have not yet applied the fix.
Oracle Identity Manager is a central component of Oracle's enterprise identity and access management suite. It is used by large organizations worldwide to automate user provisioning, enforce access policies, and maintain audit trails. The product is deployed in complex environments and often integrates with critical business systems.
Technical Information
CVE-2025-61757 is a vulnerability in the REST WebServices component of Oracle Identity Manager, part of the Fusion Middleware platform. The flaw is present in versions 12.2.1.4.0 and 14.1.2.1.0. According to Oracle's advisory and the published CVSS vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), the vulnerability:
- Is exploitable remotely over a network (HTTP)
- Requires no authentication or user interaction
- Has low attack complexity
- Results in full compromise of confidentiality, integrity, and availability
Oracle has not published further technical details, root cause analysis, or code snippets for this vulnerability. No public exploit or proof of concept is available as of the advisory date. The vulnerability is considered easily exploitable and can lead to a complete takeover of the Oracle Identity Manager instance.
Affected Systems and Versions
- Oracle Identity Manager 12.2.1.4.0
- Oracle Identity Manager 14.1.2.1.0
Only these specific versions are listed as affected. The vulnerability is present in the REST WebServices component. All configurations of these versions are at risk if the REST API is accessible over the network.
Vendor Security History
Oracle has a history of critical vulnerabilities in its identity management products. Notably, CVE-2017-10151 affected Oracle Identity Manager and allowed unauthenticated remote compromise via a default account. Oracle typically addresses such issues in its quarterly Critical Patch Update cycle and provides detailed patching instructions. The company maintains a large portfolio of enterprise software and is generally responsive to severe vulnerabilities, but the complexity of its products means that security teams must remain vigilant for new advisories.