CVE-2025-61757

CRITICAL KEV NUCLEI

Oracle Identity Manager - Missing Authentication

Title source: rule

Description

Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: REST WebServices). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Identity Manager. Successful attacks of this vulnerability can result in takeover of Identity Manager. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Exploits (3)

nomisec SCANNER 4 stars
by Jinxia62 · poc
https://github.com/Jinxia62/Oracle-Identity-Manager-CVE-2025-61757

nomisec WORKING POC
by ngominhquocngu · poc
https://github.com/ngominhquocngu/Blackash-CVE-2025-61757

Nuclei Templates (1)

Oracle Identity Manager REST WebServices - Authentication Bypass
CRITICAL VERIFIED by ritikchaddha
Shodan: title:"oracle access management"
FOFA: title="oracle access management"

Scores

CVSS v3 9.8
EPSS 0.8421
EPSS Percentile 99.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitation Intel

CISA KEV 2025-11-21
VulnCheck KEV 2025-11-20
ENISA EUVD EUVD-2025-35253

Classification

CWE
CWE-306
Status published

Affected Products (2)

oracle/identity_manager
oracle/identity_manager

Timeline

Published Oct 21, 2025
KEV Added Nov 21, 2025
Tracked Since Feb 18, 2026