CVE-2025-61757

CRITICAL KEV NUCLEI

Oracle Identity Manager 12.2.1.4.0 and 14.1.2.1.0 - Unauthenticated Remote Code Execution via REST WebServices

Title source: llm

Exploitation Summary

CVE-2025-61757 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 21, 2025. EIP tracks 2 public exploits from researchers including Jinxia62, ngominhquocngu. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains a Python-based scanner for detecting CVE-2025-61757, an authentication bypass and remote command execution vulnerability in Oracle Identity Manager. The tool checks for Oracle Identity Manager instances and tests for both authentication bypass and RCE capabilities.

Description

Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: REST WebServices). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Identity Manager. Successful attacks of this vulnerability can result in takeover of Identity Manager. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Exploits (2)

nomisec SCANNER 4 stars

by Jinxia62 · poc

https://github.com/Jinxia62/Oracle-Identity-Manager-CVE-2025-61757

View Code ZIP pw:eip

This repository contains a Python-based scanner for detecting CVE-2025-61757, an authentication bypass and remote command execution vulnerability in Oracle Identity Manager. The tool checks for Oracle Identity Manager instances and tests for both authentication bypass and RCE capabilities.

Classification

Scanner 90%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Oracle Identity Manager

No auth needed

Prerequisites: Network access to the target Oracle Identity Manager instance

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC

by ngominhquocngu · poc

https://github.com/ngominhquocngu/Blackash-CVE-2025-61757

View Code ZIP pw:eip

This repository contains a Python-based PoC for CVE-2025-61757, a pre-authentication RCE vulnerability in Oracle Identity Manager's REST API. The script tests for command injection via semicolon-based payloads in user creation endpoints and attempts privilege escalation by assigning admin roles.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Oracle Identity Manager (12.2.1.4.0, 14.1.2.1.0)

No auth needed

Prerequisites: Network access to the target OIM REST API · Unpatched Oracle Identity Manager instance

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Oracle Identity Manager REST WebServices - Authentication Bypass

CRITICALVERIFIEDby ritikchaddha

Shodan: title:"oracle access management"

FOFA: title="oracle access management"

References (3)

Core 3

Core References

Vendor Advisory vendor-advisory

https://www.oracle.com/security-alerts/cpuoct2025.html

Third Party Advisory

https://isc.sans.edu/diary/rss/32506

US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-61757

Scores

CVSS v3 9.8

EPSS 0.8783

EPSS Percentile 99.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable yes

Technical Impact total

Details

CISA KEV 2025-11-21

VulnCheck KEV 2025-11-20

ENISA EUVD EUVD-2025-35253

CWE

CWE-306

Status published

Products (2)

oracle/identity_manager 12.2.1.4.0

oracle/identity_manager 14.1.2.1.0

Published Oct 21, 2025

KEV Added Nov 21, 2025

Tracked Since Feb 18, 2026