CISA Warns of Actively Exploited Critical Oracle Identity Manager Zero-Day Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a critical security flaw affecting Oracle Identity Manager to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The vulnerability in question is CVE-2025-61757 (CVSS score: 9.8), a case of missing authentication for a critical function that can lead to pre-authenticated remote code execution. The vulnerability affects versions 12.2.1.4.0 and 14.1.2.1.0. It was addressed by Oracle as part of its quarterly updates released last month.


“Oracle Fusion Middleware contains a missing authentication for a critical function vulnerability, allowing unauthenticated remote attackers to take over Identity Manager,” CISA said.

Searchlight Cyber researchers Adam Kues and Shubham Shah, who discovered the flaw, said it could enable an attacker to access API endpoints that, in turn, can allow them “to manipulate authentication flows, escalate privileges, and move laterally across an organization’s core systems.”

Specifically, it stems from a bypass of a security filter that tricks protected endpoints into being treated as publicly accessible by simply appending “?WSDL” or “;.wadl” to any URI. This, in turn, is the result of a faulty allow-list mechanism based on regular expressions or string matching against the request URI.


“This approach is very error-prone, and there are usually ways to trick these filters into thinking we’re accessing an unauthenticated route when we’re not,” the researchers noted.

The authentication bypass can then be chained with a request to the “/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus” endpoint to achieve remote code execution by sending a specially crafted HTTP POST. Although the endpoint is only meant for checking the syntax of Groovy code and not executing it, Searchlight Cyber said it was able to “write a Groovy annotation that executes at compile time, even though the compiled code isn’t actually run.”

The addition of CVE-2025-61757 to the KEV catalog comes days after Johannes B. Ullrich, dean of research at the SANS Technology Institute, said an analysis of honeypot logs revealed several attempts to access the URL “/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl” via HTTP POST requests between August 30 and September 9, 2025.

“There are several different IP addresses scanning for it, but all of them use the same user agent, suggesting that we may be dealing with a single attacker,” Ullrich said. “Unfortunately, we did not capture the bodies for these requests, but they were all POST requests. The content-length header indicated a 556-byte payload.”


This suggests that the vulnerability may have been exploited as a zero-day, well before a patch was shipped by Oracle. The IP addresses from which the attempts originated are listed below:

  • 89.238.132[.]76
  • 185.245.82[.]81
  • 138.199.29[.]153
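To make the filter weakness concrete, and to give defenders a way to flag the request pattern Ullrich observed, here is an added illustrative example (not Oracle's code and not from the researchers): a hypothetical allow-list check that matches description-request suffixes against the raw URI, beside a hardened version that normalizes the path before consulting an explicit allow-list, plus a small access-log check. The public path and the log line are constructed for the example.

```python
import posixpath
import re
from urllib.parse import urlsplit

# Hypothetical filter logic (not Oracle's code): a raw request URI that looks
# like a WSDL/WADL description request is served without authentication.
DESCRIPTION_SUFFIX = re.compile(r"(\?WSDL|;\.wadl)$", re.IGNORECASE)


def requires_auth_naive(request_uri: str) -> bool:
    """Flawed check: matches the unnormalized URI, so appending the suffix
    to a protected path makes it look like a public description request."""
    return not DESCRIPTION_SUFFIX.search(request_uri)


def normalize_path(request_uri: str) -> str:
    """Canonical path: drop query and fragment, strip per-segment matrix
    parameters (';...'), collapse '.', '..' and repeated slashes."""
    path = urlsplit(request_uri).path
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    return posixpath.normpath("/" + "/".join(segments).lstrip("/"))


def requires_auth_hardened(request_uri: str, public_paths: frozenset) -> bool:
    """Hardened check: decide on the normalized path against an explicit
    allow-list of public paths; everything else requires authentication."""
    return normalize_path(request_uri) not in public_paths


# Constructed values for the example; the public path is not from the advisory.
PUBLIC_PATHS = frozenset({"/iam/public/healthcheck"})
PROTECTED = ("/iam/governance/applicationmanagement/api/v1/"
             "applications/groovyscriptstatus")

# Access-log check: a POST carrying a description-request suffix on a path
# that is not public is the pattern seen in the honeypot logs.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')


def suspicious_log_line(line: str) -> bool:
    """True for a POST to a non-public path that carries ?WSDL or ;.wadl."""
    m = REQUEST_LINE.search(line)
    if not m:
        return False
    uri = m.group("uri")
    return (m.group("method") == "POST"
            and DESCRIPTION_SUFFIX.search(uri) is not None
            and requires_auth_hardened(uri, PUBLIC_PATHS))
```

The naive check lets the suffixed protected path through, while the hardened check still demands authentication for it and only exempts the explicitly listed public path.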

In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary patches by December 12, 2025, to secure their networks.
