Researchers discovered that appending query strings such as “?WSDL” or path parameters such as “;.wadl” to protected endpoints (for example “/iam/governance/applicationmanagement/templates;.wadl”) caused the “SecurityFilter” defined in OIM’s web.xml to treat the route as “unauthenticated”, meaning that no authentication is required to reach it.
Once past the filter, an attacker can reach the REST endpoint “/software/groovyscriptstatus”, which is meant for syntax-checking Groovy code, not executing it. Nevertheless, because of Groovy’s annotation processing, researchers demonstrated the ability to inject compile-time code that triggers outbound callbacks and code execution.
The flaw, tracked as CVE-2025-61757, received a critical severity rating of 9.8 out of 10 because of its ease of exploitation and the possibility that it was already being abused as a zero-day. “Given the complexity of some earlier Oracle Access Manager vulnerabilities, this one is fairly trivial and easily exploitable by threat actors,” researchers noted.
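The two bypass tricks described above (a “;.wadl” path parameter and a “?WSDL” query string on a protected route) are easy to hunt for in web-tier access logs. The script below is an added example written for this article, not code from the researchers or from Oracle: it normalizes each request target the way a servlet container does (stripping “;param” suffixes from every path segment), flags requests that combined such a suffix with a protected path prefix, and raises the priority when the normalized path ends in the Groovy syntax-check endpoint. The protected prefix, the log lines and the exact endpoint path are constructed assumptions for the example; the authoritative list of protected routes is whatever OIM’s web.xml maps to SecurityFilter.

```python
import re
from urllib.parse import urlsplit

# Assumed for this example: one protected prefix. Real deployments should take
# the list from the SecurityFilter url-patterns in OIM's web.xml.
PROTECTED_PREFIXES = ("/iam/governance/",)
# Suffixes named in the write-up that demoted a route to "unauthenticated".
SUSPICIOUS_PATH_PARAMS = {".wadl"}
SUSPICIOUS_QUERY_KEYS = {"wsdl"}
# The syntax-check endpoint that became reachable once the filter was bypassed.
SENSITIVE_ENDPOINT_SUFFIX = "/groovyscriptstatus"

# Combined-log style: ip ident user [time] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def split_path_params(raw_path):
    """Remove servlet-style ';x' suffixes from every segment.

    '/a;.wadl/b' -> ('/a/b', ['.wadl'])  (the container routes on the clean
    path, but a naive prefix/suffix filter may only see the raw string).
    """
    clean, params = [], []
    for seg in raw_path.split("/"):
        head, sep, tail = seg.partition(";")
        clean.append(head)
        if sep:
            params.append(tail)
    return "/".join(clean), params


def classify(target):
    """Return the reasons a request target looks like a filter-bypass attempt."""
    parts = urlsplit(target)
    path, params = split_path_params(parts.path)
    reasons = []
    if not path.startswith(PROTECTED_PREFIXES):
        return reasons  # only protected routes matter for this check
    if any(p.lower() in SUSPICIOUS_PATH_PARAMS for p in params):
        reasons.append("path-parameter suffix on protected route")
    # Split the query by hand so a bare '?WSDL' (no '=') is still seen as a key.
    query_keys = {chunk.split("=", 1)[0].lower()
                  for chunk in parts.query.split("&") if chunk}
    if query_keys & SUSPICIOUS_QUERY_KEYS:
        reasons.append("WSDL-style query string on protected route")
    if reasons and path.endswith(SENSITIVE_ENDPOINT_SUFFIX):
        reasons.append("target is the Groovy syntax-check endpoint")
    return reasons


def scan(log_lines):
    """Parse access-log lines and return one finding per suspicious request."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        reasons = classify(m["target"])
        if reasons:
            findings.append({
                "ip": m["ip"],
                "target": m["target"],
                "status": int(m["status"]),
                "reasons": reasons,
            })
    return findings


# Constructed sample log: two bypass attempts and two ordinary requests.
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Nov/2025:10:00:01 +0000] '
    '"GET /iam/governance/applicationmanagement/templates;.wadl HTTP/1.1" 200 512',
    '203.0.113.5 - - [21/Nov/2025:10:00:02 +0000] '
    '"POST /iam/governance/groovyscriptstatus?WSDL HTTP/1.1" 200 88',
    '198.51.100.7 - - [21/Nov/2025:10:00:03 +0000] '
    '"GET /iam/governance/applicationmanagement/templates HTTP/1.1" 401 0',
    '198.51.100.7 - - [21/Nov/2025:10:00:04 +0000] '
    '"GET /public/health?WSDL HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ip"], f["status"], f["target"], "->", "; ".join(f["reasons"]))
```

A 200 response on a protected route that carried one of these suffixes is the signal worth paging on; a 401 on the same path shows the filter working as intended. The normalization step matters because alert rules that match only on the raw request string miss equivalent encodings, so compare on the cleaned path and keep the stripped parameters as evidence.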