    CISA Issues Warning as Hackers Target Oracle Identity Manager RCE Flaw

    By Declan Murphy, November 23, 2025


    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a new Oracle vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, warning that attackers are already exploiting it in real-world attacks.

    The bug, tracked as CVE-2025-61757, affects Oracle Identity Manager, a component of Oracle Fusion Middleware.

    The flaw is rated as a "missing authentication for critical function" issue, meaning a remote attacker can access powerful functions in the product without first logging in.

    In practice, this opens the door to full remote code execution and complete takeover of the identity platform.

    Field               | Value
    CVE ID              | CVE-2025-61757
    Vulnerability Type  | Missing Authentication for Critical Function
    Affected Product    | Oracle Fusion Middleware / Oracle Identity Manager
    Affected Versions   | 12c 12.2.1.4.0 and certain others

    Pre-auth RCE in widely used identity software

    Many enterprises and government agencies use Oracle Identity Manager (also known as Oracle Identity Governance) to manage user accounts, credentials, and access rights.

    Because it sits at the center of identity and access management, a compromise of this system can quickly lead to domain-wide or cloud-wide compromise.

    Security researchers from Searchlight Cyber's Assetnote team discovered that certain Oracle Identity Manager REST APIs could be accessed without proper authentication checks.

    By abusing how the product handles URL patterns and filters, an attacker can trick the system into treating protected endpoints as if they were public.

    Once past authentication, the attacker can reach functionality that processes Groovy scripts. Although the feature is intended only for syntax checking, the researchers showed that it can be abused to run code during compilation.

    This turns a simple logic flaw into a powerful pre-authentication remote code execution (RCE) vulnerability.

    The research follows an earlier major breach of Oracle Cloud's login service in January, in which attackers reportedly exploited an older Oracle Access Manager flaw (CVE-2021-35587) to achieve RCE and steal hundreds of thousands of records.

    The new bug, CVE-2025-61757, affects related identity components and could have been used similarly against Oracle's own infrastructure if left unpatched.

    CISA notes that the vulnerability is particularly concerning because it can be exploited over the network by an unauthenticated attacker.

    Given that many Oracle Identity Manager instances are exposed to the internet for user access, the attack surface is significant. CVE-2025-61757 was added to CISA's KEV catalog on November 21, 2025.

    Federal civilian agencies are ordered to apply Oracle's fixes, follow Binding Operational Directive (BOD) 22-01 guidance for cloud services, or discontinue use of the product by December 12, 2025.

    Organizations running Oracle Fusion Middleware and Oracle Identity Manager should urgently deploy the latest Oracle Critical Patch Update, review external exposure of identity services, and monitor for suspicious access to administrative APIs and scripting features.
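
One way to carry out the monitoring recommended above, as an added example that is not from the article, Oracle or CISA: it scans web access log lines for successful responses on protected paths where no authenticated user was recorded. The path prefixes, the log format (Combined Log Format with the authenticated user in the third field) and the sample lines are assumptions constructed for illustration.

```python
import re
from ipaddress import ip_address, ip_network

# Hypothetical prefixes standing in for the deployment's administrative REST
# and script-handling endpoints; replace with the paths actually in use.
PROTECTED_PREFIXES = ("/idm-example/api/", "/idm-example/script/")
# Internal ranges (RFC 1918); anything else is treated as external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Combined Log Format: host ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})\b'
)

def is_external(host):
    try:
        addr = ip_address(host)
    except ValueError:  # hostname instead of an address: cannot classify
        return True
    return not any(addr in net for net in INTERNAL_NETS)

def find_unauthenticated_hits(lines):
    """Flag 2xx responses on protected prefixes where no user was logged."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        path = m["target"].split("?", 1)[0]  # ignore the query string
        if not path.startswith(PROTECTED_PREFIXES):
            continue
        if m["user"] != "-" or not m["status"].startswith("2"):
            continue  # authenticated, or the request was rejected
        findings.append({"time": m["time"], "src": m["host"],
                         "external": is_external(m["host"]),
                         "method": m["method"], "target": m["target"]})
    return findings

# Constructed sample lines (not taken from any real system).
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Nov/2025:10:02:11 +0000] "POST /idm-example/script/check HTTP/1.1" 200 512',
    '10.0.4.20 - admin1 [21/Nov/2025:10:03:00 +0000] "GET /idm-example/api/users HTTP/1.1" 200 2048',
    '198.51.100.9 - - [21/Nov/2025:10:04:45 +0000] "GET /idm-example/api/users HTTP/1.1" 401 128',
    '10.0.4.21 - - [21/Nov/2025:10:05:10 +0000] "GET /idm-example/login HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for finding in find_unauthenticated_hits(SAMPLE_LOG):
        print(finding)
```

A hit from an external source is the higher-priority signal; whether the user field is populated depends on how the front-end server or proxy logs authenticated sessions, so confirm that on a known-good login first.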
