Cyber Resilience

CVE-2025-61757

CriticalCISA KEVActive ExploitationEUVD Exploited

Published: 21 October 2025

Published
21 October 2025
Modified
24 November 2025
KEV Added
21 November 2025
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.8783 99.5th percentile
Risk Priority 92 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-61757 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Oracle Identity Manager. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.5% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-61757 is a vulnerability in the Identity Manager product of Oracle Fusion Middleware, specifically affecting the REST WebServices component. Supported versions impacted include 12.2.1.4.0 and 14.1.2.1.0. It carries a CVSS 3.1 Base Score of 9.8 with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating high confidentiality, integrity, and availability impacts, and is associated with CWE-306 (Missing Authentication for Critical Function).

The vulnerability is easily exploitable by an unauthenticated attacker with network access via HTTP. Successful exploitation allows the attacker to fully compromise Identity Manager, resulting in takeover of the product.

Oracle's Critical Patch Update for October 2025 provides details on patches and mitigation, as outlined in their security alert at https://www.oracle.com/security-alerts/cpuoct2025.html. Additional analysis appears in the ISC SANS diary at https://isc.sans.edu/diary/rss/32506. The vulnerability is listed in CISA's Known Exploited Vulnerabilities Catalog at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-61757, indicating real-world exploitation.

EU & UK References

Vulnerability details

Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: REST WebServices). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Identity Manager. Successful attacks of…

more

this vulnerability can result in takeover of Identity Manager. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

CWE(s)
KEV Date Added
21 November 2025

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Missing authentication in REST WebServices allows unauthenticated remote exploitation of a public-facing application, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-21992Same product: Oracle Identity Manager
CVE-2025-21515Same vendor: Oracle
CVE-2025-21524Same vendor: Oracle
CVE-2025-61882Same vendor: Oracleboth on KEV
CVE-2025-53072Same vendor: Oracle
CVE-2025-61884Same vendor: Oracleboth on KEV
CVE-2025-53037Same vendor: Oracle
CVE-2026-34279Same vendor: Oracle
CVE-2025-21535Same vendor: Oracle
CVE-2026-34285Same vendor: Oracle

Affected Assets

oracle
identity manager
12.2.1.4.0, 14.1.2.1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates this specific vulnerability by requiring timely identification, reporting, and patching of the flaw in Oracle Identity Manager REST WebServices as detailed in the Critical Patch Update.

prevent

Addresses CWE-306 missing authentication by explicitly identifying, authorizing, and monitoring only approved actions without identification and authentication in the vulnerable REST WebServices.

prevent

Enforces approved access control policies to block unauthenticated network access to the Identity Manager component, reducing exploitation risk.

References