Critical Flaw in Oracle Fusion Middleware Exploited in Breach
December 5, 2025
A recently exploited remote code execution vulnerability in Oracle Identity Manager, CVE-2025-61757, has become a major concern for organizations running Oracle Fusion Middleware.
The flaw, rated 9.8 in severity and patched in October, is now confirmed as actively exploited. That confirmation prompted CISA to impose firm remediation deadlines on federal agencies, writes Rob Wright in DarkReading.
A breach affecting Oracle Cloud earlier this year, tied to CVE-2021-35587, led AssetNote researchers to reevaluate the security of related Oracle components. Their review focused on the software behind the cloud login service, which had been compromised through an outdated version of Oracle Access Manager.
That finding guided their examination of Oracle Identity Manager, where they discovered new pre-authentication attack vectors in exposed REST management APIs.
Searchlight Cyber’s analysis describes how researchers bypassed authentication controls in Oracle Identity Manager by manipulating request paths and GET parameters, including inserting semicolon-delimited matrix parameters into URLs.
They report that the Java security filters guarding the REST APIs mishandled URI parsing, matrix parameters in particular, so that requests carrying them slipped past the authentication check and reached protected endpoints; that pre-authentication access is what made remote code execution without credentials possible. After publication, CISA added the flaw to its Known Exploited Vulnerabilities catalog and directed federal agencies to patch it by mid-December.
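The following is an added illustration of the weakness class described above, not Oracle's code and not the actual Oracle Identity Manager request: an authentication filter that prefix-matches the raw request URI, while the dispatcher behind it routes on a normalised path with matrix parameters stripped. The protected route prefix, the probe URIs and the servlet-style path-parameter handling are all assumptions constructed for the demo; the hardened variant shows the fix pattern of deciding on the same canonical path the dispatcher uses.

```python
# Added illustration of a URI-normalisation mismatch between an authentication
# filter and a request dispatcher. Not Oracle's code; the route prefix and the
# request URIs are constructed, and matrix-parameter stripping follows generic
# servlet path-parameter rules (';name=value' may appear in any path segment).
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed: path prefixes that require an authenticated session.
PROTECTED_PREFIXES = ("/iam/governance/",)


def canonical_path(raw_uri: str) -> str:
    """Resolve the route the way a servlet-style dispatcher would: take the path
    component, strip ';name=value' matrix parameters from every segment,
    percent-decode once, then collapse '.' and '..' segments."""
    path = urlsplit(raw_uri).path
    path = "/".join(segment.split(";", 1)[0] for segment in path.split("/"))
    path = unquote(path)
    path = posixpath.normpath(path)
    return path if path.startswith("/") else "/" + path


def vulnerable_requires_auth(raw_uri: str) -> bool:
    """Weak filter: prefix-matches the raw path. '/iam;v=1/governance/x' does not
    look protected here, yet the dispatcher will route it to /iam/governance/x."""
    return urlsplit(raw_uri).path.startswith(PROTECTED_PREFIXES)


def hardened_requires_auth(raw_uri: str) -> bool:
    """Fixed filter: decide on exactly the canonical path the dispatcher routes on."""
    return canonical_path(raw_uri).startswith(PROTECTED_PREFIXES)


def handle_request(raw_uri: str, requires_auth, authenticated: bool) -> str:
    """Return 'denied' when the filter blocks an unauthenticated request,
    otherwise the handler path the dispatcher selects."""
    if requires_auth(raw_uri) and not authenticated:
        return "denied"
    return canonical_path(raw_uri)


if __name__ == "__main__":
    # Constructed probes; each is sent unauthenticated through both filters.
    probes = [
        "/iam/governance/adminservice",            # plain protected path
        "/iam;v=1/governance/adminservice",        # matrix parameter before the prefix ends
        "/iam/governance/adminservice;x=1",        # matrix parameter on the last segment
        "/public/../iam/governance/adminservice",  # dot-segment traversal into the prefix
    ]
    for uri in probes:
        weak = handle_request(uri, vulnerable_requires_auth, False)
        fixed = handle_request(uri, hardened_requires_auth, False)
        print(f"{uri:42} vulnerable={weak:30} hardened={fixed}")
```

The second and fourth probes are the instructive ones: the weak filter lets them through because the raw path no longer begins with the protected prefix, but after normalisation the dispatcher hands both to the protected handler. The general lesson is that any authorization decision must be taken on the same canonical form of the path that routing uses, and that a prefix-based deny list fails open, so an allow list with deny-by-default is the safer shape.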
Attorneys for companies that rely on Oracle middleware may want to advise a review of patch-management practices to confirm that critical fixes are deployed promptly, particularly where federal mandates apply. They may also assess whether vendor agreements address patch-delivery obligations, evaluate incident-response readiness for systems that depend on Java-based authentication controls, and determine whether recent Oracle-related security events call for updated organizational risk assessments.
Closer monitoring of future advisories involving Oracle middleware products may also be advisable, given the recurring issues documented in recent disclosures, which affect multiple components and related services.