Critical 9.8 CVSS vulnerability in Oracle Identity Manager allows unauthenticated remote takeover. Act now to patch affected versions 12.2.1.4.0 and 14.1.2.1.0.

| Product | Version Start | Version End (excl.) | Status |
|---|---|---|---|
| identity_manager | 12.2.1.4.0 | 12.2.1.4.0 | vulnerable |
| identity_manager | 14.1.2.1.0 | 14.1.2.1.0 | vulnerable |

Download and apply the security updates provided in the Oracle Critical Patch Update (CPU) for October 2025 or later to address the vulnerability in the REST WebServices component.
Verify whether you are running Oracle Identity Manager version 12.2.1.4.0 or 14.1.2.1.0 and, if so, upgrade to the latest patched minor version or apply the specific security overlay recommended by Oracle.
Use firewalls or access control lists (ACLs) to restrict network access to the Identity Manager REST endpoints, ensuring they are not exposed to the public internet and are only accessible from trusted management segments.
Audit HTTP logs for unauthorized access to REST API paths and monitor for anomalous administrative activities, such as the creation of new privileged accounts or unexpected changes to identity policies.
Monitor web server and application logs for suspicious HTTP POST or GET requests targeting Identity Manager REST endpoints, specifically looking for requests that lack valid authentication tokens. Implement NIDS signatures to detect exploitation attempts related to CWE-306. Additionally, track any unusual outbound network connections from the Fusion Middleware host and monitor for unauthorized changes to the underlying identity store or LDAP directory, which could indicate a successful system takeover.
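The two checks above (REST endpoints reachable only from a trusted management segment, and REST requests that succeed without a credential) can be run over proxy logs. The following is an added example, not code from the advisory or from Oracle; the JSON log format, the `/iam/governance/` path prefix and the `10.0.5.0/24` management network are assumptions, and the log lines are constructed.

```python
import ipaddress
import json

# Constructed sample log lines (one JSON object per line) as a reverse proxy in
# front of Oracle Identity Manager might emit them. Field names, the REST path
# prefix and the network ranges are assumptions for this example.
SAMPLE_LOG = """\
{"ts":"2025-10-22T10:01:02Z","src":"10.0.5.12","method":"GET","path":"/iam/governance/selfservice/api/v1/users","status":200,"authz":true}
{"ts":"2025-10-22T10:01:09Z","src":"198.51.100.7","method":"POST","path":"/iam/governance/selfservice/api/v1/users","status":200,"authz":false}
{"ts":"2025-10-22T10:01:15Z","src":"198.51.100.7","method":"GET","path":"/iam/governance/selfservice/api/v1/roles","status":401,"authz":false}
{"ts":"2025-10-22T10:02:30Z","src":"10.0.5.40","method":"GET","path":"/identity/faces/signin","status":200,"authz":false}
"""

REST_PREFIXES = ("/iam/governance/",)                    # assumed OIM REST path prefix
TRUSTED_NETS = [ipaddress.ip_network("10.0.5.0/24")]     # assumed management segment


def parse_log(text):
    """Parse JSON-lines proxy log text into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def flag_events(events):
    """Return findings for REST hits that succeeded without a credential
    (the CWE-306 pattern) or that came from outside the trusted segment."""
    findings = []
    for e in events:
        if not e["path"].startswith(REST_PREFIXES):
            continue  # only REST endpoints are in scope for these checks
        reasons = []
        if 200 <= e["status"] < 300 and not e["authz"]:
            reasons.append("2xx on REST endpoint without credential (CWE-306 pattern)")
        src = ipaddress.ip_address(e["src"])
        if not any(src in net for net in TRUSTED_NETS):
            reasons.append("REST endpoint reached from outside management segment")
        if reasons:
            findings.append({"src": e["src"], "method": e["method"],
                             "path": e["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_events(parse_log(SAMPLE_LOG)):
        print(f["src"], f["method"], f["path"], "->", "; ".join(f["reasons"]))
```

A 401 from an untrusted source is still reported, because the ACL guidance above says such traffic should never reach the endpoint at all.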