A quiet configuration mistake in a product designed to protect logins opened the door to remote code execution, and by the time the alarms sounded, attackers were already inside high-value identity tiers. The Cybersecurity and Infrastructure Security Agency urged immediate action after confirming active exploitation of a critical flaw in Oracle Identity Manager, a component widely deployed in enterprise and government environments.
The urgency did not arise in a vacuum. Earlier this year, Oracle Cloud’s own login service suffered a major breach that exposed more than six million records, underscoring how identity infrastructure concentrates risk. When a core identity layer fails, the blast radius crosses business units, tenants, and even agencies.
Why It Matters Now
Identity platforms sit at the center of access decisions, token issuance, and provisioning across HR, ERP, and directory services. Compromising that layer grants adversaries a shortcut toward domain-wide control, making ransomware deployment faster and data exfiltration quieter. That is why this vulnerability, tracked as CVE-2025-61757 and scored 9.8 on the CVSS scale, drew immediate attention.
Moreover, the affected Oracle Identity Governance (OIG) stack often runs in multi-tenant and public-sector settings, where shared infrastructure and complex integration chains multiply impact. A single pre-authentication bug in one tenant’s stack can become a pivot point into adjacent systems, particularly where segmentation and mutual TLS are weak or inconsistently enforced.
Inside The Exploit Path
Researchers at Searchlight Cyber surfaced the issue while mapping Oracle Cloud’s login host. Their analysis pointed to OIG’s SecurityFilter, defined in web.xml, which relied on a regex whitelist intended to allow unauthenticated access to WADL resources. However, the servlet’s URI handling diverged from the filter’s assumptions, creating a gap that attackers could slip through.
The crux was the matrix parameter trick: appending ;.wadl to targeted requests made the filter treat traffic as a harmless WADL retrieval, while the Java servlet interpreted the same URI as a valid, privileged API call. That mismatch unlocked restricted REST endpoints such as /iam/governance/applicationmanagement without any credentials.
Once inside, the path to code execution was surprisingly direct. An ostensibly safe diagnostic endpoint, groovyscriptstatus, compiled user-supplied Groovy for syntax checks. By embedding the @ASTTest annotation, adversaries could trigger arbitrary code during compilation, effectively turning a checker into a remote shell. The result was reliable, repeatable RCE with no login required—an ideal foothold for lateral movement.
Signals From The Field
CISA’s message to defenders was blunt: treat active exploitation as an ongoing risk, not a theoretical bug. That framing aligned with incident responders who observed threat actors chaining pre-auth access to identity APIs with post-exploitation tools to tamper with accounts, tokens, and service principals in minutes rather than days.
Searchlight Cyber’s findings also highlighted a broader engineering lesson: misalignment between servlet interpretation and authentication filters is not an exotic edge case. URI parsing, regex whitelists, and framework defaults often intersect in unpredictable ways, particularly under load balancers or WAFs that normalize paths differently. Past Oracle identity issues, such as CVE-2021-35587 in Oracle Access Manager, showed the same pattern—pre-auth exposure at the very boundary meant to enforce trust.
For organizations now triaging, telemetry offers critical clues. Unusual requests with matrix parameters like ;.wadl, spikes in calls to /iam/governance/*, and ephemeral Groovy compilation artifacts are telltale signs. In several investigations, those traces coincided with new service account tokens and silent changes to provisioning rules—breadcrumbs of a campaign moving quickly toward core directories.
What Comes Next
Defenders had a clear set of moves. Teams isolated OIG from the public internet, locked down management and REST endpoints with ACLs and targeted WAF rules, and applied Oracle’s fixes for 12c (12.2.1.4.0). They then verified that SecurityFilter behavior could not be bypassed and disabled diagnostic endpoints like groovyscriptstatus unless strictly needed.
The durable lesson was larger than a single CVE. Identity services demanded zero trust guardrails—mTLS at the edge, strict segmentation, and high-fidelity detections for pre-auth access to admin APIs. Programs that regularly tested URI parsing edge cases and filter configurations, and that enforced emergency patch SLAs for identity tiers, bounced back faster. In the end, the breach window closed not just with a patch, but with a mindset shift: every identity boundary was a potential entry point, and the fastest route to resilience began at the core of trust.
