
Exploited Vulnerability in Oracle Fusion Identity Manager

A critical vulnerability could allow an unauthenticated attacker to take over Oracle Identity Manager


Summary

A critical vulnerability could allow an unauthenticated attacker to take over Oracle Identity Manager


Affected platforms

The following platforms are known to be affected:

Threat details

Exploitation of CVE-2025-61757

The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-61757 to its Known Exploited Vulnerabilities (KEV) Catalog. NHS England National CSOC assesses future exploitation as likely.


Introduction

Oracle has released a security update to address a vulnerability in the Identity Manager product of Oracle Fusion Middleware.

  • CVE-2025-61757 - "Missing Authentication for Critical Function" vulnerability - CVSSv3 score: 9.8

Remediation advice

Affected organisations are strongly advised to review Oracle's Quarterly Rollup Security Advisory (AV25-688) and apply the relevant updates as soon as possible.


Last edited: 24 November 2025 2:46 pm