Article Details

Scrape Timestamp (UTC): 2025-11-24 12:28:27.113

Source: https://www.theregister.com/2025/11/24/cisa_oracle_identity_manager/

Original Article Text

CISA orders feds to patch Oracle Identity Manager zero-day after signs of abuse

Agencies have until December 12 to mitigate flaw that was likely exploited before Big Red released fix.

CISA has ordered US federal agencies to patch against an actively exploited Oracle Identity Manager (OIM) flaw within three weeks – a scramble made more urgent by evidence that attackers may have been abusing the bug months before a fix was released.

The flaw, tracked as CVE-2025-61757 and now sitting in CISA's Known Exploited Vulnerabilities catalog, is "easily exploitable" and allows an unauthenticated attacker with network access to compromise OIM, enabling a full takeover of the system.

"Oracle Fusion Middleware contains a missing authentication for a critical function vulnerability, allowing unauthenticated remote attackers to take over Identity Manager," CISA warned.

Agencies have been told to patch the vulnerability by December 12 or face the usual federal compliance consequences.

Searchlight Cyber researchers Adam Kues and Shubham Shah, who discovered the flaw, have published their own technical teardown of the vulnerability that doesn't mince words about the ease with which criminals can weaponize it. The researchers call exploitation "trivial," describing a single HTTP request that bypasses OIM's normal authentication flow and ultimately gives an attacker remote system-level control.

Oracle disclosed the bug in October, but didn't indicate that it was under active exploitation. However, analysis from SANS ISC dean Johannes Ullrich suggests attackers may have known about the flaw long before Oracle did. In traffic logs Ullrich reviewed, the telltale OIM exploit URL appeared repeatedly between August 30 and September 9 – weeks before Oracle released a patch on October 21.

"This URL was accessed several times between August 30 and September 9 this year, well before Oracle patched the issue," Ullrich wrote. "There are several different IP addresses scanning for it, but they all use the same user agent, which suggests that we may be dealing with a single attacker."

While the logs don't confirm successful compromise, they show unmistakable pre-patch reconnaissance for the vulnerability, making a credible case that CVE-2025-61757 was used as a zero-day by at least one threat actor.

CISA's alert doesn't provide detail on how the flaw is being exploited in the wild, but the timing lands awkwardly for Oracle. The company is reeling from Clop's raid on Oracle E-Business Suite environments earlier this year, compromising dozens of organizations, including insurance giant Allianz UK and Bezos-owned newspaper The Washington Post. That incident underscored the stakes when enterprise Oracle platforms fall behind on updates – and raised fresh questions about lagging customer patch cycles and the opaque nature of Oracle's vulnerability disclosures.

Oracle did not respond to The Register's request for comment on whether it had confirmed in-the-wild exploitation prior to CISA's advisory, or had received any customer reports of incidents linked to CVE-2025-61757. The vendor's October advisory rated the issue critical but made no mention of zero-day activity or exploitation telemetry.

Fixing the flaw requires applying Oracle's October 21 Critical Patch Update, which shipped with dozens of other fixes. For federal agencies now staring at a December 12 deadline, with confirmed exploitation, credible zero-day evidence, and Oracle's characteristically sparse patch notes, it's looking like another frantic month for already stretched security teams.
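The log reasoning Ullrich applied (one request path, several source IPs, one shared user agent) can be scripted against web server access logs. This is an added example, not code from the article, from Searchlight Cyber, or from the ISC diary; the request path is a placeholder because the article does not publish it, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Added example, not code from the article or from the ISC diary it cites. WATCHED_PATH
# is a placeholder: the article does not publish the OIM request path; substitute the real one.
WATCHED_PATH = "/PLACEHOLDER_OIM_PATH"

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Constructed sample lines (not real traffic); RFC 5737 documentation addresses.
SAMPLE_LOG = """\
203.0.113.10 - - [30/Aug/2025:04:12:01 +0000] "GET /PLACEHOLDER_OIM_PATH HTTP/1.1" 404 153 "-" "Mozilla/5.0 (compatible; scanner/1.0)"
198.51.100.7 - - [02/Sep/2025:11:40:22 +0000] "GET /PLACEHOLDER_OIM_PATH HTTP/1.1" 404 153 "-" "Mozilla/5.0 (compatible; scanner/1.0)"
192.0.2.44 - - [09/Sep/2025:19:03:55 +0000] "GET /PLACEHOLDER_OIM_PATH HTTP/1.1" 404 153 "-" "Mozilla/5.0 (compatible; scanner/1.0)"
192.0.2.99 - - [05/Sep/2025:08:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0)"
203.0.113.10 - - [06/Sep/2025:04:13:00 +0000] "GET /robots.txt HTTP/1.1" 200 40 "-" "Mozilla/5.0 (compatible; scanner/1.0)"
"""

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def cluster_by_user_agent(log_text, watched_path=WATCHED_PATH):
    """Group hits on watched_path by user agent, tracking distinct IPs and the time window."""
    clusters = defaultdict(lambda: {"ips": set(), "first": None, "last": None, "hits": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != watched_path:
            continue  # unparseable line, or not the request we are hunting
        c = clusters[rec["ua"]]
        c["ips"].add(rec["ip"])
        c["hits"] += 1
        c["first"] = min(filter(None, [c["first"], rec["ts"]]))
        c["last"] = max(filter(None, [c["last"], rec["ts"]]))
    return dict(clusters)

def likely_single_actor(clusters, min_ips=2):
    """User agents seen from at least min_ips distinct source IPs (the pattern Ullrich described)."""
    return {ua: c for ua, c in clusters.items() if len(c["ips"]) >= min_ips}
```

Run it over the real access logs with the advisory's path substituted; a cluster's first-seen timestamp relative to the patch date is what turns a scan into evidence of pre-patch reconnaissance.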

Daily Brief Summary

VULNERABILITIES // CISA Mandates Urgent Patch for Oracle Identity Manager Flaw

CISA has directed U.S. federal agencies to patch a critical Oracle Identity Manager vulnerability, CVE-2025-61757, by December 12, following signs of active exploitation.

The flaw allows unauthenticated attackers with network access to completely compromise Oracle Identity Manager, posing significant security risks.

Searchlight Cyber researchers have detailed the vulnerability, describing it as "trivial" to exploit, involving a single HTTP request to bypass authentication.

Evidence suggests the vulnerability was exploited as a zero-day, with attack logs indicating activity from August 30 to September 9, prior to Oracle's patch release.

Oracle's October advisory rated the issue as critical but did not confirm zero-day exploitation, raising concerns over the transparency of their vulnerability disclosures.

The urgency of the patch is compounded by Oracle's previous security challenges, including a major breach by the Clop ransomware group earlier this year.

Federal agencies face compliance consequences if the patch is not applied by the deadline, emphasizing the critical need for timely updates and robust security practices.