Warning: Authentication vulnerability in Oracle Identity Manager, Patch Immediately!

Published: 21/11/2025

    * Last update: 21/11/2025

    * Affected products:
      → Oracle (Fusion Middleware) Identity Manager 12.2.1.4.0 and 14.1.2.1.0
      → REST webservices component

    * Type: CWE-306: Missing Authentication for Critical Function

    * CVE/CVSS:
      • CVE-2025-61757: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

Oracle - https://www.oracle.com/security-alerts/cpuoct2025.html

Risks

This authentication vulnerability can lead to an account takeover. Unauthenticated attackers with network access to the Identity Manager platform can exploit it. Because this platform manages user access rights, a compromise can lead to privilege escalation and further information disclosure, and attackers who compromise the platform can gain access to other resources.

This vulnerability has a high impact on the platform's confidentiality, integrity and availability.

Description

An attacker can escalate their privileges and gain access to other connected resources. The vulnerability exists in the REST webservices component of the Oracle Identity Manager platform, where an unauthenticated attacker with HTTP network access can compromise it. This can lead to other interconnected devices being compromised.

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.

Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

NIST - https://nvd.nist.gov/vuln/detail/CVE-2025-61757