CVE-2025-61757

CVSS 9.8 (Critical) | EPSS 88.3% | Listed in CISA KEV | CWE-306
In short

Oracle Identity Manager has a critical flaw in its REST web services that allows attackers to take over the system without needing a password or login credentials. An attacker on the network can exploit this to gain complete control over user identities and access.

Technical detail

An unauthenticated remote code execution vulnerability exists in Oracle Identity Manager's REST WebServices component (versions 12.2.1.4.0 and 14.1.2.1.0). It requires only network access via HTTP, with no authentication or user interaction. Successful exploitation results in complete compromise of the confidentiality, integrity, and availability of the Identity Manager system.

Summary generated and translated by AI from the official description.

Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: REST WebServices). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Identity Manager. Successful attacks of this vulnerability can result in takeover of Identity Manager. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H