Red Hot Cyber
Oracle under attack: Pre-auth RCE vulnerability discovered that compromises entire systems


Redazione RHC : 22 November 2025 12:31

A vulnerability, designated CVE-2025-61757, was made public by Searchlight Cyber last Thursday. Company researchers discovered the issue and notified Oracle, which led to its disclosure.

Oracle fixed CVE-2025-61757 with the October 2025 patches and confirmed that it is a critical issue that can be easily exploited without authentication.

The security firm described it as a critical pre-authentication remote code execution vulnerability in Oracle Identity Manager. The exploit, which combines an authentication bypass vulnerability with arbitrary code execution, could allow an attacker to completely compromise the system.

Searchlight Cyber warned on Thursday that the vulnerability could “allow attackers to manipulate authentication flows, escalate privileges, and move laterally into an organization’s core systems,” noting that it could “lead to the breach of servers that handle personally identifiable information (PII) and user credentials.”

“There are several IPs actively scanning the bug, but they’re all using the same user agent, which suggests we may be dealing with a single attacker,” Ullrich explained. “Unfortunately, we didn’t capture the request bodies for these requests, but they were all POST requests,” he added.

The SANS Technology Institute used the technical information and PoC code made public by Searchlight on Thursday to check its honeypot logs for signs of potential exploitation.

According to Johannes Ullrich of SANS, possible exploitation cases were observed multiple times between August 30 and September 9, weeks before Oracle released a patch.

The expert said that the same IP addresses had previously been seen scanning the web for a Liferay product vulnerability (CVE-2025-4581) and conducting scans that appear to be associated with bug bounties.
