By The Hacker News
Publication Date: 2025-11-22 06:45:00
The US Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a critical security vulnerability affecting Oracle Identity Manager to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerability in question is CVE-2025-61757 (CVSS score: 9.8), a case of missing authentication for a critical function that could lead to pre-authenticated remote code execution. The vulnerability affects versions 12.2.1.4.0 and 14.1.2.1.0. It was addressed by Oracle as part of its quarterly Critical Patch Update released last month.
“Oracle Fusion Middleware contains a missing authentication for a critical function vulnerability that allows unauthenticated remote attackers to take over Identity Manager,” CISA said.
Searchlight Cyber researchers Adam Kues and Shubham Shah, who discovered the flaw, say it can allow an attacker to access API endpoints, which in turn can allow them to “…manipulate…”
