CVE-2025-61757
Published: 21 October 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-61757 is a vulnerability in the Identity Manager product of Oracle Fusion Middleware, specifically affecting the REST WebServices component. Supported versions impacted include 12.2.1.4.0 and 14.1.2.1.0. It carries a CVSS 3.1 Base Score of 9.8 with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating high confidentiality, integrity, and availability impacts, and is associated with CWE-306 (Missing Authentication for Critical Function).
The vulnerability is easily exploitable by an unauthenticated attacker with network access via HTTP. Successful exploitation allows the attacker to fully compromise Identity Manager, resulting in takeover of the product.
Oracle's Critical Patch Update for October 2025 provides details on patches and mitigation, as outlined in their security alert at https://www.oracle.com/security-alerts/cpuoct2025.html. Additional analysis appears in the ISC SANS diary at https://isc.sans.edu/diary/rss/32506. The vulnerability is listed in CISA's Known Exploited Vulnerabilities Catalog at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-61757, indicating real-world exploitation.
Details
- CWE(s)
- KEV Date Added
- 21 November 2025
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authentication in REST WebServices allows unauthenticated remote exploitation of a public-facing application, directly mapping to T1190: Exploit Public-Facing Application.