Patch now! Malicious code attacks on Oracle Identity Manager observed

There are indications that attackers have been targeting Oracle Identity Manager since August of this year. A security update is available.

Unknown attackers are currently targeting systems running Oracle Identity Manager. Admins should act immediately and install the patched version.

The US Cybersecurity & Infrastructure Security Agency (CISA) warns of the attacks and advises prompt installation of the security patch. The agency sees this as a real threat to government institutions. The vulnerability (CVE-2025-61757) is considered “critical,” and attackers use it to execute malicious code to compromise systems. The extent to which the attacks are occurring is currently unknown.

The software manufacturer released a security update in October of this year as part of its quarterly security updates. However, Oracle's Critical Patch Update advisory lists only the affected Identity Manager versions, 12.2.1.4.0 and 14.1.2.1.0. Oracle customers can look up the version number of the patched release in the support portal.

According to the vulnerability description, the flaw is in the REST API of Identity Manager. Remote attackers can exploit it with crafted URLs containing parameters like ?WSDL or ;.wadl to bypass a security filter. They can then push malicious code onto PCs. Executing such an attack is said to be relatively easy. In a report, security researchers from Searchlight Cyber explain further details about the vulnerability.

A security researcher from the SANS Technology Institute discovered such a URL at the end of August this year. In a post, he concludes from this that attacks have been ongoing since then, i.e., before the patch was released.
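Admins can search their own web server logs for the URL markers named above. The following is an added example, not code from Oracle, SANS or Searchlight Cyber: it assumes access logs in Combined Log Format, and all paths and addresses in it are constructed placeholders. A hit is a lead for triage, not proof of compromise, because ?WSDL also appears in legitimate SOAP traffic.

```python
import re
from urllib.parse import unquote

# Assumption: Common/Combined Log Format, request line in double quotes.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# ";.wadl" used as a path (matrix) parameter at the end of a path segment.
WADL_PARAM_RE = re.compile(r";\.wadl(?=$|[/;])", re.IGNORECASE)

# Constructed sample lines: placeholder paths, documentation-range addresses.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Sep/2025:10:00:00 +0000] "GET /example/api/v1/items HTTP/1.1" 401 0',
    '198.51.100.7 - - [01/Sep/2025:10:00:05 +0000] "POST /example/api/v1/items;.wadl HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Sep/2025:10:00:09 +0000] "GET /example/api/v1/items?WSDL HTTP/1.1" 200 1024',
    '203.0.113.5 - - [01/Sep/2025:10:01:00 +0000] "POST /example/api/v1/items%3B.WADL HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Sep/2025:10:02:00 +0000] "GET /example/docs/wadl-guide.html?page=2 HTTP/1.1" 200 2048',
]

def bypass_marker(uri):
    """Return 'wadl-path-param', 'wsdl-query' or None for a request URI."""
    decoded = uri
    for _ in range(2):  # undo single and double percent-encoding (%3B, %253B)
        decoded = unquote(decoded)
    path, _, query = decoded.partition("?")
    if WADL_PARAM_RE.search(path):
        return "wadl-path-param"
    # "?WSDL" as a query key, with or without a value, in any letter case
    if any(part.split("=", 1)[0].lower() == "wsdl" for part in query.split("&")):
        return "wsdl-query"
    return None

def scan(lines):
    """Return (line_no, method, uri, status, marker) for each suspicious request."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # skip lines that are not in the assumed format
        marker = bypass_marker(match["uri"])
        if marker:
            hits.append((line_no, match["method"], match["uri"], int(match["status"]), marker))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Hits with a 2xx status on endpoints that normally require authentication deserve the closest look, and the search should reach back to at least the end of August given the timeline described above.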

(des)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.