
CISA Confirms Exploitation of Recent Oracle Identity Manager Vulnerability

CISA has added CVE-2025-61757 to its Known Exploited Vulnerabilities (KEV) catalog. 


The US Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that a recently patched Oracle Identity Manager vulnerability has been exploited in the wild.

The vulnerability, tracked as CVE-2025-61757, affects Oracle Identity Manager (a product in the Fusion Middleware platform) and was addressed by Oracle as part of its October 2025 patches. The flaw can be exploited by an unauthenticated attacker for remote code execution.

SecurityWeek reported on Friday that CVE-2025-61757 may have been exploited in the wild as a zero-day several weeks before Oracle released a patch. 

Searchlight Cyber, whose researchers discovered the issue and reported it to Oracle, disclosed technical details and PoC code on Thursday. The company warned that the flaw is easy to exploit and that successful exploitation could allow attackers to escalate privileges and move laterally, potentially exposing sensitive data.

Based on the technical information made public by Searchlight, the SANS Technology Institute checked its honeypot logs for signs of potential exploitation and found what looked like attack attempts coming from several IP addresses between August 30 and September 9.

The same IP addresses had also been seen scanning for other product vulnerabilities, as well as conducting scans associated with bug bounty activity.


However, Searchlight told SecurityWeek on Friday that the activity seen by SANS can be attributed to its own researchers and to its efforts to notify affected organizations.

Nevertheless, on Saturday, CISA added CVE-2025-61757 to its Known Exploited Vulnerabilities (KEV) catalog, instructing federal agencies to address the flaw by December 12.

SecurityWeek is hoping to obtain additional clarifications from SANS and Searchlight regarding the potential exploitation. It’s possible that CISA learned of attacks from a different source. 

The agency has pointed out in the past that vulnerabilities are only added to the KEV catalog if there is reliable evidence of exploitation in the wild.

Contacted by SecurityWeek, Oracle did not provide any clarifications and instead pointed to its October 2025 security bulletin, which makes no mention of CVE-2025-61757 being exploited in the wild.

Related: Recent 7-Zip Vulnerability Exploited in Attacks

Related: Fortinet Discloses Second Exploited FortiWeb Zero-Day in a Week

Related: Two-Year-Old Ray AI Framework Flaw Exploited in Ongoing Campaign

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
