Critical Oracle Identity Manager Flaw Possibly Exploited as Zero-Day

CVE-2025-61757 is an unauthenticated remote code execution vulnerability affecting Oracle Identity Manager.

[UPDATED] A recently patched Oracle Identity Manager vulnerability may have been exploited as a zero-day.

The vulnerability, tracked as CVE-2025-61757, was disclosed on Thursday by Searchlight Cyber, whose researchers discovered the issue and reported it to Oracle.

The security firm described it as a critical pre-authentication remote code execution vulnerability in Oracle Identity Manager. The exploit, which chains an authentication bypass weakness and arbitrary code execution, can allow an attacker to achieve full system compromise. 

Oracle fixed CVE-2025-61757 with its October 2025 patches and confirmed that it’s a critical issue that can be easily exploited without authentication. 

Searchlight Cyber warned on Thursday that the vulnerability can “allow attackers to manipulate authentication flows, escalate privileges, and move laterally across an organisation’s core systems”, noting that it can “lead to the breach of servers handling user PII and credentials”.

The SANS Technology Institute used the technical information and PoC code made public by Searchlight on Thursday to check its honeypot logs for signs of potential exploitation.

According to SANS’s Johannes Ullrich, possible exploitation was seen several times between August 30 and September 9, weeks before Oracle released a patch. 

“There are several different IP addresses scanning for it, but they all use the same user agent, which suggests that we may be dealing with a single attacker,” Ullrich explained. 

“Sadly, we did not capture the bodies for these requests, but they were all POST requests,” he added.

The expert said the same IP addresses were previously seen scanning the web for a Liferay product vulnerability (CVE-2025-4581) and conducting scans that appear to be associated with bug bounties. The IPs also scanned for URLs associated with the exploitation of the Log4j vulnerability. 
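The analysis Ullrich describes above, clustering hits on the vulnerable endpoint by User-Agent across source IPs and then checking whether those IPs also probed for other flaws, can be reproduced on ordinary web-server access logs. The following is an added illustration, not SANS or Searchlight code; the log lines are constructed, and the request paths are placeholders because the article does not give the actual PoC endpoint.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed honeypot log lines in combined log format (not real SANS data).
# Paths are placeholders; the real OIM PoC path is not given in the article.
SAMPLE_LOG = """\
203.0.113.10 - - [30/Aug/2025:04:12:01 +0000] "POST /PLACEHOLDER/oim-endpoint HTTP/1.1" 200 512 "-" "Mozilla/5.0 scanner-ua-X"
203.0.113.10 - - [02/Sep/2025:11:40:22 +0000] "GET /PLACEHOLDER/liferay-probe HTTP/1.1" 404 0 "-" "Mozilla/5.0 scanner-ua-X"
198.51.100.7 - - [05/Sep/2025:09:03:45 +0000] "POST /PLACEHOLDER/oim-endpoint HTTP/1.1" 200 512 "-" "Mozilla/5.0 scanner-ua-X"
198.51.100.7 - - [06/Sep/2025:09:04:10 +0000] "GET /PLACEHOLDER/log4j-probe HTTP/1.1" 404 0 "-" "Mozilla/5.0 scanner-ua-X"
192.0.2.44 - - [09/Sep/2025:22:15:00 +0000] "POST /PLACEHOLDER/oim-endpoint HTTP/1.1" 200 512 "-" "Mozilla/5.0 scanner-ua-X"
192.0.2.99 - - [01/Sep/2025:13:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" \S+ \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse(log_text):
    """Parse combined-format lines into dicts with a timezone-aware timestamp."""
    rows = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
            rows.append(d)
    return rows

def cluster_by_user_agent(rows, target_path, method="POST"):
    """Group hits on target_path by User-Agent: distinct IPs, hit count, time span.
    One UA shared by many IPs is the single-actor signal Ullrich describes."""
    clusters = defaultdict(lambda: {"ips": set(), "hits": 0, "first": None, "last": None})
    for r in rows:
        if r["method"] != method or r["path"] != target_path:
            continue
        c = clusters[r["ua"]]
        c["ips"].add(r["ip"])
        c["hits"] += 1
        if c["first"] is None or r["ts"] < c["first"]:
            c["first"] = r["ts"]
        if c["last"] is None or r["ts"] > c["last"]:
            c["last"] = r["ts"]
    return clusters

def prior_activity(rows, ips, other_paths):
    """Which of the flagged IPs also requested other known probe paths (campaign linkage)."""
    seen = defaultdict(set)
    for r in rows:
        if r["ip"] in ips and r["path"] in other_paths:
            seen[r["ip"]].add(r["path"])
    return dict(seen)
```

On the constructed sample, the three POSTs to the placeholder OIM path come from three IPs sharing one User-Agent between August 30 and September 9, and two of those IPs also hit the placeholder Liferay and Log4j probe paths.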

SecurityWeek has reached out to Oracle for comment and will update this article if the company responds. Searchlight has also been asked whether the activity seen by SANS may have been conducted by its own researchers while analyzing the vulnerability. 

UPDATE: Oracle responded to SecurityWeek’s inquiry with a link to its October 2025 CPU advisory, without any additional clarifications. The advisory does not mention anything about CVE-2025-61757 being exploited in the wild.

Searchlight, on the other hand, provided valuable insights. Shubham Shah, SVP of security research, confirmed that “The activity from the SANS ISC reporting can be attributed back to Searchlight Cyber researchers, as a part of our research activities into this vulnerability, as well as work to notify affected organizations of this vulnerability.”

UPDATE 2: CISA has added the vulnerability to its KEV catalog, confirming exploitation.

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
