Hackers May Have Exploited Critical Oracle Identity Manager Zero-Day Before Patch Release

A newly disclosed security flaw in Oracle Identity Manager may have been actively exploited long before a fix became available, raising concerns about widespread exposure across enterprise environments.

The vulnerability, tracked as CVE-2025-61757, was discovered by researchers at Searchlight Cyber and publicly detailed on Thursday. Oracle fixed the bug in its October 2025 Critical Patch Update; it is classified as a critical pre-authentication remote code execution (RCE) flaw, meaning an attacker needs no valid credentials to reach the vulnerable code path.

Severe Authentication Bypass Leads to Full System Takeover

Searchlight Cyber described the issue as a high-impact exploit chain combining an authentication bypass weakness with arbitrary code execution. If leveraged successfully, attackers can seize full control of servers running Oracle Identity Manager — a system widely used to manage user identities and credentials.

According to the firm, the flaw could allow threat actors to manipulate authentication processes, escalate privileges, pivot across networks, and compromise servers storing sensitive data, including personally identifiable information (PII).

Oracle's advisory rates the vulnerability as critical and notes that it is remotely exploitable over the network without any user authentication, which makes unpatched, internet-reachable instances especially attractive targets.

Evidence Suggests Attackers Exploited the Bug Before Patch Release

After Searchlight published its technical write-up and proof-of-concept (PoC) code, researchers at the SANS Technology Institute went back through their honeypot logs. Johannes Ullrich of SANS reported multiple suspicious requests targeting the vulnerable component between August 30 and September 9, 2025, several weeks before Oracle's official fix shipped in October.

The scanning activity originated from multiple IP addresses but used the same user agent, suggesting a single coordinated actor. All requests were POST requests, though full payloads were not captured.

Ullrich added that the same IPs had previously been seen scanning for other known vulnerabilities, including a Liferay flaw (CVE-2025-4581) and the Log4Shell vulnerability in Log4j. Some of the activity resembled bug bounty reconnaissance, though malicious intent cannot be ruled out.
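The signal SANS describes above, the same User-Agent string arriving from several source IPs, is easy to check for in your own web server logs. The following is an added example, not code from the article, SANS or Searchlight Cyber: it parses combined-format access log lines, keeps in-window POST requests to an assumed Oracle Identity Manager context root (the `/iam/` prefix and the request paths are assumptions, not endpoints named by the article), and reports every User-Agent seen from at least two distinct source addresses. The sample log lines are constructed for the example and are not real honeypot data; request bodies are absent, matching the article's note that full payloads were not captured.

```python
"""Cluster POST requests to Oracle Identity Manager paths by User-Agent across source IPs.

Added example (not from the article, SANS or Searchlight): applies the heuristic
described in the article, one User-Agent seen from several source IPs, to
combined-format access logs.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Assumption: the OIM REST endpoints of interest live under the /iam/ context root.
OIM_PATH_PREFIX = "/iam/"

# Observation window from the article: 30 Aug to 9 Sep 2025 inclusive, treated as UTC.
WINDOW_START = datetime(2025, 8, 30, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 9, 10, tzinfo=timezone.utc)  # exclusive upper bound

# Constructed sample lines (not real honeypot data). The paths are illustrative assumptions.
SAMPLE_LOG = """\
203.0.113.10 - - [30/Aug/2025:14:02:11 +0000] "POST /iam/governance/api/v1/applications HTTP/1.1" 401 112 "-" "Mozilla/5.0 (compatible; probe/1.0)"
203.0.113.10 - - [30/Aug/2025:14:02:12 +0000] "GET /iam/identity/faces/signin HTTP/1.1" 200 4120 "-" "Mozilla/5.0 (compatible; probe/1.0)"
198.51.100.7 - - [02/Sep/2025:03:17:45 +0000] "POST /iam/governance/api/v1/applications HTTP/1.1" 401 112 "-" "Mozilla/5.0 (compatible; probe/1.0)"
198.51.100.7 - - [02/Sep/2025:03:18:00 +0000] "POST /api/jsonws/invoke HTTP/1.1" 404 0 "-" "Mozilla/5.0 (compatible; probe/1.0)"
192.0.2.99 - - [05/Sep/2025:10:00:00 +0000] "POST /iam/governance/api/v1/applications HTTP/1.1" 401 112 "-" "curl/8.4.0"
192.0.2.44 - - [09/Sep/2025:22:40:09 +0000] "POST /iam/governance/api/v1/users HTTP/1.1" 404 0 "-" "Mozilla/5.0 (compatible; probe/1.0)"
203.0.113.200 - - [15/Sep/2025:11:11:11 +0000] "POST /iam/governance/api/v1/applications HTTP/1.1" 401 112 "-" "Mozilla/5.0 (compatible; probe/1.0)"
"""


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, path, status, ua; None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_coordinated_scans(lines, path_prefix=OIM_PATH_PREFIX,
                           start=WINDOW_START, end=WINDOW_END, min_ips=2):
    """Group in-window POSTs under path_prefix by User-Agent.

    Returns {ua: {"source_ips": [...], "paths": [...], "request_count": n}} for every
    User-Agent observed from at least min_ips distinct source addresses. GET requests,
    non-OIM paths and out-of-window requests are ignored.
    """
    by_ua = defaultdict(lambda: {"source_ips": set(), "paths": set(), "request_count": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not rec["path"].startswith(path_prefix):
            continue
        if not (start <= rec["ts"] < end):
            continue
        entry = by_ua[rec["ua"]]
        entry["source_ips"].add(rec["ip"])
        entry["paths"].add(rec["path"])
        entry["request_count"] += 1
    return {
        ua: {"source_ips": sorted(e["source_ips"]),
             "paths": sorted(e["paths"]),
             "request_count": e["request_count"]}
        for ua, e in by_ua.items()
        if len(e["source_ips"]) >= min_ips
    }


if __name__ == "__main__":
    for ua, info in find_coordinated_scans(SAMPLE_LOG.splitlines()).items():
        print(f"{ua!r}: {info['request_count']} POSTs from "
              f"{len(info['source_ips'])} source IPs {info['source_ips']}")
```

Run as-is the script reports the one User-Agent that appears from three different addresses inside the window; the single-IP `curl` probe and the request on 15 September fall outside the heuristic. In practice, pipe your real access logs into `find_coordinated_scans` and widen the window to cover the period before your October patch date, since the article's point is that probing predated the fix.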

Awaiting Further Clarifications

SecurityWeek has requested comments from Oracle regarding potential exploitation in the wild. The publication also reached out to Searchlight Cyber to determine whether any observed traffic was part of its own investigation efforts. Responses are pending.

This development fits a growing pattern of attackers probing for vulnerabilities well before vendors release patches, underscoring the need for rapid deployment of security updates and active monitoring of identity infrastructure. Because the observed scanning predates the fix, organizations that applied the October update should still review access logs for their Oracle Identity Manager endpoints from late August onward rather than assume the patch closed the exposure window.

Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved Website by Top Search SEO