CVE-2025-61757: 
Oracle Identity Manager vulnerability analysis and mitigation

A critical vulnerability (CVE-2025-61757) was discovered in Oracle Identity Manager's REST WebServices component, affecting versions 12.2.1.4.0 and 14.1.2.1.0. The vulnerability was disclosed on October 21, 2025, and allows unauthenticated attackers with network access via HTTP to potentially compromise the Identity Manager (Oracle Advisory).

The vulnerability has been assigned a CVSS 3.1 Base Score of 9.8 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. This indicates the vulnerability is easily exploitable, requires no privileges or user interaction, and can impact all aspects of security - confidentiality, integrity, and availability. The vulnerability is classified under CWE-306 (Missing Authentication for Critical Function) (NVD).

Successful exploitation of this vulnerability can result in complete takeover of the Identity Manager system. The critical CVSS score of 9.8 indicates that an attacker can gain full access to the system, potentially compromising sensitive identity management data and functionality (Oracle Advisory).

Oracle has released security patches as part of the October 2025 Critical Patch Update. Organizations running affected versions (12.2.1.4.0 and 14.1.2.1.0) should apply these patches immediately. Oracle strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay to address this vulnerability (Oracle Advisory).

The vulnerability was initially discovered and reported by Shubham Shah of Assetnote, demonstrating active security research in Oracle's identity management products (Oracle Advisory).