Code Defence Cyber security

CISA Adds Critical Oracle Identity Manager Flaw (CVE-2025-61757) to KEV

CISA has added a critical vulnerability (CVE-2025-61757, CVSS 9.8) in Oracle Identity Manager to its Known Exploited Vulnerabilities (KEV) catalog. The flaw allows unauthenticated remote attackers to bypass authentication and take full control of the identity management system.

Business Impact

This is a maximum-severity risk. Oracle Identity Manager often holds the “keys to the kingdom,” managing user access across the entire enterprise. Compromise allows attackers to create privileged accounts, reset passwords, and move laterally into any connected system.

Why It Happened

The vulnerability involves a missing authentication check for a critical function within the Oracle Fusion Middleware component. Attackers are actively exploiting this to hijack identity infrastructure without needing credentials.

Recommended Executive Action

This is an emergency. Direct IT to apply the Oracle patches immediately (the deadline for federal agencies is Dec 12). If the patch cannot be applied right away, restrict network access to the Identity Manager console to a secure, isolated management VLAN until it is.

Hashtags: #Oracle #IdentityManagement #CISA #KEV #Vulnerability #RCE #IAM #CyberSecurity #InfoSec
