CISA has issued an emergency directive ordering federal agencies to patch a critical vulnerability (CVE-2025-61757, CVSS 9.8) in Oracle Identity Manager by December 12. The flaw allows unauthenticated remote attackers to bypass authentication via a simple HTTP request and gain full administrative control over the identity system.
Business Impact
This is a “keys to the kingdom” vulnerability. Compromising the central Identity Manager allows attackers to create privileged accounts, reset passwords for any user, and pivot laterally into any connected system, effectively bypassing all other access controls.
Why It Happened
The vulnerability stems from a missing authentication check in a critical REST API function within Oracle Fusion Middleware. Attackers are actively exploiting this “trivial” flaw to hijack identity infrastructure without needing credentials.
Recommended Executive Action
Treat this as an immediate emergency. Direct IT to apply the Oracle patches immediately. If patching cannot happen right away, restrict network access to the Identity Manager console to a secure, isolated management VLAN and audit logs for suspicious API calls.
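As an added example (not from the CISA directive or Oracle), the log audit the last step calls for: a Python check over constructed reverse-proxy access lines that flags Identity Manager REST calls arriving from outside the management VLAN, calls that succeeded with no Authorization header, and state-changing calls. The REST path prefix, log format and VLAN range are assumptions for illustration, not the real vulnerable endpoint.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumptions (hypothetical, not from the advisory): a reverse proxy in front of
# OIM writes combined-format access logs plus a final field that records only
# whether an Authorization header was present ("present" or "-"), so tokens
# never reach disk; the REST API lives under a placeholder prefix.
MGMT_VLAN = ipaddress.ip_network("10.50.0.0/24")   # assumed management VLAN
REST_PREFIX = "/iam/governance/"                   # placeholder, not the real path

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<auth>\S+)$'
)

@dataclass
class Finding:
    src: str
    path: str
    reasons: Tuple[str, ...]

def audit_line(line: str) -> Optional[Finding]:
    m = LOG_RE.match(line)
    if not m or not m["path"].startswith(REST_PREFIX):
        return None  # not an Identity Manager REST call (or unparseable)
    reasons = []
    if ipaddress.ip_address(m["src"]) not in MGMT_VLAN:
        reasons.append("source outside management VLAN")
    if m["auth"] == "-" and m["status"].startswith("2"):
        reasons.append("successful REST call without Authorization header")
    if m["method"] in ("POST", "PUT", "DELETE") and m["status"].startswith("2"):
        reasons.append("state-changing call (account/password/role change)")
    return Finding(m["src"], m["path"], tuple(reasons)) if reasons else None

def audit(lines) -> List[Finding]:
    return [f for f in (audit_line(l) for l in lines) if f]

# Constructed sample log: one legitimate admin call, two suspicious external
# calls (the second creates an object), and one non-REST console page load.
SAMPLE_LOG = """\
10.50.0.12 - - [02/Dec/2025:09:14:02 +0000] "GET /iam/governance/users HTTP/1.1" 200 512 "-" "curl/8.4" present
198.51.100.7 - - [02/Dec/2025:09:15:44 +0000] "GET /iam/governance/users HTTP/1.1" 200 512 "-" "python-requests" -
198.51.100.7 - - [02/Dec/2025:09:15:45 +0000] "POST /iam/governance/users HTTP/1.1" 201 88 "-" "python-requests" -
10.50.0.12 - - [02/Dec/2025:09:16:10 +0000] "GET /identity/faces/home HTTP/1.1" 200 9000 "-" "Mozilla" present
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG.splitlines()):
        print(f.src, f.path, "; ".join(f.reasons))
```

Run it against real proxy logs only after adapting the regex and prefix to the actual deployment; a single flagged external, unauthenticated, state-changing call is enough to open an incident.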
Hashtags: #Oracle #IdentityManagement #CISA #KEV #Vulnerability #RCE #IAM #CyberSecurity #InfoSec
