Threat Signal Report

Oracle Identity Manager Pre-Auth RCE

What is the Vulnerability?	CVE-2025-61757 is a critical pre-authentication remote code execution vulnerability in Oracle Identity Manager’s REST WebServices. This vulnerability allows an unauthenticated attacker to exploit URI and matrix parameter parsing weaknesses to bypass authentication and execute arbitrary code over HTTP. Successful exploitation results in full compromise of Identity Manager servers- enabling attackers to steal credentials, escalate privilege across connected systems, move laterally within the infrastructure, and persist undetected. As Identity Manager is a core identity and access control system, the downstream impact is severe, including potential domain or cloud takeover. This vulnerability has been assigned a CVSS 9.8 (Critical) rating and is considered easily exploitable. The U.S. CISA has added the associated CVE to its Known Exploited Vulnerabilities (KEV) catalog, indicating active or imminent exploitation in the wild.
What is the recommended Mitigation?	Apply Oracle’s October 2025 Critical Patch Update for CVE-2025-61757 immediately. This patch directly addresses the authentication bypass and pre-auth RCE path for affected Oracle Identity Manager/Identity Governance REST WebServices: 12.2.1.4.0 14.1.2.1.0 Restrict network access to OIM/OIG management endpoints- block direct exposure to the internet and allow access only from trusted administrative networks. Monitor and control outbound connections from Identity Manager servers: Watch for unexpected callbacks, external network beacons, or suspicious DNS resolutions. Implement egress allowlists for management servers to prevent command-and-control style communications. If a compromise is suspected, rotate service accounts and identity-related credentials.
What FortiGuard Coverage is available?	FortiGuard IPS Service is available to detect and block exploit attempts targeting CVE-2025-61757. Intrusion Prevention \| FortiGuard Labs FortiGuard Web Filtering Service protects against malicious URLs, domains, IPs, and other attacker-controlled infrastructure associated with this campaign. FortiAnalyzer, FortiSIEM, and FortiSOAR leverage known Indicators of Compromise (IoCs) delivered through the Indicators of Compromise (IoC) Service to enhance threat hunting, detection, and automated response, strengthening investigation workflows and correlation against related threat activity. FortiGuard Labs continues to monitor for newly emerging IoCs to ensure proactive protection. Organizations suspecting a compromise can contact the FortiGuard Incident Response team for rapid investigation and remediation support.

Outbreak Alert

This report provides an overview of ongoing Iran-linked cyber operations, highlighting activity attributed to state-aligned proxies and hacktivist groups. The vulnerabilities listed are suspected to be exploited by actors associated with Iran in real-world campaigns, consistent with observed tactics, techniques, and procedures (TTPs). Iran-linked operations continue to rely on distributed, lower-complexity techniques, including phishing, DDoS, data exfiltration, and destructive attacks. Initial access is primarily achieved through exploitation of known, unpatched vulnerabilities and exposed edge infrastructure, reflecting a persistent and opportunistic threat posture targeting government, critical infrastructure, and enterprise environments.

View the full Outbreak Alert Report