Published On: Nov 24, 2025 15:00
Advisory No: TZCERT-SA-25-0117
Source: ORACLE
Software Affected: Oracle Identity Manager 12.2.1.4.0 and Oracle Identity Manager 14.1.2.1.0
A critical Remote Code Execution (RCE) vulnerability has been identified in Oracle Identity Manager (OIM). The flaw allows unauthenticated remote attackers to execute arbitrary code via HTTP, leading to complete system compromise. This vulnerability is actively exploited and is listed in the CISA Known Exploited Vulnerabilities (KEV) Catalogue.
The vulnerability, CVE-2025-64446, arises from a relative path traversal flaw combined with authentication bypass logic in FortiWeb’s API/GUI management interface.
An attacker sends a crafted HTTP/HTTPS POST request to a vulnerable endpoint (for example: /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi) which bypasses intended authentication controls and reaches a legacy CGI handler.
Through this access, the attacker can create administrative accounts, modify configuration, execute arbitrary commands on the device and pivot into the network.
Successful exploitation of this vulnerability can result in:
• Full takeover of the Oracle Identity Manager environment
• Manipulation of identity and access workflows
• Unauthorized privilege escalation
• Lateral movement to other integrated enterprise systems
• Leakage of sensitive identity information
Severity:
• CVSS Score: 9.8 (Critical)
• Attack Vector: Network
• Privileges Required: None
• User Interaction: None
• Status: Actively Exploited
Oracle has released a security patch for this vulnerability. Users and administrators are encouraged to apply the necessary updates.
Indicators of Compromise (IoCs):
• Requests to OIM endpoints ending in .wadl
• Anonymous access attempts to OIM REST Web Services
• Known malicious IPs interacting with OIM servers:
• Abnormal Groovy execution entries in logs
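As an added example, not part of this advisory or of any Oracle tooling, the script below screens web-server access logs for two of the indicators listed above: requests for `.wadl` endpoints and anonymous (unauthenticated) requests to the OIM REST web services. The REST path prefix and the sample log lines are assumptions constructed for the example; adjust the prefix to the deployment.

```python
import re
from urllib.parse import urlsplit

# Combined Log Format: host ident authuser [date] "METHOD target HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Assumed base path of the OIM REST API (not taken from the advisory); adjust per deployment.
REST_PREFIX = "/iam/governance/"


def classify(line: str):
    """Return the IoC labels matched by one access-log line (empty list if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    path = urlsplit(m.group("target")).path.lower()  # query string is ignored
    user = m.group("user")
    hits = []
    # IoC: requests to OIM endpoints ending in .wadl
    if path.endswith(".wadl"):
        hits.append("wadl_request")
    # IoC: anonymous access to the REST web services (no authenticated user in the log)
    if path.startswith(REST_PREFIX) and user == "-":
        hits.append("anonymous_rest_access")
    return hits


def scan_access_log(lines):
    """Return (line_number, host, path, labels) for each line matching at least one IoC."""
    findings = []
    for n, line in enumerate(lines, 1):
        labels = classify(line)
        if labels:
            m = LOG_RE.match(line)
            findings.append((n, m.group("host"), urlsplit(m.group("target")).path, labels))
    return findings


# Constructed sample lines (not real traffic); 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Nov/2025:10:01:02 +0000] "GET /iam/governance/selfservice/api/v1/users?limit=1 HTTP/1.1" 200 512',
    '203.0.113.7 - - [20/Nov/2025:10:01:05 +0000] "GET /iam/governance/application.wadl HTTP/1.1" 200 2048',
    '198.51.100.4 - alice [20/Nov/2025:10:02:11 +0000] "GET /iam/governance/selfservice/api/v1/users HTTP/1.1" 200 4096',
    '198.51.100.4 - alice [20/Nov/2025:10:03:00 +0000] "GET /identity/faces/home HTTP/1.1" 200 9182',
]

if __name__ == "__main__":
    for n, host, path, labels in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: {host} {path} -> {', '.join(labels)}")
```

Hits from a single source address, as in the first two sample lines, are worth correlating with the server-side logs for the Groovy execution indicator above.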