Tag: CVE-2025-61757

  • Oracle Identity Manager RCE Vulnerability

    The Cybersecurity & Infrastructure Security Agency (CISA) is alerting organizations to a critical security flaw in Oracle Identity Manager that requires immediate attention. The vulnerability, tracked as CVE-2025-61757, lets an unauthenticated attacker execute arbitrary code on affected systems, which can lead to full compromise of enterprise or government networks.

    The issue was discovered by researchers at Searchlight Cyber while they were analyzing the attack surface of Oracle Cloud Login. They found that the same software stack behind that earlier large breach also contained this flaw.

    How It Happened

    The root cause is a misconfigured authentication filter: the web.xml wiring of the application's SecurityFilter exempts certain paths from authentication. The developers meant to let unauthenticated clients fetch WADL service descriptions, and expressed that exemption as a regular-expression whitelist matching URIs that end in .wadl. What they overlooked is how the Java servlet container and the JAX-RS router treat path (matrix) parameters, the ";name=value" segments that can follow any path component. The filter tests its regex against the raw request URI, so appending ;.wadl to a protected endpoint's path satisfies the whitelist; the router, however, strips path parameters before dispatching, so the very same request is delivered to the protected REST endpoint as if the suffix were never there. The check and the dispatch disagree about what the request is, and that disagreement gives access to restricted REST endpoints without credentials.
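    The mismatch described above, as an added example rather than Oracle's code or Searchlight Cyber's exploit. It models the SecurityFilter decision and the router's dispatch side by side; the whitelist regex, the /iam/governance base path and the full path of the groovyscriptstatus endpoint are assumptions chosen for illustration, not the real web.xml contents. The hardened variant applies the only fix that closes this class of bug in general: canonicalize the URI exactly as the router will before deciding whether it is exempt.

```python
"""Model of the CVE-2025-61757 authentication-filter bypass.

Added example; this is not Oracle's code. The whitelist regex, the base
path and the full endpoint path below are assumptions chosen to illustrate
the mechanism the advisory describes, not the real web.xml contents.
"""
import re

# Assumed web.xml-style rule: any request for a WADL description may pass
# the SecurityFilter without credentials.
WADL_WHITELIST = re.compile(r"^/iam/governance/.*\.wadl$")

# Assumed full path of the protected REST endpoint the page names.
PROTECTED = ("/iam/governance/applicationmanagement/api/v1"
             "/applications/groovyscriptstatus")


def strip_path_params(uri: str) -> str:
    """Drop ';...' path (matrix) parameters from every segment.

    This mirrors what the servlet container / JAX-RS router does before
    choosing a resource: '/a/b;.wadl' is dispatched as '/a/b'.
    """
    return "/".join(seg.split(";", 1)[0] for seg in uri.split("/"))


def vulnerable_filter_allows(raw_uri: str) -> bool:
    """Vulnerable check: the regex is applied to the raw request URI, so a
    ';.wadl' suffix satisfies it even though it is not part of the path the
    router will use."""
    return WADL_WHITELIST.match(raw_uri) is not None


def hardened_filter_allows(raw_uri: str) -> bool:
    """Hardened check: canonicalize the URI exactly as the router will
    (strip path parameters, collapse duplicate slashes) and match on that,
    so the exemption decision and the dispatch agree on the request."""
    canonical = re.sub(r"/+", "/", strip_path_params(raw_uri))
    return WADL_WHITELIST.match(canonical) is not None


def simulate(raw_uri: str, filter_allows) -> dict:
    """What an unauthenticated request to raw_uri reaches under a filter."""
    allowed = filter_allows(raw_uri)
    target = strip_path_params(raw_uri) if allowed else None
    return {
        "unauth_allowed": allowed,
        "dispatched_to": target,
        "hits_protected_endpoint": target == PROTECTED,
    }


if __name__ == "__main__":
    probe = PROTECTED + ";.wadl"
    print("vulnerable:", simulate(probe, vulnerable_filter_allows))
    print("hardened:  ", simulate(probe, hardened_filter_allows))
```

    Under the vulnerable filter the probe is both allowed and dispatched to the protected endpoint; under the hardened one it is refused because, once the path parameter is gone, nothing about the request looks like a WADL fetch. The same principle applies to every other "exempt path" rule: never match on a representation of the request that differs from the one the framework routes on.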

    Once the filter is bypassed, the attacker can reach endpoints such as groovyscriptstatus, which was intended only to syntax-check Groovy scripts. Syntax checking means compiling the script, and Groovy runs AST transformations during compilation: a script annotated with @ASTTest (groovy.transform.ASTTest) executes the annotation's closure at compile time, so the "check" itself runs attacker-supplied code without the script ever being executed in the normal sense. The result is arbitrary code execution on the server, effectively a remote shell, obtained by an unauthenticated client.

    This is what makes the flaw so dangerous: the attacker needs no credentials, only network access to the vulnerable application, and gets remote code execution in return. That profile is extremely attractive to ransomware groups and state-sponsored actors.

    If you run Oracle Identity Governance Suite 12c (version 12.2.1.4.0) or another affected release, apply Oracle's patch. Until that is done, remove the affected systems from direct internet exposure to avoid full compromise, and review access logs for requests to REST API paths that carry a ;.wadl suffix, since that string is the signature of the bypass described above.
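    A small log sweep for that signature, as an added example that is not part of the original page and not Oracle's tooling. It parses NCSA common-log-format lines and flags any request whose raw URI ends in .wadl only because of a ";" path parameter, i.e. whose effective path is not a WADL resource at all. The log lines are constructed for illustration and the endpoint paths are assumptions.

```python
"""Access-log sweep for ';' path-parameter abuse against WADL whitelists.

Added example, not from the page or from Oracle. The log lines are
constructed for illustration and the endpoint paths are assumptions; the
line format is Apache/NCSA common log format.
"""
import re
from typing import Dict, List

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample: one probe and one exploitation-style POST from the
# same source, a legitimate WADL fetch, and an ordinary (denied) API call.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Nov/2025:10:02:11 +0000] "GET /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl HTTP/1.1" 200 512
198.51.100.4 - - [21/Nov/2025:10:02:15 +0000] "GET /iam/governance/applicationmanagement/api/v1/application.wadl HTTP/1.1" 200 9012
203.0.113.7 - - [21/Nov/2025:10:02:20 +0000] "POST /iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl HTTP/1.1" 200 77
192.0.2.9 - - [21/Nov/2025:10:03:01 +0000] "GET /iam/governance/applicationmanagement/api/v1/applications HTTP/1.1" 401 0
"""


def effective_path(target: str) -> str:
    """Path the router dispatches on: query string and ';' params removed."""
    path = target.split("?", 1)[0]
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def is_wadl_spoof(target: str) -> bool:
    """True when a ';' parameter makes the raw URI end in '.wadl' while the
    effective path is something else (the CVE-2025-61757 pattern)."""
    path = target.split("?", 1)[0]
    return (path.endswith(".wadl") and ";" in path
            and not effective_path(target).endswith(".wadl"))


def scan(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per log line that shows the spoof pattern."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_wadl_spoof(m["target"]):
            continue
        findings.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "method": m["method"],
            "status": m["status"],
            "effective_path": effective_path(m["target"]),
        })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

    The legitimate application.wadl fetch and the ordinary 401 are not reported; the two requests from 203.0.113.7 are, with the endpoint they actually reached. A 2xx status on such a request against an unpatched host means the filter was bypassed and the endpoint answered, which should be treated as an incident rather than a scan. Matching on any ";" in an API path rather than on the .wadl suffix alone gives broader coverage at the cost of more noise.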