U.S. federal agencies must patch a critical Oracle Identity Manager flaw by Dec. 12 after it was found actively exploited.
CISA has ordered U.S. federal agencies to patch a critical, actively exploited vulnerability in Oracle Identity Manager (CVE-2025-61757) by December 12, adding it to its Known Exploited Vulnerabilities catalog.
The flaw, which allows unauthenticated remote code execution via a single HTTP request, was confirmed to be under active attack as early as August, with researchers calling the exploit "trivial."
Oracle issued a fix on October 21, but did not disclose evidence of exploitation at the time.
The vulnerability affects specific versions of Oracle Fusion Middleware and poses a severe risk due to its high CVSS score of 9.8.
CISA urges agencies to apply the October 21 patch or isolate affected systems from public networks.