
CISA adds vulnerability CVE-2025-61757 to known exploited vulnerabilities catalog

CISA has expanded its Known Exploited Vulnerabilities (KEV) Catalog to include a vulnerability affecting Oracle Fusion Middleware that lacks proper authentication controls, enabling unauthorized access to critical functions.

The vulnerability, identified as CVE-2025-61757, affects Oracle Fusion Middleware components and stems from a missing authentication mechanism. This flaw allows exploitation through unauthenticated requests to sensitive functions. The advisory lists this specific vulnerability as a new entry in the catalog of actively exploited CVEs.

Exploitation of this vulnerability may permit malicious actors to perform critical operations without authorization, posing a risk to affected systems.

Mitigation requirements follow Binding Operational Directive (BOD) 22-01, which requires federal agencies to remediate vulnerabilities listed in the KEV Catalog by their due dates. The advisory notes that remediation resources are available to support this process.

CISA recommends that all organizations, beyond federal agencies, prioritize addressing vulnerabilities cataloged within the KEV to reduce exposure to active threats. The agency will continue updating the catalog based on established criteria reflecting known exploitation activity.
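As an added example (not part of the CISA advisory), the following script shows how a defender can check an asset inventory against the KEV catalog's JSON feed and flag entries whose BOD 22-01 due date has passed. The KEV record below is a constructed sample in the feed's shape; its dates and requiredAction text are placeholders, not the real catalog entry, and the inventory tuple is assumed.

```python
import json
from datetime import date

# Constructed sample shaped like CISA's KEV JSON feed (the real feed is published at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# dateAdded, dueDate and requiredAction below are placeholders, not the real entry.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-61757", "vendorProject": "Oracle", "product": "Fusion Middleware",
     "vulnerabilityName": "Oracle Fusion Middleware Missing Authentication Vulnerability",
     "dateAdded": "2025-01-01", "dueDate": "2025-01-22",
     "requiredAction": "PLACEHOLDER: apply mitigations per vendor instructions."},
    {"cveID": "CVE-2000-0001", "vendorProject": "ExampleCo", "product": "Widget",
     "vulnerabilityName": "Placeholder entry for a product not in inventory",
     "dateAdded": "2025-01-01", "dueDate": "2025-01-22",
     "requiredAction": "PLACEHOLDER: apply updates."},
]})

# Assumed asset inventory: (vendorProject, product) pairs deployed in the environment.
INVENTORY = {("Oracle", "Fusion Middleware")}


def load_kev(feed_json):
    """Index the KEV feed by CVE ID so lookups are O(1)."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def kev_status(kev, cve_id, inventory, today_iso):
    """Classify one CVE: not_in_kev, not_in_inventory, open (days left) or overdue."""
    entry = kev.get(cve_id)
    if entry is None:
        return ("not_in_kev", None)
    if (entry["vendorProject"], entry["product"]) not in inventory:
        return ("not_in_inventory", None)
    days_left = (date.fromisoformat(entry["dueDate"]) - date.fromisoformat(today_iso)).days
    return ("overdue" if days_left < 0 else "open", days_left)


def overdue_report(kev, inventory, today_iso):
    """All KEV entries matching the inventory whose BOD 22-01 due date has passed."""
    today = date.fromisoformat(today_iso)
    return sorted(cve for cve, e in kev.items()
                  if (e["vendorProject"], e["product"]) in inventory
                  and date.fromisoformat(e["dueDate"]) < today)


KEV = load_kev(KEV_SAMPLE)

if __name__ == "__main__":
    print(kev_status(KEV, "CVE-2025-61757", INVENTORY, "2025-01-30"))
    print(overdue_report(KEV, INVENTORY, "2025-01-30"))
```

Pointing `load_kev` at the downloaded feed and replacing `INVENTORY` with real asset data turns this into a daily compliance check.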