Searchlight Cyber today released a blog detailing CVE-2025-61757, a vulnerability they reported to Oracle. Oracle released a patch for the vulnerability as part of its October Critical Patch Update, which was released on October 21st.

Based on Searchlight Cyber's blog, the issue is pretty trivial to exploit: All URLs that end in ".wadl" are exempt from authentication. Adding just ".wadl" to a URL would not work, as this would point to a different, non-existent file. Searchlight Cyber's blog shows that adding ";.wadl" is the solution to access arbitrary URLs. They offer the following PoC:

/iam/governance/applicationmanagement/templates;.wadl

and show how it can lead to remote code execution.

Seeing this PoC, I went over our logs to look for possible uses of this pattern and found one:

/iam/governance/applicationmanagement/api/v1/applications/groovyscriptstatus;.wadl

This URL was accessed several times between August 30th and September 9th this year, well before Oracle patched the issue. There are several different IP addresses scanning for it, but they all use the same user agent, which suggests that we may be dealing with a single attacker.

Attacker IP Addresses:

89.238.132.76
185.245.82.81
138.199.29.153

The User Agent: 

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36

Sadly, we did not capture the bodies for these requests, but they were all POST requests. The content-length header indicated a 556-byte payload.

The participating IP addresses also scanned for these notable URLs/Vulnerabilities:

/o/portal-settings-authentication-opensso-web/com.liferay.portal.settings.web/test_opensso.jsp (CVE-2025-4581)

as well as some scans that appear to be bug bounties and URLs that attempt to exploit Log4j.

--
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|