Cyber Resilience

CVE-2018-2628

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 19 April 2018
Modified: 27 October 2025
KEV Added: 08 September 2022
CVSS Score: v3.1 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9442 (100.0th percentile)
Risk Priority: 96 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2018-2628 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Oracle WebLogic Server. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 0.0% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2018-2628 is a deserialization vulnerability in the WLS Core Components subcomponent of Oracle WebLogic Server within Oracle Fusion Middleware. It affects supported versions 10.3.6.0, 12.1.3.0, 12.2.1.2, and 12.2.1.3, and carries a CVSS 3.0 base score of 9.8 with full impacts to confidentiality, integrity, and availability.

An unauthenticated attacker with network access via the T3 protocol can exploit the flaw to achieve remote takeover of the Oracle WebLogic Server instance. The attack requires no user interaction and is rated as easily exploitable under the supplied CVSS vector.

The primary advisory reference is Oracle's April 2018 Critical Patch Update, which addresses the issue along with other Fusion Middleware vulnerabilities; additional references include SecurityFocus and SecurityTracker entries that point to the same Oracle remediation guidance.

Public exploit code for the issue is available on GitHub and Exploit-DB, indicating that proof-of-concept implementations have been shared since disclosure.

Vulnerability details

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

CWE(s): CWE-502 (Deserialization of Untrusted Data)
KEV Date Added: 08 September 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: Oracle
Product: WebLogic Server
Versions: 10.3.6.0.0, 12.1.3.0.0, 12.2.1.2.0, 12.2.1.3

Mitigating Controls (NIST 800-53 r5)

SI-10 (Information Input Validation), prevent: Directly blocks unauthenticated deserialization of attacker-supplied objects over T3 by validating all input before object reconstruction.

AC-3 (Access Enforcement), prevent: Enforces authentication and authorization checks on the T3 listener so that unauthenticated network requests cannot reach the vulnerable deserialization code path.

Prevent: Requires prompt application of the April 2018 Critical Patch Update that removes the deserialization flaw from affected WebLogic versions.