CVE-2019-2725
Published: 26 April 2019
Summary
CVE-2019-2725 is a critical-severity Injection (CWE-74) vulnerability in Oracle Vm Virtualbox. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2019-2725 is a vulnerability in the Web Services subcomponent of Oracle WebLogic Server within Oracle Fusion Middleware. It affects supported versions 10.3.6.0.0 and 12.1.3.0.0. The flaw is remotely exploitable over HTTP and carries a CVSS 3.0 base score of 9.8, reflecting high impacts to confidentiality, integrity, and availability; it is also associated with CWE-74.
An unauthenticated attacker with network access can exploit the issue to fully compromise and take over an affected Oracle WebLogic Server instance. Successful exploitation requires no user interaction or credentials and can be carried out directly via crafted HTTP requests.
Oracle has published security advisories, including an alert specific to CVE-2019-2725 and the July 2019 Critical Patch Update, that address the vulnerability. Additional vendor guidance, such as the F5 knowledge article, discusses related mitigation considerations for affected environments.
Public exploit code demonstrating remote code execution against the server has been made available, confirming practical attack feasibility shortly after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-12364
Vulnerability details
Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0.0 and 12.1.3.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful…
more
attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
- CWE(s)
- KEV Date Added
- 10 January 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires timely application of the Oracle July 2019 Critical Patch Update that eliminates the unauthenticated remote code execution flaw in WebLogic Web Services.
Enforces validation of HTTP input to Web Services, blocking the crafted requests that exploit CWE-74 injection to achieve server takeover.
Boundary-protection mechanisms (e.g., WAF rules or network ACLs) can restrict or inspect the unauthenticated HTTP traffic used to reach the vulnerable WebLogic endpoint.