Cyber Resilience

CVE-2019-2725

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 26 April 2019
Modified: 27 October 2025
KEV Added: 10 January 2022
Patch
CVSS Score (v3.1): 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.9447 (100.0th percentile)
Risk Priority: 96 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2019-2725 is a critical-severity Injection (CWE-74) vulnerability in Oracle VM VirtualBox. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2019-2725 is a vulnerability in the Web Services subcomponent of Oracle WebLogic Server within Oracle Fusion Middleware. It affects supported versions 10.3.6.0.0 and 12.1.3.0.0. The flaw is remotely exploitable over HTTP and carries a CVSS 3.0 base score of 9.8, reflecting high impacts to confidentiality, integrity, and availability; it is also associated with CWE-74.

An unauthenticated attacker with network access can exploit the issue to fully compromise and take over an affected Oracle WebLogic Server instance. Successful exploitation requires no user interaction or credentials and can be carried out directly via crafted HTTP requests.

Oracle has published security advisories, including an alert specific to CVE-2019-2725 and the July 2019 Critical Patch Update, that address the vulnerability. Additional vendor guidance, such as the F5 knowledge article, discusses related mitigation considerations for affected environments.

Public exploit code demonstrating remote code execution against the server has been made available, confirming practical attack feasibility shortly after disclosure.

EU & UK References

Vulnerability details

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0.0 and 12.1.3.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

CWE(s): CWE-74 (Injection)
KEV Date Added: 10 January 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor | Product | Versions
oracle | agile plm | 9.3.3, 9.3.4, 9.3.5
oracle | communications converged application server | 5.1, 7.0, 7.1
oracle | peoplesoft enterprise peopletools | 8.56, 8.57, 8.58
oracle | storagetek tape analytics sw tool | 2.3
oracle | tape library acsls | 8.5
oracle | tape virtual storage manager gui | 6.2
oracle | vm virtualbox | ≤ 5.2.36, 6.0.0 through 6.0.16, 6.1.0 through 6.1.2
oracle | weblogic server | 10.3.6.0.0, 12.1.3.0.0

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Directly requires timely application of the Oracle July 2019 Critical Patch Update that eliminates the unauthenticated remote code execution flaw in WebLogic Web Services.

SI-10 Information Input Validation (prevent): Enforces validation of HTTP input to Web Services, blocking the crafted requests that exploit CWE-74 injection to achieve server takeover.

Boundary protection (prevent): Boundary-protection mechanisms (e.g., WAF rules or network ACLs) can restrict or inspect the unauthenticated HTTP traffic used to reach the vulnerable WebLogic endpoint.

References