
CVE-2020-14644

Critical · CISA KEV · Active Exploitation · EUVD Exploited

Published: 15 July 2020
Modified: 27 October 2025
KEV Added: 18 September 2024
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9364 (99.9th percentile)
Risk Priority: 96 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-14644 is a critical-severity vulnerability of unspecified weakness type in Oracle WebLogic Server. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2020-14644 is a vulnerability in the Core component of Oracle WebLogic Server within Oracle Fusion Middleware. It affects supported versions 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0. The flaw is remotely exploitable over the network and carries a CVSS 3.1 base score of 9.8, with high impact to confidentiality, integrity, and availability.

An unauthenticated attacker with network access via the IIOP or T3 protocols can exploit the issue to achieve complete takeover of the Oracle WebLogic Server instance. No user interaction or credentials are required, and the attack complexity is rated low.

The Oracle July 2020 Critical Patch Update addresses the vulnerability. The issue also appears in CISA's catalog of Known Exploited Vulnerabilities, which confirms that exploitation has been observed in the wild.

EU & UK References

Vulnerability details

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP, T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

CWE(s)
KEV Date Added: 18 September 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: oracle
Product: weblogic server
Versions: 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0

Mitigating Controls (NIST 800-53 r5)

prevent (SI-2, Flaw Remediation): Directly requires timely application of the July 2020 Critical Patch Update that Oracle issued to eliminate the unauthenticated IIOP/T3 deserialization flaw.

prevent (SC-7, Boundary Protection): Enforces boundary protection that can deny or restrict inbound IIOP and T3 traffic from untrusted networks, blocking the remote unauthenticated attack vector before exploitation.

prevent: Requires the system to enforce access-control decisions on all subjects, preventing the unauthenticated attacker from reaching the Core component that allows full server takeover.

References