Cyber Resilience

CVE-2020-2551

CriticalCISA KEVActive ExploitationEUVD Exploited

Published: 15 January 2020

Published
15 January 2020
Modified
27 October 2025
KEV Added
16 November 2023
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.9441 100.0th percentile
Risk Priority 96 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2020-2551 is a critical-severity an unspecified weakness vulnerability in Oracle Weblogic Server. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2020-2551 is a vulnerability in the WLS Core Components of Oracle WebLogic Server within Oracle Fusion Middleware. It affects supported versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, and 12.2.1.4.0. The flaw is rated with a CVSS 3.0 base score of 9.8 and carries impacts to confidentiality, integrity, and availability.

An unauthenticated attacker with network access via IIOP can easily exploit the issue to compromise the server, resulting in full takeover of the Oracle WebLogic Server instance. No user interaction or authentication is required for successful exploitation.

The vulnerability is addressed in the Oracle Critical Patch Update for January 2020, available at the referenced Oracle security advisory. It is also listed in the CISA Known Exploited Vulnerabilities catalog, confirming observed real-world exploitation activity.

EU & UK References

Vulnerability details

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: WLS Core Components). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP to compromise Oracle…

more

WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

CWE(s)
KEV Date Added
16 November 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

oracle
weblogic server
10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely installation of the January 2020 Critical Patch Update that remediates the unauthenticated IIOP deserialization flaw in WLS Core.

prevent

Enforces boundary protection that can deny or restrict unauthenticated IIOP traffic from reaching WebLogic before the vulnerability can be exploited.

prevent

Requires the system to enforce authentication and authorization decisions on all inbound IIOP requests, blocking the unauthenticated attacker path described in the CVE.

References