Cyber Resilience

CVE-2020-2555

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 15 January 2020
Modified: 27 October 2025
KEV Added: 03 November 2021
Patch: Oracle Critical Patch Update, January 2020
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9314 (99.8th percentile)
Risk Priority: 95 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-2555 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Oracle Coherence, the in-memory data grid component of Oracle Fusion Middleware, which is also bundled with a number of other Oracle products (see Affected Assets below). Its CVSS 3.1 base score is 9.8 (Critical).

Operationally, it ranks in the top 0.2% of all CVEs by EPSS exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and public proof-of-concept exploit code is referenced.

The strongest compensating controls this analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation); the actual fix is Oracle's January 2020 Critical Patch Update.

Deeper analysis

CVE-2020-2555 is a deserialization vulnerability (CWE-502) in the Caching, CacheStore, and Invocation components of Oracle Coherence within Oracle Fusion Middleware. It affects supported versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, and 12.2.1.4.0. The flaw is remotely exploitable without authentication and carries a CVSS 3.1 base score of 9.8, reflecting full impacts to confidentiality, integrity, and availability.

An unauthenticated attacker who can reach the T3 listener over the network (T3 is WebLogic's proprietary RMI transport, which Coherence uses when deployed within Fusion Middleware) can send a crafted serialized object and fully take over the Oracle Coherence instance. Public exploit code demonstrating remote code execution against the affected product has been published on PacketStorm.
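Because the exploit path is "network access via T3", the first triage question for each Oracle host is whether its T3 listener is reachable at all. The following is an added example (not from this advisory and not Oracle tooling) that sends the plain-text T3 handshake a WebLogic / Fusion Middleware listener answers with a HELO banner, parses the banner, and compares the reported release against the Coherence versions the advisory lists. The host and port are supplied by the caller; 7001 is only WebLogic's default, and the sample banner in the docstring is constructed for the offline check.

```python
"""T3 exposure check for CVE-2020-2555 triage.

Added example, not part of the advisory or of Oracle's own tooling. It sends the
plain-text T3 handshake that a WebLogic / Fusion Middleware listener answers
with a "HELO:<version>" banner, parses that banner, and compares the reported
version against the Coherence versions the advisory lists. Host and port are
supplied by the caller; 7001 is only WebLogic's default listen port.
"""
import socket
import sys
from typing import Optional

# Client greeting: protocol/version line, then key:value headers, then a blank
# line. "12.2.1" is the protocol version the client claims, not a target check.
T3_HELLO = b"t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n"

# Versions named in the advisory as affected.
ADVISORY_AFFECTED = {"3.7.1.0", "12.1.3.0.0", "12.2.1.3.0", "12.2.1.4.0"}


def parse_t3_banner(data: bytes) -> Optional[dict]:
    """Parse a T3 server reply. Returns None when the reply is not a T3 HELO.

    A reply looks like b"HELO:12.2.1.4.0.false\\nAS:2048\\nHL:19\\n\\n"
    (constructed sample). The dotted token after "HELO:" is the server
    version followed by a true/false flag; only the numeric part is kept.
    """
    text = data.decode("latin-1")
    lines = text.split("\n")
    if not lines[0].startswith("HELO:"):
        return None
    token = lines[0][len("HELO:"):].strip()
    version_parts = [p for p in token.split(".") if p.isdigit()]
    if not version_parts:
        return None
    headers = {}
    for line in lines[1:]:
        if not line.strip():          # blank line terminates the header block
            break
        key, sep, value = line.partition(":")
        if sep:
            headers[key.strip()] = value.strip()
    return {"version": ".".join(version_parts), "helo": token, "headers": headers}


def is_listed_affected(version: str) -> bool:
    """True if the banner version is one the advisory lists.

    Caveat: the banner carries the release version, not the CPU patch level,
    so a match means "in scope, verify the January 2020 CPU is applied",
    not "vulnerable".
    """
    return version in ADVISORY_AFFECTED


def probe_t3(host: str, port: int = 7001, timeout: float = 5.0) -> Optional[dict]:
    """Connect, send the handshake, and return the parsed banner (or None)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(T3_HELLO)
        data = b""
        while b"\n\n" not in data and len(data) < 4096:
            chunk = sock.recv(1024)
            if not chunk:
                break
            data += chunk
    return parse_t3_banner(data)


def main(argv: list) -> int:
    if len(argv) < 2:
        print(f"usage: {argv[0]} HOST [PORT]", file=sys.stderr)
        return 2
    host = argv[1]
    port = int(argv[2]) if len(argv) > 2 else 7001
    try:
        banner = probe_t3(host, port)
    except OSError as exc:            # refused, filtered, or timed out
        print(f"{host}:{port} connection failed: {exc}")
        return 1
    if banner is None:
        print(f"{host}:{port} did not answer the T3 handshake (filtered or not T3)")
        return 0
    verdict = ("listed as affected, check patch level"
               if is_listed_affected(banner["version"]) else "not in advisory list")
    print(f"{host}:{port} T3 exposed, version {banner['version']} ({verdict})")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python t3_check.py host 7001` against inventory hosts. A HELO reply from an address outside the trusted management network is the finding that matters here regardless of version: it is the unauthenticated network path the CVE needs. A missing reply does not prove the listener is absent (a connection filter may be silently dropping the probe), and a non-listed version does not prove safety, since the banner does not show whether the January 2020 CPU was applied.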

Oracle addressed the vulnerability in its January 2020 Critical Patch Update; the January 2021 Critical Patch Update advisory also references it.

EU & UK References

Vulnerability details

Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Caching, CacheStore, Invocation). Supported versions that are affected are 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle Coherence. Successful attacks of this vulnerability can result in takeover of Oracle Coherence. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

CWE(s): CWE-502 Deserialization of Untrusted Data

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

All listed products are from Oracle; the non-Coherence entries are products that bundle the affected Coherence component.

Access Manager: 11.1.2.3.0
Coherence: 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
Commerce Platform: 11.0.0, 11.1.0, 11.2.0, 11.3.0 to 11.3.2
Communications Diameter Signaling Router: 8.0.0 to 8.2.2
Healthcare Data Repository: 7.0.1
Rapid Planning: 12.1, 12.2
Retail Assortment Planning: 15.0, 16.0
Utilities Framework: 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0 to 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0
WebCenter Portal: 12.2.1.3.0, 12.2.1.4.0

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)

Requires validation of all input, including serialized objects received over T3, so that malicious deserialization payloads are rejected before they are processed. For Java deserialization this has to happen at the stream level, for example with a JDK serialization filter (the jdk.serialFilter property, JEP 290) that allow-lists the classes the application expects; validating the object after readObject() returns is too late, because a gadget chain executes during deserialization itself.

AC-3 Access Enforcement (prevent)

Enforces approved authorizations for access to Oracle Coherence, removing the unauthenticated network path the CVE exploits: restrict T3/T3S to trusted sources with WebLogic connection filters or network ACLs, and never expose the listener to the internet.

SI-2 Flaw Remediation (prevent)

Requires timely application of the vendor patch, Oracle's January 2020 Critical Patch Update, which remediates the deserialization flaw in the Caching/CacheStore/Invocation components. The two controls above reduce exposure but do not remove the flaw.
