CVE-2020-2883
Published: 15 April 2020
Summary
CVE-2020-2883 is a critical-severity vulnerability (weakness type unspecified) in Oracle WebLogic Server. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2020-2883 is a vulnerability in the Core component of Oracle WebLogic Server within Oracle Fusion Middleware. It affects supported versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, and 12.2.1.4.0. The flaw is reachable over the network through IIOP or T3 protocols and carries a CVSS 3.1 base score of 9.8 with full impacts to confidentiality, integrity, and availability.
An unauthenticated attacker with network access can exploit the issue to achieve remote takeover of the WebLogic Server instance. No user interaction or credentials are required, making the attack surface broad for any exposed server.
Oracle's April 2020 Critical Patch Update addresses the vulnerability, and separate Zero Day Initiative advisories (ZDI-20-504 and ZDI-20-570) provide additional technical detail on the flaw. Public exploit artifacts referencing deserialization remote code execution have also been posted to Packet Storm.
The combination of an unauthenticated network vector, critical severity, and readily available proof-of-concept material indicates the issue is of immediate concern for organizations running the listed WebLogic versions.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-22676
Vulnerability details
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP, T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
- CWE(s): unspecified
- KEV Date Added: 07 January 2025
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely application of patches to remediate known flaws, here the April 2020 CPU that fixes the CVE-2020-2883 deserialization RCE.
- SC-7 (Boundary Protection): enforces boundary protection and network filtering so that unauthenticated IIOP/T3 traffic cannot reach exposed WebLogic instances.
- Least functionality: limits enabled protocols and services so that unnecessary T3/IIOP listeners can be disabled, shrinking the attack surface for this unauthenticated RCE.
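The controls above reduce to two questions a defender can answer from a domain's `config.xml`: is the domain on one of the four affected versions, and which servers still expose T3 or IIOP listeners without a connection filter in front of them? The script below is an added example (not from the original page or from Oracle) that answers both over two constructed configurations, one exposed and one hardened. It assumes the usual WebLogic `config.xml` element names (`domain-version`, `iiop-enabled`, `network-access-point/protocol`, `security-configuration/connection-filter`) and assumes that a server's default listen port always accepts T3; the connection-filter rule strings in the hardened sample follow the documented `target localAddress localPort action protocols` form but are constructed for the demonstration.

```python
"""Audit a WebLogic domain config.xml for CVE-2020-2883 exposure indicators.

Added example, not taken from the original page or from Oracle. Element
names are assumed to follow the usual WebLogic config.xml schema; both
sample documents are constructed.
"""
import xml.etree.ElementTree as ET

NS = {"d": "http://xmlns.oracle.com/weblogic/domain"}
# Versions the advisory lists as affected.
AFFECTED_VERSIONS = {"10.3.6.0.0", "12.1.3.0.0", "12.2.1.3.0", "12.2.1.4.0"}
# Protocols the advisory names as the network vector.
RISKY_PROTOCOLS = {"t3", "t3s", "iiop", "iiops"}

# Constructed: affected version, IIOP enabled on one server, extra T3 channel, no filter.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>base_domain</name>
  <domain-version>12.2.1.4.0</domain-version>
  <server>
    <name>AdminServer</name>
    <listen-port>7001</listen-port>
    <iiop-enabled>false</iiop-enabled>
  </server>
  <server>
    <name>ManagedServer1</name>
    <listen-port>7003</listen-port>
    <iiop-enabled>true</iiop-enabled>
    <network-access-point>
      <name>ExternalT3</name>
      <protocol>t3</protocol>
      <listen-port>7100</listen-port>
    </network-access-point>
  </server>
</domain>
"""

# Constructed: unaffected version plus a connection filter; rules are evaluated
# in order, so the management-subnet allow precedes the catch-all deny (assumed syntax).
HARDENED_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>base_domain</name>
  <domain-version>14.1.1.0.0</domain-version>
  <security-configuration>
    <connection-filter>weblogic.security.net.ConnectionFilterImpl</connection-filter>
    <connection-filter-rule>10.0.0.0/255.0.0.0 * * allow t3 t3s</connection-filter-rule>
    <connection-filter-rule>0.0.0.0/0 * * deny t3 t3s iiop iiops</connection-filter-rule>
  </security-configuration>
  <server>
    <name>AdminServer</name>
    <listen-port>7001</listen-port>
    <iiop-enabled>false</iiop-enabled>
  </server>
</domain>
"""


def _text(elem, tag, default=""):
    """Text of a namespaced child element, or default when absent."""
    child = elem.find(f"d:{tag}", NS)
    return child.text.strip() if child is not None and child.text else default


def audit_config(xml_text):
    """Collect domain version, connection filter, and per-server risky protocols."""
    root = ET.fromstring(xml_text)
    version = _text(root, "domain-version")
    sec = root.find("d:security-configuration", NS)
    conn_filter = _text(sec, "connection-filter") if sec is not None else ""
    servers = []
    for server in root.findall("d:server", NS):
        protocols = {"t3"}  # assumption: the default channel always speaks T3
        if _text(server, "iiop-enabled", "false").lower() == "true":
            protocols.add("iiop")
        for nap in server.findall("d:network-access-point", NS):
            proto = _text(nap, "protocol").lower()
            if proto in RISKY_PROTOCOLS:
                protocols.add(proto)
        servers.append({"server": _text(server, "name"), "protocols": sorted(protocols)})
    return {
        "domain_version": version,
        "version_affected": version in AFFECTED_VERSIONS,
        "connection_filter": conn_filter or None,
        "servers": servers,
    }


def assess(report):
    """Patching (SI-2) is required whenever the version is affected; a connection
    filter (SC-7) is only a compensating control, so it clears the exposure list
    but never the patch requirement."""
    has_filter = report["connection_filter"] is not None
    exposed = []
    if report["version_affected"] and not has_filter:
        exposed = [s["server"] for s in report["servers"] if s["protocols"]]
    return {"patch_required": report["version_affected"],
            "compensating_filter": has_filter,
            "exposed_servers": exposed}


if __name__ == "__main__":
    for label, cfg in (("exposed", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, assess(audit_config(cfg)))
```

On the exposed sample the script flags both servers because the domain version is affected and nothing filters T3/IIOP, and it singles out ManagedServer1 as also listening on IIOP; on the hardened sample it reports no patch requirement and records the filter. Run it against a real domain by passing the file contents to `audit_config`; treat the result as a triage aid, since a connection filter limits who can reach the listener but does not remove the deserialization flaw.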