Cyber Resilience

CVE-2023-21839

HighCISA KEVActive ExploitationEUVD ExploitedPublic PoCRCE

Published: 18 January 2023

Published
18 January 2023
Modified
27 October 2025
KEV Added
01 May 2023
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.9417 99.9th percentile
Risk Priority 92 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-21839 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Oracle Weblogic Server. Its CVSS base score is 7.5 (High).

Operationally, ranked in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

CVE-2023-21839 is a vulnerability in the Core component of Oracle WebLogic Server within Oracle Fusion Middleware. It affects supported versions 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0. The flaw is associated with CWE-502 and CWE-306 and carries a CVSS 3.1 base score of 7.5, reflecting an easily exploitable network vector that impacts confidentiality.

An unauthenticated attacker with network access via the T3 or IIOP protocols can exploit the issue to obtain unauthorized access to critical data or complete access to all Oracle WebLogic Server-accessible data. No authentication or user interaction is required, enabling remote compromise of the confidentiality of server data.

Oracle's January 2023 Critical Patch Update addresses the vulnerability, and the flaw appears in CISA's Known Exploited Vulnerabilities catalog. Public exploit code demonstrating pre-authentication remote command execution has also been published.

The associated EPSS score remains consistently high, with a current value of 0.9417 and a recorded peak of 0.9621.

EU & UK References

Vulnerability details

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server.…

more

Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

CWE(s)
KEV Date Added
01 May 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

oracle
weblogic server
12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces approved authorizations to block unauthenticated T3/IIOP access that leads to data disclosure.

prevent

Requires identification and authentication of users before granting access to WebLogic Server resources over the network.

prevent

Mandates timely application of the vendor patch that eliminates the deserialization/authentication flaw.

References