CVE-2020-2883 — Oracle WebLogic Server Unspecified Vulnerability

CVE-2020-2883

Oracle WebLogic Server — Unauthenticated RCE via IIOP/T3 Java Deserialization

What is Oracle WebLogic Server?

Oracle WebLogic Server is one of the most widely deployed enterprise Java EE application servers in the world, used by banks, governments, telecommunications companies, and large enterprises to run mission-critical business applications. As part of Oracle Fusion Middleware, WebLogic serves as the runtime for enterprise resource planning (ERP), banking systems, and custom Java applications at organizations that collectively process trillions of dollars in transactions. WebLogic's default listen ports (7001 for HTTP, 7002 for HTTPS), which also carry the T3 and IIOP protocols, are often internet-accessible in cloud and hosted deployments, making unauthenticated RCE vulnerabilities in WebLogic among the highest-impact findings in enterprise security.

Overview

CVE-2020-2883 is an unauthenticated remote code execution vulnerability in Oracle WebLogic Server exploitable via the IIOP (Internet Inter-ORB Protocol) or T3 protocols — Oracle's proprietary Java object communication channels. The vulnerability enables a remote attacker with no credentials and no prior access to execute arbitrary code on the WebLogic server by sending a specially crafted serialized Java object. It was patched in Oracle's April 2020 Critical Patch Update (CPU) but added to CISA's KEV catalog in January 2025, reflecting sustained exploitation of unpatched WebLogic servers.

Affected Versions

WebLogic Version   Vulnerable   Fixed (April 2020 CPU)
10.3.6.0.0         Yes          Patched
12.1.3.0.0         Yes          Patched
12.2.1.3.0         Yes          Patched
12.2.1.4.0         Yes          Patched
14.1.1.0.0         Yes          Patched

Technical Details

Oracle WebLogic Server's IIOP and T3 protocols are used for Java RMI (Remote Method Invocation) and enterprise bean communication. Both protocols accept serialized Java objects from the network. When WebLogic deserializes these objects, it processes them through Java's native deserialization mechanism without sufficient validation.

CVE-2020-2883 exploits this by sending a crafted serialized Java object over IIOP (port 7001 by default) or T3 to trigger a gadget chain — a sequence of Java class instantiations and method calls, assembled from classes already present on the server's classpath, that ultimately executes arbitrary OS commands. It belongs to the classic Java deserialization RCE class; Oracle had previously patched related vulnerabilities (CVE-2020-2551, CVE-2019-2729), and this CVE represents a bypass of those earlier fixes.

No credentials are required. An attacker with TCP connectivity to port 7001 can achieve full server compromise.

Discovery

CVE-2020-2883 was discovered by security researchers and reported to Oracle as part of the April 2020 CPU cycle. Oracle does not publicly credit individual reporters for CPU findings. The vulnerability represents a new gadget chain for WebLogic deserialization that bypassed Oracle's previous IIOP/T3 mitigations.

Exploitation Context

Oracle WebLogic deserialization vulnerabilities have been among the most consistently exploited CVEs in enterprise environments since 2019. CVE-2020-2883 specifically has been exploited by:

  • Cryptomining operators: XMRig and other miners deployed at scale by automated scanning tools targeting port 7001
  • Ransomware groups: Initial access brokers sold WebLogic footholds for ransomware deployment
  • Chinese APT actors: WebLogic RCE chains have been part of APT41 and related groups' initial access toolkit

CISA's late addition to KEV (January 2025 — nearly five years after the patch) indicates that unpatched WebLogic servers remained in production at scale and were actively targeted through the mid-2020s.

Remediation

  1. Apply the April 2020 CPU patch: Apply Oracle's April 2020 Critical Patch Update for the specific WebLogic version in use.
  2. Disable IIOP and T3 if not required: In the WebLogic admin console, disable the IIOP protocol and restrict T3 access to known application servers only. Most modern WebLogic deployments using HTTP/HTTPS do not require IIOP.
  3. Firewall port 7001: Restrict port 7001 (and 7002) to known application clients — block inbound access from the internet.
  4. Apply all subsequent CPUs: Oracle releases quarterly CPUs; apply each one promptly — WebLogic deserialization vulnerabilities appear regularly.
  5. WebLogic firewall rules: Configure WebLogic's connection filter (weblogic.security.net.ConnectionFilter) to whitelist allowed source IPs for T3/IIOP connections.
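To make step 5 concrete, here is an added example (not Oracle's code or documentation): a small Python evaluator for the ConnectionFilterImpl rule grammar, run over a constructed rule set that permits T3/IIOP only from an assumed internal subnet 10.20.0.0/16 while leaving HTTP(S) open and denying everything else. The rule grammar, the protocol names and the fail-closed handling of unmatched connections are assumptions recalled from Oracle's documentation; confirm them against the docs for the release in use.

```python
"""WebLogic-style connection filter rule evaluator (added example, not Oracle code).

Assumed rule grammar, as documented for weblogic.security.net.ConnectionFilterImpl:
    target localAddress localPort action [protocols...]
target is an IP or CIDR/netmask ('*' = any; hostnames are not handled here), the
first matching rule wins, and an omitted protocol list means all protocols. A
no-match is treated as deny, so the sample rules end with an explicit catch-all.
"""
import ipaddress
from dataclasses import dataclass

ALL_PROTOCOLS = {"http", "https", "t3", "t3s", "ldap", "ldaps", "iiop", "iiops", "com"}

@dataclass(frozen=True)
class Conn:
    remote: str      # client IP
    local: str       # WebLogic listen address
    local_port: int
    protocol: str

def parse_rule(line):
    target, local, port, action, *protos = line.split()
    net = None if target == "*" else ipaddress.ip_network(target, strict=False)
    return (net, local, port, action.lower(), {p.lower() for p in protos} or ALL_PROTOCOLS)

def rule_matches(rule, conn):
    net, local, port, _action, protos = rule
    if net is not None and ipaddress.ip_address(conn.remote) not in net:
        return False
    if local != "*" and local != conn.local:
        return False
    if port != "*" and int(port) != conn.local_port:
        return False
    return conn.protocol.lower() in protos

def decide(rules, conn):
    """Return 'allow' or 'deny' for conn; the first matching rule wins."""
    for rule in rules:
        if rule_matches(rule, conn):
            return rule[3]
    return "deny"  # assumption: fail closed when nothing matches

# Constructed rule set: T3/IIOP only from the app-tier subnet, HTTP(S) from
# anywhere, everything else denied.  Order matters: put the deny-all first and
# it swallows the internal T3 traffic too.
SAMPLE_RULES = [parse_rule(r) for r in (
    "10.20.0.0/16 * * allow t3 t3s iiop iiops",
    "0.0.0.0/0 * * allow http https",
    "0.0.0.0/0 * * deny",
)]
```

The same three lines, entered in the admin console's Connection Filter Rules field, express the intent of steps 2 and 3 inside WebLogic itself; the network firewall in step 3 remains the outer layer.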

Key Details

Property               Value
CVE ID                 CVE-2020-2883
Vendor / Product       Oracle — WebLogic Server
NVD Published          2020-04-15
NVD Last Modified      2025-10-27
CVSS 3.1 Score         9.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity               CRITICAL
CISA KEV Added         2025-01-07
CISA KEV Deadline      2025-01-28
Known Ransomware Use   No

CVSS 3.1 Breakdown

Metric                Value
Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2025-01-28. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2020-04-15   Oracle patches CVE-2020-2883 in the April 2020 Critical Patch Update
2025-01-07   Added to the CISA Known Exploited Vulnerabilities catalog
2025-01-28   CISA BOD 22-01 remediation deadline

References

Resource                                     Type
Oracle Critical Patch Update — April 2020    Vendor Advisory
NVD — CVE-2020-2883                          Vulnerability Database
CISA KEV Catalog Entry                       US Government