What is Oracle WebLogic Server?
Oracle WebLogic Server is one of the most widely deployed enterprise Java EE application servers in the world, used by banks, governments, telecommunications companies, and large enterprises to run mission-critical business applications. As part of Oracle Fusion Middleware, WebLogic serves as the runtime for enterprise resource planning (ERP), banking systems, and custom Java applications at organizations that collectively process trillions of dollars in transactions. WebLogic's default listen ports (7001 for HTTP, 7002 for HTTPS) are often internet-accessible in cloud and hosted deployments, making unauthenticated RCE vulnerabilities in WebLogic among the highest-impact findings in enterprise security.
Overview
CVE-2020-2883 is an unauthenticated remote code execution vulnerability in Oracle WebLogic Server exploitable via the IIOP (Internet Inter-ORB Protocol) or T3 protocols — Oracle's proprietary Java object communication channels. The vulnerability enables a remote attacker with no credentials and no prior access to execute arbitrary code on the WebLogic server by sending a specially crafted serialized Java object. It was patched in Oracle's April 2020 Critical Patch Update (CPU) but added to CISA's KEV catalog in January 2025, reflecting sustained exploitation of unpatched WebLogic servers.
Affected Versions
| WebLogic Version | Vulnerable | Fixed (April 2020 CPU) |
|---|---|---|
| 10.3.6.0.0 | Yes | Patched |
| 12.1.3.0.0 | Yes | Patched |
| 12.2.1.3.0 | Yes | Patched |
| 12.2.1.4.0 | Yes | Patched |
| 14.1.1.0.0 | Yes | Patched |
Technical Details
Oracle WebLogic Server's IIOP and T3 protocols are used for Java RMI (Remote Method Invocation) and enterprise bean communication. Both protocols accept serialized Java objects from the network. When WebLogic deserializes these objects, it processes them through Java's native deserialization mechanism without sufficient validation.
CVE-2020-2883 exploits this by sending a crafted serialized Java object over IIOP (port 7001 by default) or T3 to trigger a gadget chain — a sequence of Java class instantiations and method calls that ultimately executes arbitrary OS commands. This is a variant of the classic Java deserialization RCE class; Oracle had previously patched related vulnerabilities (CVE-2020-2551, CVE-2019-2729) but this CVE represents a bypass of those earlier fixes.
No credentials are required. An attacker with TCP connectivity to port 7001 can achieve full server compromise.
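As an added example (not part of the advisory), a small Python classifier that matches a captured T3 handshake banner against the affected-version table above; the banner strings are constructed, and the `HELO:<version>.<bool>` first line is assumed from WebLogic's T3 handshake reply format. The important caveat is in the code: a version match is an inventory lead, not proof of vulnerability, because Oracle CPU patches do not change the reported version string.

```python
"""Classify a captured WebLogic T3 handshake banner against the
CVE-2020-2883 affected-version list (added example; banners constructed)."""
import re
from typing import Optional

# Versions listed in the advisory's Affected Versions table.
AFFECTED_VERSIONS = {
    "10.3.6.0.0", "12.1.3.0.0", "12.2.1.3.0", "12.2.1.4.0", "14.1.1.0.0",
}

# Assumed reply format: first line "HELO:12.2.1.4.0.false".
# The trailing boolean is matched but not interpreted here.
HELO_RE = re.compile(r"^HELO:(\d+(?:\.\d+){2,4})\.(true|false)", re.M)


def parse_t3_banner(banner: str) -> Optional[str]:
    """Return the WebLogic version from a T3 HELO reply, or None when the
    reply is not a T3 handshake (port closed, filtered, or plain HTTP)."""
    m = HELO_RE.search(banner)
    return m.group(1) if m else None


def classify(banner: str) -> dict:
    """Turn a banner into an inventory verdict.

    A version match only places the server in the affected family: CPU
    patches do not change the version string, so the OPatch inventory
    must be checked separately to confirm the April 2020 CPU is applied.
    """
    version = parse_t3_banner(banner)
    if version is None:
        return {"version": None, "t3_exposed": False,
                "verdict": "no T3 handshake; protocol disabled or filtered"}
    if version in AFFECTED_VERSIONS:
        return {"version": version, "t3_exposed": True,
                "verdict": "affected version family; confirm April 2020 CPU or later is installed"}
    return {"version": version, "t3_exposed": True,
            "verdict": "version not in advisory table; still confirm current CPU"}


# Constructed sample banners, not captured from any real host.
SAMPLE_AFFECTED = "HELO:12.2.1.4.0.false\nAS:2048\nHL:19\nMS:10000000\n\n"
SAMPLE_HTTP = "HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for b in (SAMPLE_AFFECTED, SAMPLE_HTTP):
        print(classify(b))
```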
Discovery
CVE-2020-2883 was discovered by security researchers and reported to Oracle as part of the April 2020 CPU cycle. Oracle does not publicly credit individual reporters for CPU findings. The vulnerability represents a new gadget chain for WebLogic deserialization that bypassed Oracle's previous IIOP/T3 mitigations.
Exploitation Context
Oracle WebLogic deserialization vulnerabilities have been among the most consistently exploited CVEs in enterprise environments since 2019. CVE-2020-2883 specifically has been exploited by:
- Cryptomining operators: XMRig and other miners deployed at scale by automated scanning tools targeting port 7001
- Ransomware groups: Initial access brokers sold WebLogic footholds for ransomware deployment
- Chinese APT actors: WebLogic RCE chains have been part of APT41 and related groups' initial access toolkit
CISA's late addition to KEV (January 2025 — nearly five years after the patch) indicates that unpatched WebLogic servers remained in production at scale and were actively targeted through the mid-2020s.
Remediation
- Apply the April 2020 CPU patch: Install Oracle's April 2020 Critical Patch Update for the specific WebLogic version in use.
- Disable IIOP and T3 if not required: In the WebLogic admin console, disable the IIOP protocol and restrict T3 access to known application servers only. Most modern WebLogic deployments using HTTP/HTTPS do not require IIOP.
- Firewall port 7001: Restrict port 7001 (and 7002) to known application clients — block inbound access from the internet.
- Apply all subsequent CPUs: Oracle releases quarterly CPUs; apply each one promptly — WebLogic deserialization vulnerabilities appear regularly.
- WebLogic firewall rules: Configure WebLogic's connection filter (weblogic.security.net.ConnectionFilter) to whitelist allowed source IPs for T3/IIOP connections.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2020-2883 |
| Vendor / Product | Oracle — WebLogic Server |
| NVD Published | 2020-04-15 |
| NVD Last Modified | 2025-10-27 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CISA KEV Added | 2025-01-07 |
| CISA KEV Deadline | 2025-01-28 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2020-04-15 | Oracle patches CVE-2020-2883 in April 2020 Critical Patch Update |
| 2025-01-07 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2025-01-28 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Oracle Critical Patch Update — April 2020 | Vendor Advisory |
| NVD — CVE-2020-2883 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |