Advisory

January 10 Advisory: Oracle WebLogic Vulnerability Added to CISA KEV [CVE-2020-2883]

Date of Disclosure (source): April 14, 2020 (Oracle Critical Patch Update) 
Date Reported as Actively Exploited (source): January 7, 2025

CVE-2020-2883 is a critical vulnerability affecting Oracle WebLogic Server versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, and 12.2.1.4.0, with a CVSS score of 9.8.

The vulnerability is an insecure deserialization flaw in the WebLogic core: an unauthenticated attacker with network access to the server's IIOP (Internet Inter-ORB Protocol) or T3 (WebLogic's proprietary RMI protocol) listener can send a crafted serialized Java object and execute arbitrary code in the context of the WebLogic process. Successful exploitation results in full takeover of the vulnerable server instance.

Oracle patched this vulnerability more than four years ago in the April 2020 Critical Patch Update and, within weeks, warned customers that it was being actively exploited and urged them to apply the patch immediately. Despite this history, the vulnerability was only added to CISA's Known Exploited Vulnerabilities (KEV) catalog on January 7, 2025. With no recent public reporting of a renewed surge in exploitation, the addition appears to be a catch-up entry rather than a response to a new campaign. Regardless of the reason, any unpatched instance in your network should be remediated as soon as possible.


CVE-ID: CVE-2020-2883 – CVSS 9.8 (Critical) – assigned by NVD
Vulnerability Description: Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP, T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.
Date of Disclosure: April 14, 2020 (Oracle Critical Patch Update)
Affected Assets: Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core)
Vulnerable Software Versions: 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
PoC Available?: Multiple PoC exploits are available on GitHub.
Exploitation Status: Actively exploited; added to CISA KEV on January 7, 2025.
Patch Status: Patches are available as part of Oracle's April 2020 Critical Patch Update. Organizations are strongly advised to apply them immediately.

Censys Perspective

At the time of writing, Censys observed 236 exposed Oracle WebLogic servers. A large proportion of these (67%) are geolocated in China. Note that not all instances observed are necessarily vulnerable as we do not always have specific versions available.

We observed 139 hosts reporting version 10.3.6.0. NVD lists 10.3.6.0.0 as a vulnerable version, not 10.3.6.0; the discrepancy comes from versioning practice rather than from a different release, since Oracle's Critical Patch Update uses a five-field version string while the version exposed in the server's T3 banner has four fields, so 10.3.6.0 most likely corresponds to the 10.3.6.0.0 release that Oracle lists as affected. Two caveats apply. First, because we cannot confirm that mapping from the banner alone, we conservatively do not count these 139 hosts as vulnerable, so the vulnerable population is, if anything, undercounted. Second, a matching version does not by itself prove a host is exploitable: the April 2020 fix is delivered as a patch that does not change the advertised version, so patch level has to be verified on the host itself.
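The version-mapping problem above is easy to get wrong when triaging scan results, so here is an added example (written for this page, not Censys's fingerprinting code or Oracle's tooling) that parses the version out of a WebLogic T3 HELO banner, normalizes a four-field banner such as 10.3.6.0 to Oracle's five-field form, and checks it against the affected-release list from the advisory. The T3 handshake bytes are an assumption taken from widely used public version probes, the default port 7001 is WebLogic's usual administration port, and every sample reply is constructed rather than captured from a real host.

```python
import re
import socket
from typing import Dict, Optional

# Releases Oracle lists as affected by CVE-2020-2883 (April 2020 CPU / NVD).
AFFECTED_RELEASES = {"10.3.6.0.0", "12.1.3.0.0", "12.2.1.3.0", "12.2.1.4.0"}

# Assumed plaintext T3 client hello, as sent by public version probes such as
# nmap's weblogic-t3-info script; a WebLogic listener answers with a HELO line.
T3_HANDSHAKE = b"t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n"

# "HELO:<dotted version>.<flag>" -- the trailing boolean flag is ignored here.
HELO_RE = re.compile(r"HELO:(\d+(?:\.\d+)*)\.(?:true|false)")

# Constructed sample replies (not captured from real hosts): a four-field
# 10.3.6.0 banner, a five-field 12.2.1.4.0 banner, a newer release outside the
# affected list, and a non-T3 reply from something that is not WebLogic.
SAMPLE_RESPONSES: Dict[str, bytes] = {
    "legacy_four_field": b"HELO:10.3.6.0.false\nAS:2048\nHL:19\nMS:10000000\n\n",
    "affected_12c":      b"HELO:12.2.1.4.0.false\nAS:2048\nHL:19\nMS:10000000\n\n",
    "newer_release":     b"HELO:14.1.1.0.0.false\nAS:2048\nHL:19\nMS:10000000\n\n",
    "not_weblogic":      b"HTTP/1.1 400 Bad Request\r\n\r\n",
}


def parse_t3_version(response: bytes) -> Optional[str]:
    """Extract the dotted version from a T3 HELO reply, or None if absent."""
    m = HELO_RE.search(response.decode("ascii", errors="replace"))
    return m.group(1) if m else None


def normalize_version(version: str, width: int = 5) -> str:
    """Right-pad a dotted version with zeros to Oracle's five-field form.

    "10.3.6.0" -> "10.3.6.0.0"; an already five-field string is unchanged.
    """
    fields = version.split(".")
    if not all(f.isdigit() for f in fields) or len(fields) > width:
        raise ValueError(f"unexpected WebLogic version string: {version!r}")
    return ".".join(fields + ["0"] * (width - len(fields)))


def classify_version(version: str) -> Dict[str, object]:
    """Map a banner version onto the advisory's affected-release list."""
    norm = normalize_version(version)
    affected = norm in AFFECTED_RELEASES
    return {
        "banner_version": version,
        "normalized": norm,
        "affected_release": affected,
        # A matching release is not proof of exploitability: the April 2020
        # fix is an OPatch patch set update that leaves the HELO version
        # unchanged, so confirm patch level on the host (opatch lsinventory).
        "note": ("affected release; patch level not visible in banner"
                 if affected else "release not in Oracle's affected list"),
    }


def assess_response(response: bytes) -> Dict[str, object]:
    """Classify a raw T3 reply; non-WebLogic replies yield no version."""
    version = parse_t3_version(response)
    if version is None:
        return {"banner_version": None, "normalized": None,
                "affected_release": False, "note": "no T3 HELO banner in reply"}
    return classify_version(version)


def probe_t3(host: str, port: int = 7001, timeout: float = 5.0) -> bytes:
    """Send the handshake to a live listener and return its raw reply.

    Network call for use against hosts you are authorized to test; the
    offline samples above exercise the parsing without it.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(T3_HANDSHAKE)
        return sock.recv(1024)


if __name__ == "__main__":
    for name, reply in SAMPLE_RESPONSES.items():
        print(f"{name}: {assess_response(reply)}")
```

Run it as-is to see the four constructed replies classified; point probe_t3 at an in-scope host and feed its reply to assess_response to triage a real listener. Treat an "affected release" result as a candidate for verification, not a confirmed finding, for exactly the reason the advisory gives: the banner cannot tell a patched 10.3.6 from an unpatched one.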

Map of Exposed Oracle WebLogic Server Instances

Censys Search Query:

services.software: (vendor="Oracle" and product="WebLogic Server")

Note that this fingerprint was recently deployed and results may take 24 hours to fully propagate.

Censys ASM Query:

host.services.software: (vendor="Oracle" and product="WebLogic Server")

Risk:

risks.name: "Vulnerable Oracle WebLogic Server [CVE-2020-2883]"

Note that this risk was recently deployed and results may take 24 hours to fully propagate.
