🔴 CVE-2020-2883

Critical unauthenticated deserialization vulnerability in Oracle WebLogic Server, reachable over the IIOP and T3 network protocols, that allows complete server takeover. It is actively exploited in the wild and is listed in CISA's Known Exploited Vulnerabilities catalog.

Risk Level: HIGH_RISK
CVSS Score: 9.8
Attack Vector: NETWORK
ATT&CK Tactic: Initial Access
ATT&CK Technique: T1190 — Exploit Public-Facing Application
Deployment Risk: VERY_HIGH
Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2020-04-15

Added to CISA KEV: 2025-01-07 (1728 days between CVE publication and KEV listing)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2020-2883 is a critical deserialization vulnerability in Oracle WebLogic Server that has been subject to active exploitation since shortly after its disclosure in April 2020 [1] [7]. It is officially recognized as a Known Exploited Vulnerability (KEV) by CISA [1].

Exploitation and Attack Method
  • Method: The vulnerability is a deserialization flaw that source [4] locates in the `com.tangosol.coherence.mvel2.sh.ShellSession` class of the Coherence library bundled with WebLogic. It bypasses Oracle's earlier patch for CVE-2020-2555: the server still accepts and deserializes attacker-supplied objects that the first fix did not cover [3].
  • Requirements: NVD rates it "easily exploitable" [2]: no authentication and no user interaction are required, only network reachability of the server's IIOP (Internet Inter-ORB Protocol) or T3 (WebLogic's proprietary protocol) listener [2] [8]. WebLogic's default listen port (7001) multiplexes HTTP, T3 and IIOP on the same socket, so a listener exposed for web traffic is also exposed for these protocols.
  • Availability: Public exploit code has existed since shortly after disclosure [5], and Waratek reported remote exploitation within weeks of the April 2020 CPU [7].
Impact and Usage
  • Impact: Successful exploitation yields remote code execution as the WebLogic server process, i.e. complete takeover of the affected server [2] [4]. The CVSS v3.0 base score is 9.8 (Critical) [2].
  • Threat Actor Usage: The sources cited here do not attribute exploitation to named groups. Its KEV listing [1] and the May 2020 report of remote exploitation [7] establish in-the-wild use; an RCE primitive on an application server is typically followed by payload delivery and lateral movement into the surrounding network.
Affected Versions and Mitigation
  • Affected Versions: The vulnerability affects the following Oracle WebLogic Server releases [8]:
      • 10.3.6.0.0
      • 12.1.3.0.0
      • 12.2.1.3.0
      • 12.2.1.4.0
  • Status: Oracle shipped the fix in the April 2020 Critical Patch Update (CPU) [6] [7]. Apply that CPU or a later one to every affected instance [1]. A listener that reports one of the release strings above is not proof of exposure, because the release string does not change when a CPU is applied; confirm the patch level directly (for example with `opatch lsinventory`). Until the patch is in place, restricting T3 and IIOP reachability at the network boundary reduces exposure, but it is a stop-gap rather than a substitute for patching.
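The inventory check described above, as an added example (not code from the advisory or from Oracle): it speaks the public T3 greeting (the same handshake nmap's weblogic-t3-info script uses), parses the `HELO:<version>` reply and flags releases on the advisory's affected list. The sample replies are constructed, port 7001 as the default listen port is an assumption about the deployment, and a match means "verify the April 2020 CPU is applied", never "exploitable", since the banner carries the release, not the patch level.

```python
"""Inventory check for WebLogic T3 listeners in scope for CVE-2020-2883.

Added example, not from the advisory or from Oracle. The client sends the
public T3 greeting ("t3 <version>" plus the AS/HL lines) and a WebLogic T3
listener answers "HELO:<version>.<flag>". The version is the base release,
which the CPU does not change, so this is an inventory tool, not a
vulnerability test.
"""
import re
import socket
from typing import Optional

# Releases the advisory lists as affected (exact base version strings).
AFFECTED_RELEASES = frozenset({"10.3.6.0.0", "12.1.3.0.0", "12.2.1.3.0", "12.2.1.4.0"})

# Client greeting; the version the client claims does not affect the reply.
T3_HELLO = b"t3 12.2.1\nAS:255\nHL:19\n\n"

# Server reply looks like b"HELO:12.2.1.4.0.false\nAS:2048\nHL:19\n\n".
HELO_RE = re.compile(rb"HELO:(\d+(?:\.\d+){2,4})\.(true|false)")


def parse_t3_banner(data: bytes) -> Optional[str]:
    """Return the WebLogic release from a T3 HELO reply, or None when the peer
    is not a T3 listener (an HTTP error from an HTTP-only port, an empty read)."""
    m = HELO_RE.search(data)
    return m.group(1).decode("ascii") if m else None


def assess_banner(data: bytes) -> dict:
    """Classify one banner for the CVE-2020-2883 inventory."""
    version = parse_t3_banner(data)
    if version is None:
        return {"t3": False, "version": None, "listed_affected": False,
                "action": "no T3 listener detected"}
    listed = version in AFFECTED_RELEASES
    return {
        "t3": True,
        "version": version,
        "listed_affected": listed,
        "action": ("confirm April 2020 CPU or later is applied; restrict T3/IIOP exposure"
                   if listed else "release not in advisory list; verify separately"),
    }


def grab_t3_banner(host: str, port: int = 7001, timeout: float = 5.0) -> bytes:
    """Send the greeting to a live host and return the raw reply.

    7001 is WebLogic's default listen port, which multiplexes HTTP, T3 and IIOP;
    the actual port in a given deployment is an assumption to confirm.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(T3_HELLO)
        return sock.recv(1024)


# Constructed sample replies; not captured from real servers.
SAMPLE_BANNERS = {
    "affected-release": b"HELO:12.2.1.4.0.false\nAS:2048\nHL:19\n\n",
    "older-release":    b"HELO:12.2.1.2.0.false\nAS:2048\nHL:19\n\n",
    "http-only-port":   b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n",
    "empty-read":       b"",
}

if __name__ == "__main__":
    for label, banner in SAMPLE_BANNERS.items():
        print(f"{label:18s} {assess_banner(banner)}")
```

Run it as-is to see the classification of the constructed samples; point `grab_t3_banner` at hosts you are authorised to scan and feed its result to `assess_banner` to build the inventory. Treat an HTTP reply on the listen port as "T3 may still be enabled on another port", not as "not exposed".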

Sources

  1. January 10 Advisory: Oracle WebLogic Vulnerability Added to CISA KEV ...

    Oracle patched this vulnerability over 4 years ago in April 2020, and shortly after warned customers of active exploitation, urging them to patch immediately. Despite this, the vulnerability was only recently added to CISA’s list of Known Exploited Vulnerabilities (KEV) on January 7, 2025. ... CVE-2…

  2. CVE-2020-2883 Detail - NVD

    Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP, T3 to compromise Oracle WebLogic Server. ... CVE-2020-2883 Detail. Description.Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP, T3 to compromise Oracle WebLogi…

  3. Customer Alert - 5/12/2020 | Waratek

    Security researchers have published additional details about CVE-2020-2883 that patches a WebLogic deserialization flaw that allows attackers to by-pass a previous vendor patch of CVE-2020-2555. ... Background CVE-2020-2883 is a deserialization patch in Oracle’s April 2020 Critical Patch Update that…

  4. A Critical Deserialization Vulnerability in Oracle WebLogic... | Armis

    CVE-2020-2883 is a critical deserialization vulnerability affecting Oracle WebLogic Server, a widely used Java EE application server. The flaw resides within the com.tangosol.coherence.mvel2.sh.ShellSession class, which improperly handles deserialized user input, leading to arbitrary remote code exe…

  5. CVE-2020-2883 : Vulnerability in the Oracle WebLogic Server product of ...

    Exploit prediction scoring system (EPSS) score for CVE-2020-2883 EPSS FAQ 94.36% Probability of exploitation activity in the next 30 days EPSS Score History ... Vulnerability Details : CVE-2020-2883. Public exploit exists! Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middlewa…

  6. Oracle Critical Patch Update Advisory - April 2020

    A CVE# shown in italics indicates that this vulnerability impacts a different product, but also has impact on the product where the italicized CVE# is listed. ... Oracle Critical Patch Update Advisory - April 2020 Description A Critical Patch Update is a collection of patches for multiple security v…

  7. Customer Alert - 5/5/2020 | Waratek

    Oracle Weblogic CVE-2020-2883 RCE vulnerability is being remotely exploited: Other risks exist that require urgent action. Waratek customers are protected by default rule. On April 14, 2020, Oracle released the quarterly Critical Patch Update (CPU) that includes 397 patches across Oracle’s product s…

  8. CVE-2020-2883 | Armis Vulnerability Intelligence Database

    CVE-2020-2883: CVE-2020-2883 is a critical vulnerability in Oracle WebLogic Server that allows unauthenticated remote attackers to execute arbitrary code v...This vulnerability affects Oracle WebLogic Server versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, and 12.2.1.4.0. The issue exists in the Core co…