
CVE-2020-2555: Oracle Access Manager Auth Bypass Flaw

CVE-2020-2555 is an authentication bypass vulnerability in Oracle Access Manager affecting Oracle Coherence. Attackers can exploit this critical flaw to take over systems. This article covers technical details, impact, and fixes.

Published: March 11, 2026

CVE-2020-2555 Overview

CVE-2020-2555 is a critical insecure deserialization vulnerability in the Oracle Coherence product of Oracle Fusion Middleware, specifically affecting the Caching, CacheStore, and Invocation components. This vulnerability allows an unauthenticated attacker with network access via the T3 protocol to achieve complete system compromise, including full takeover of affected Oracle Coherence instances. The vulnerability is easily exploitable and requires no user interaction, making it particularly dangerous for exposed enterprise environments.

Critical Impact

This vulnerability enables unauthenticated remote code execution leading to complete system takeover. It has been added to CISA's Known Exploited Vulnerabilities Catalog, indicating active exploitation in the wild.

Affected Products

  • Oracle Coherence versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, and 12.2.1.4.0
  • Oracle Access Manager 11.1.2.3.0
  • Oracle Commerce Platform versions 11.0.0, 11.1.0, and 11.2.0
  • Oracle Communications Diameter Signaling Router
  • Oracle Healthcare Data Repository 7.0.1
  • Oracle Rapid Planning 12.1 and 12.2
  • Oracle Retail Assortment Planning 15.0 and 16.0
  • Oracle Utilities Framework versions 4.2.0.2.0, 4.2.0.3.0, 4.4.0.0.0, and 4.4.0.2.0
  • Oracle WebCenter Portal 12.2.1.3.0 and 12.2.1.4.0

Discovery Timeline

  • January 15, 2020 - CVE-2020-2555 published to NVD
  • October 27, 2025 - Last updated in NVD database

Technical Details for CVE-2020-2555

Vulnerability Analysis

CVE-2020-2555 is classified as CWE-502 (Deserialization of Untrusted Data). The vulnerability exists within Oracle Coherence's handling of serialized Java objects received over the T3 protocol. Oracle Coherence is a distributed caching solution commonly deployed in enterprise environments to provide high availability and scalability for applications. The T3 protocol is Oracle's proprietary protocol used for communication between WebLogic Server components and clients.

The flaw allows attackers to craft malicious serialized objects that, when deserialized by the vulnerable Coherence component, execute arbitrary code on the target system. This type of deserialization attack leverages "gadget chains" - sequences of existing Java classes that can be chained together to achieve code execution during the deserialization process.

Root Cause

The root cause of CVE-2020-2555 lies in insufficient validation of serialized data within the Oracle Coherence caching framework. The affected components (Caching, CacheStore, Invocation) accept serialized Java objects over the network without adequately verifying the integrity or safety of the incoming data. Specifically, the vulnerability involves the com.tangosol.util.filter.LimitFilter and related classes that can be abused to construct exploitation chains leading to arbitrary method invocation.

Attack Vector

The attack is conducted over the network using the T3 protocol, which typically operates on port 7001 (the default WebLogic Server port). An attacker can exploit this vulnerability without any authentication credentials, making it accessible to any attacker who can reach the vulnerable service.

The exploitation flow involves:

  1. The attacker establishes a T3 connection to the vulnerable Oracle Coherence instance
  2. A specially crafted serialized Java object containing a malicious gadget chain is transmitted
  3. The Coherence server deserializes the object, triggering the gadget chain execution
  4. Arbitrary code executes with the privileges of the Oracle Coherence process

This vulnerability has been actively exploited in the wild and is tracked in CISA's Known Exploited Vulnerabilities Catalog. Multiple proof-of-concept exploits are publicly available, as documented in Packet Storm Oracle Coherence RCE, Packet Storm WebLogic Server RCE, and Packet Storm WebLogic Deserialization RCE.

Detection Methods for CVE-2020-2555

Indicators of Compromise

  • Unusual outbound connections from Oracle WebLogic or Coherence server processes
  • Unexpected child processes spawned by the WebLogic Server JVM (e.g., shells, scripting interpreters)
  • Suspicious T3 protocol traffic containing serialized Java objects with known malicious class references such as com.tangosol.util.filter.LimitFilter
  • Web shell files or unauthorized modifications to WebLogic deployment directories
  • Evidence of post-exploitation activities such as credential harvesting or lateral movement originating from the application server

Detection Strategies

  • Deploy network intrusion detection systems (NIDS) with signatures for malicious T3 protocol payloads and known CVE-2020-2555 exploit patterns
  • Monitor Java deserialization activity using endpoint detection and response (EDR) solutions capable of tracking JVM behavior
  • Implement application-layer firewalls to inspect and filter T3 protocol traffic for suspicious serialized object patterns
  • Configure logging for Oracle Coherence and WebLogic Server to capture detailed information about incoming connections and deserialization events
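
A sketch of the class-reference check described above, as an added example (not SentinelOne or Oracle code). It looks for the Java serialization stream magic in a reassembled payload, extracts class-descriptor names, and flags any on a denylist. The sample bytes, the FRAME prefix and the helper names are constructed for illustration, and the denylist holds only the class named in this advisory.

```python
import re
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"  # Java serialization magic + stream version
TC_CLASSDESC = b"\x72"              # tag that introduces a class descriptor
SC_SERIALIZABLE, SC_EXTERNALIZABLE = 0x02, 0x04
KNOWN_FLAGS = 0x1F                  # all SC_* flag bits defined by the stream format
CLASS_NAME = re.compile(rb"\[*[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*;?")
DENYLIST = ("com.tangosol.util.filter.LimitFilter",)  # class named in this advisory

def _descriptor_at(data, pos):
    """Return (class_name, end_offset) if a class descriptor starts at pos, else None."""
    if pos + 3 > len(data):
        return None
    (length,) = struct.unpack_from(">H", data, pos + 1)
    name = data[pos + 3:pos + 3 + length]
    tail = data[pos + 3 + length:pos + 3 + length + 9]  # 8-byte serialVersionUID + flags
    if len(name) != length or len(tail) != 9 or not CLASS_NAME.fullmatch(name):
        return None  # truncated or not a descriptor; scan reassembled streams, not fragments
    flags = tail[8]
    if flags & ~KNOWN_FLAGS or not flags & (SC_SERIALIZABLE | SC_EXTERNALIZABLE):
        return None
    return name.decode("ascii"), pos + 3 + length + 9

def scan(data, denylist=DENYLIST):
    """Summarise the serialized class names found in a reassembled payload."""
    start = data.find(STREAM_MAGIC)
    classes = []
    pos = data.find(TC_CLASSDESC, start + 4) if start >= 0 else -1
    while pos != -1:
        hit = _descriptor_at(data, pos)
        if hit:
            classes.append(hit[0])
        # After a hit, skip the descriptor so an 'r' inside the name is not re-read as a tag.
        pos = data.find(TC_CLASSDESC, hit[1] if hit else pos + 1)
    denied = [c for c in classes if any(c == d or c.startswith(d + "$") for d in denylist)]
    return {"serialized": start >= 0, "classes": classes, "denied": denied}

def _obj(name):
    """Constructed test data: object tag + minimal descriptor, placeholder UID, no fields."""
    return b"\x73\x72" + struct.pack(">H", len(name)) + name.encode() + b"\x00" * 8 + b"\x02\x00\x00"

# Constructed samples (not captured traffic); FRAME stands in for protocol framing bytes.
FRAME = b"\x00\x00\x00\x40constructed-frame"
SAMPLE_SUSPECT = (FRAME + STREAM_MAGIC + _obj("com.tangosol.util.filter.LimitFilter")
                  + STREAM_MAGIC + _obj("java.lang.Integer"))
SAMPLE_BENIGN = FRAME + STREAM_MAGIC + _obj("java.util.HashMap")
```

A name match is a triage signal rather than proof of exploitation, because legitimate Coherence clients can send the same class; correlate hits with the source address and the process-level indicators listed above.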

Monitoring Recommendations

  • Enable comprehensive audit logging on Oracle WebLogic Server and Coherence instances
  • Monitor network traffic on T3 protocol ports (default 7001) for anomalous patterns or connections from unexpected sources
  • Establish baseline behavior for Oracle middleware processes and alert on deviations indicating potential compromise
  • Correlate security events across multiple data sources including network flows, endpoint telemetry, and application logs

How to Mitigate CVE-2020-2555

Immediate Actions Required

  • Apply the Oracle Critical Patch Update (CPU) that addresses CVE-2020-2555 immediately
  • Restrict network access to T3 protocol ports (7001) using firewall rules to limit exposure to trusted networks only
  • If patching is not immediately possible, consider taking vulnerable Coherence instances offline or isolating them from untrusted networks
  • Conduct a security review to identify any systems that may have already been compromised
  • Review CISA's Known Exploited Vulnerabilities Catalog entry for CVE-2020-2555 for additional guidance

Patch Information

Oracle has released patches addressing CVE-2020-2555 in multiple Critical Patch Updates. Organizations should apply the latest available patch from Oracle's security advisories:

  • Oracle January 2020 CPU Advisory - Initial patch release
  • Oracle July 2020 CPU Advisory - Additional fixes
  • Oracle October 2020 CPU Advisory - Continued remediation
  • Oracle January 2021 CPU Advisory - Further updates
  • Oracle July 2021 CPU Advisory - Latest patches

Given the critical nature of this vulnerability and its active exploitation status, patching should be prioritized immediately.

Workarounds

  • Implement network segmentation to isolate Oracle Coherence and WebLogic Server instances from untrusted networks
  • Configure firewall rules to block T3 protocol access from external or untrusted sources; only allow connections from authorized application servers
  • Disable the T3 protocol if not required for business operations, or enable T3 protocol filtering using WebLogic Server's connection filter mechanisms
  • Consider using Oracle's Java serialization filters to block known dangerous classes used in exploitation gadget chains

```
# Example: Restrict T3 protocol access using WebLogic connection filter
# Add to weblogic.security.net.ConnectionFilterImpl configuration
# Deny T3 connections from all except trusted internal networks
# Rule format: target localAddress localPort action protocols
# Rules are evaluated in order and the first matching rule decides the outcome
weblogic.security.net.ConnectionFilter=weblogic.security.net.ConnectionFilterImpl
weblogic.security.net.ConnectionFilterRules=192.168.1.0/24 * * allow t3 t3s,* * * deny t3 t3s
```
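
To check a rule set like the one above before deploying it, the following added example (not WebLogic code and not from the original page) models first-match, default-allow evaluation of connection filter rules. It is a simplified model: targets are limited to IP/CIDR or `*`, the localAddress field is ignored, and treating `*` as "any client" and accepting comma-separated rules follow this page's usage as assumptions.

```python
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "target local_addr local_port action protocols")

# Rule string as written on this page (comma-separated form is the page's own).
PAGE_RULES = "192.168.1.0/24 * * allow t3 t3s,* * * deny t3 t3s"

def parse_rules(text):
    """Parse 'target localAddress localPort action [protocols...]' rules."""
    rules = []
    for raw in text.replace(",", "\n").splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) < 4 or fields[3] not in ("allow", "deny"):
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append(Rule(fields[0], fields[1], fields[2], fields[3], tuple(fields[4:])))
    return rules

def _target_matches(target, client_ip):
    if target == "*":  # assumption: '*' matches any client, as used on this page
        return True
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(target, strict=False)

def decide(rules, client_ip, local_port, protocol):
    """First matching rule wins; a connection that matches no rule is allowed."""
    for r in rules:
        if (_target_matches(r.target, client_ip)
                and r.local_port in ("*", str(local_port))
                and (not r.protocols or protocol in r.protocols)):
            return r.action
    return "allow"

if __name__ == "__main__":
    rules = parse_rules(PAGE_RULES)
    # Constructed client addresses: one inside the trusted range, one outside it.
    for ip, proto in (("192.168.1.20", "t3"), ("203.0.113.9", "t3"), ("203.0.113.9", "http")):
        print(ip, proto, decide(rules, ip, 7001, proto))
```

The third case shows that these rules leave non-T3 protocols on the same port reachable from untrusted addresses, so the filter complements patching and network segmentation rather than replacing them.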

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: Auth Bypass
  • Vendor/Tech: Oracle Coherence
  • Severity: CRITICAL
  • CVSS Score: 9.8
  • EPSS Probability: 93.14%
  • Known Exploited: No

CVSS Vector

  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Impact Assessment

  • Confidentiality: Low
  • Integrity: None
  • Availability: High

CISA KEV Information

  • In CISA KEV: Yes

CWE References

  • CWE-502

Technical References

  • Packet Storm Oracle Coherence RCE
  • Packet Storm WebLogic Server RCE
  • Packet Storm WebLogic Deserialization RCE
  • CISA Known Exploited CVE-2020-2555

Vendor Resources

  • Oracle January 2020 CPU Advisory
  • Oracle January 2021 CPU Advisory
  • Oracle July 2020 CPU Advisory
  • Oracle July 2021 CPU Advisory
  • Oracle October 2020 CPU Advisory

Related CVEs

  • CVE-2020-14756: Oracle Coherence RCE Vulnerability