CVE-2020-2883 Overview
CVE-2020-2883 is a critical deserialization vulnerability in Oracle WebLogic Server, a component of Oracle Fusion Middleware. The flaw exists in the Core component and is exploitable over the network through the Internet Inter-ORB Protocol (IIOP) and T3 protocols. An unauthenticated remote attacker can send a crafted serialized object to trigger arbitrary Java code execution. Successful exploitation results in complete takeover of the WebLogic Server. The vulnerability affects supported versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, and 12.2.1.4.0. CISA has added this CVE to its Known Exploited Vulnerabilities (KEV) catalog, confirming active in-the-wild exploitation.
Critical Impact
Unauthenticated attackers can achieve remote code execution and full server compromise via T3 or IIOP, with public exploit code circulating since April 2020.
Affected Products
- Oracle WebLogic Server 10.3.6.0.0
- Oracle WebLogic Server 12.1.3.0.0
- Oracle WebLogic Server 12.2.1.3.0 and 12.2.1.4.0
Discovery Timeline
- 2020-04-15 - CVE-2020-2883 published to NVD
- 2020-04-15 - Oracle releases security patch in April 2020 Critical Patch Update
- 2025-10-27 - Last updated in NVD database
Technical Details for CVE-2020-2883
Vulnerability Analysis
The vulnerability is an insecure Java deserialization flaw in the WebLogic Server Core component. WebLogic exposes the T3 and IIOP remote protocols on its default listening port to support Remote Method Invocation (RMI) and inter-process communication. These protocols accept serialized Java objects from remote clients without sufficient validation of class types. An attacker submits a specially crafted object graph that, when deserialized by the server, triggers a chain of method calls (a gadget chain) leading to arbitrary command execution.
This class of issue continued a long line of WebLogic deserialization weaknesses: the new gadget chain bypassed earlier mitigations that had blocklisted gadgets such as those from com.tangosol.internal.util.invoke. The Zero Day Initiative documented the underlying gadget in advisories ZDI-20-504 and ZDI-20-570.
Root Cause
The root cause is improper filtering of untrusted serialized data received over the T3 and IIOP protocols. WebLogic's deserialization blocklist failed to cover all exploitable gadget classes, allowing attackers to reach reflective method invocation paths during object reconstruction. CWE classification is marked as NVD-CWE-noinfo.
Attack Vector
An attacker establishes a TCP connection to the WebLogic listening port (commonly 7001) and negotiates a T3 or IIOP session. The attacker then sends a serialized payload containing the gadget chain. No credentials, user interaction, or prior access are required. Public proof-of-concept exploits have been published, including the WebLogic Server Deserialization Remote Code Execution writeup on Packet Storm.
No sanitized exploit code is reproduced here. Technical mechanics are available in the referenced ZDI advisories and the Packet Storm report.
Detection Methods for CVE-2020-2883
Indicators of Compromise
- Unexpected outbound network connections from the WebLogic JVM process (java.exe or java) to attacker-controlled infrastructure shortly after inbound T3/IIOP traffic.
- Spawning of shells (cmd.exe, powershell.exe, /bin/sh, /bin/bash) as child processes of the WebLogic server process.
- New files written to WebLogic deployment directories such as servers/AdminServer/tmp/ or servers/AdminServer/upload/, particularly .jsp or .war files.
- Inbound TCP traffic to port 7001 or other configured T3/IIOP ports from untrusted source addresses.
Detection Strategies
- Inspect WebLogic access and server logs for t3, t3s, iiop, or iiops protocol handshakes from external networks.
- Hunt for child processes of WebLogic Java workers that match command interpreters or living-off-the-land binaries.
- Apply network IDS signatures targeting T3 protocol magic bytes and known deserialization gadget class names traversing the wire.
Monitoring Recommendations
- Forward WebLogic AdminServer.log, access.log, and JVM stdout to a centralized logging platform for correlation.
- Alert on unauthenticated T3 or IIOP connections originating outside management subnets.
- Track process lineage from the WebLogic service account to surface post-exploitation activity such as credential dumping or persistence.
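The detection strategies and monitoring recommendations above, turned into three hunting rules run over constructed sample events. This is an added example, not code from the advisory or from Oracle; it assumes an EDR/firewall export in key=value form, a trusted management subnet of 10.10.0.0/24 (the same range used in the connection filter rules on this page), and a WebLogic JVM launched as `java ... weblogic.Server`.

```python
# Hunting rules for the indicators listed above (added example; events are constructed).
import ipaddress
import re

MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]  # assumed trusted management subnet
T3_IIOP = {"t3", "t3s", "iiop", "iiops"}
SHELLS = {"cmd.exe", "powershell.exe", "sh", "bash"}
DEPLOY_DIRS = ("servers/AdminServer/tmp/", "servers/AdminServer/upload/")


def parse(line):
    """Turn 'k=v k="v with spaces"' into a dict (assumed export format, not a WebLogic log)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def shell_from_weblogic(ev):
    """Rule 1: command interpreter spawned by a WebLogic JVM (java ... weblogic.Server)."""
    return (ev.get("type") == "process"
            and basename(ev.get("parent_image", "")) in {"java", "java.exe"}
            and "weblogic.server" in ev.get("parent_cmdline", "").lower()
            and basename(ev.get("image", "")) in SHELLS)


def t3_from_untrusted(ev):
    """Rule 2: T3/IIOP session whose source address lies outside the management subnets."""
    return (ev.get("type") == "network" and ev.get("proto", "").lower() in T3_IIOP
            and not any(ipaddress.ip_address(ev["src"]) in n for n in MGMT_NETS))


def webshell_drop(ev):
    """Rule 3: .jsp/.war written under a WebLogic deployment directory."""
    path = ev.get("path", "").replace("\\", "/")
    return (ev.get("type") == "file" and path.lower().endswith((".jsp", ".war"))
            and any(d in path for d in DEPLOY_DIRS))


RULES = [shell_from_weblogic, t3_from_untrusted, webshell_drop]


def hunt(lines):
    """Return (rule name, event) pairs, in input order, for every event that matches a rule."""
    return [(r.__name__, ev) for ev in map(parse, lines) for r in RULES if r(ev)]


SAMPLE = [  # constructed sample events, not real telemetry
    'type=network src=203.0.113.7 dst=10.10.0.20 dport=7001 proto=t3',
    'type=network src=10.10.0.5 dst=10.10.0.20 dport=7001 proto=t3s',
    'type=process parent_image=/opt/jdk/bin/java parent_cmdline="java weblogic.Server" image=/bin/sh',
    'type=process parent_image=C:\\jdk\\bin\\java.exe parent_cmdline="java weblogic.Server" image=C:\\Windows\\System32\\cmd.exe',
    'type=process parent_image=/usr/bin/bash parent_cmdline=bash image=/bin/sh',
    'type=file path=/u01/domains/base_domain/servers/AdminServer/tmp/_WL_internal/x.jsp',
    'type=file path=/u01/domains/base_domain/servers/AdminServer/logs/AdminServer.log',
]
```

Running `hunt(SAMPLE)` flags the external T3 session, both shells spawned by the WebLogic JVM, and the .jsp dropped under AdminServer/tmp, while the management-subnet session, the bash-spawned shell and the log file pass.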
How to Mitigate CVE-2020-2883
Immediate Actions Required
- Apply the Oracle April 2020 Critical Patch Update to all affected WebLogic Server instances immediately, prioritizing internet-facing systems.
- Restrict T3 and IIOP protocol access to trusted management networks using a WebLogic connection filter or perimeter firewall rules.
- Review WebLogic hosts for signs of compromise before patching, as CISA confirms this CVE is actively exploited.
- Rotate credentials and secrets stored on or accessible from any WebLogic server that was internet-exposed prior to patching.
Patch Information
Oracle released fixes as part of the April 2020 Critical Patch Update. Refer to the Oracle Security Alert April 2020 advisory for the relevant patch IDs covering versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, and 12.2.1.4.0. CISA tracks ongoing exploitation in the Known Exploited Vulnerabilities Catalog entry for CVE-2020-2883.
Workarounds
- Configure a WebLogic connection filter (weblogic.security.net.ConnectionFilterImpl) to deny T3 and IIOP traffic from untrusted CIDR ranges.
- Disable IIOP in the WebLogic Server console under Protocols > IIOP if the protocol is not required by deployed applications.
- Place WebLogic administration interfaces behind a VPN or jump host and block port 7001 at the network edge.
# Example WebLogic connection filter rules (weblogic.security.net.ConnectionFilterImpl) - set via the
# console (Domain > Security > Filter) or in the domain config.xml. Rules are evaluated in order and
# the first matching rule wins, so the allow rule for the management subnet must come before deny-all.
10.10.0.0/24 * * allow t3 t3s iiop iiops
0.0.0.0/0 * * deny t3 t3s iiop iiops
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.