CVE-2019-2890

HIGH

Oracle WebLogic Server 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 - Authenticated Remote Code Execution via T3

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 7 public exploits for CVE-2019-2890. PoCs published by l1nk3rlin, jas502n, zhzhdoai.

AI-analyzed exploit summary This repository contains a proof-of-concept exploit for CVE-2019-2890, a deserialization vulnerability in Oracle WebLogic Server. The exploit leverages JRMP to achieve remote code execution by generating a malicious serialized file and sending it to the target server.

Description

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Services). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0. Easily exploitable vulnerability allows high privileged attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

Exploits (7)

nomisec WORKING POC 85 stars
by l1nk3rlin · poc
https://github.com/l1nk3rlin/CVE-2019-2890

This repository contains a proof-of-concept exploit for CVE-2019-2890, a deserialization vulnerability in Oracle WebLogic Server. The exploit leverages JRMP to achieve remote code execution by generating a malicious serialized file and sending it to the target server.

Classification
Working Poc 95%
Attack Type
Deserialization
Complexity
Moderate
Reliability
Reliable
Target: Oracle WebLogic Server
No auth needed
Prerequisites: Access to the target WebLogic server · JRMP listener set up on attacker's machine · ysoserial.jar for payload generation
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 44 stars
by jas502n · poc
https://github.com/jas502n/CVE-2019-2890

This repository contains a functional proof-of-concept exploit for CVE-2019-2890, a deserialization vulnerability in Oracle WebLogic Server. The exploit leverages JRMP to achieve remote code execution by crafting a malicious serialized object and sending it to the target server.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Oracle WebLogic Server
No auth needed
Prerequisites: Access to the target WebLogic Server's T3 protocol port (typically 7001) · ysoserial tool for generating payloads
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 17 stars
by zhzhdoai · poc
https://github.com/zhzhdoai/Weblogic_Vuln

This repository contains proof-of-concept exploits for multiple WebLogic vulnerabilities, including CVE-2015-4852, which leverages Java deserialization via Apache Commons Collections to achieve remote code execution. The PoC generates a serialized payload that, when deserialized, executes arbitrary commands.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Oracle WebLogic Server (versions affected by CVE-2015-4852, CVE-2016-0638, CVE-2016-3510, CVE-2019-2890)
No auth needed
Prerequisites: Network access to vulnerable WebLogic T3 interface · Apache Commons Collections library for payload generation
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 11 stars
by ZO1RO · poc
https://github.com/ZO1RO/CVE-2019-2890

This is a Python-based exploit for CVE-2019-2890, targeting a deserialization vulnerability in Oracle WebLogic Server. It sends a crafted T3 protocol request with a malicious payload to achieve remote code execution.

Classification
Working Poc 95%
Attack Type
Deserialization
Complexity
Moderate
Reliability
Reliable
Target: Oracle WebLogic Server
No auth needed
Prerequisites: Network access to the target WebLogic Server · T3 protocol enabled on the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 4 stars
by ianxtianxt · poc
https://github.com/ianxtianxt/CVE-2019-2890

This repository contains a proof-of-concept exploit for CVE-2019-2890, a deserialization vulnerability in Oracle WebLogic Server. The exploit leverages JRMP to achieve remote code execution by generating a malicious serialized file and sending it to the target server.

Classification
Working Poc 95%
Attack Type
Deserialization
Complexity
Moderate
Reliability
Reliable
Target: Oracle WebLogic Server
No auth needed
Prerequisites: Access to the target WebLogic server · JRMP listener set up on attacker's machine
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 1 stars
by Ky0-HVA · poc
https://github.com/Ky0-HVA/CVE-2019-2890

This is a Python-based exploit for CVE-2019-2890, targeting a deserialization vulnerability in Oracle WebLogic Server. It sends a crafted T3 protocol request with a malicious payload to achieve remote code execution.

Classification
Working Poc 95%
Attack Type
Deserialization
Complexity
Moderate
Reliability
Reliable
Target: Oracle WebLogic Server
No auth needed
Prerequisites: Network access to the target WebLogic Server · T3 protocol enabled on the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by freeide · poc
https://github.com/freeide/weblogic_cve-2019-2890

This PoC exploits CVE-2019-2890, a Java deserialization vulnerability in Oracle WebLogic Server, by sending a malicious payload via T3 protocol to achieve remote code execution. It uses ysoserial to generate the payload and requires a target IP and command to execute.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Oracle WebLogic Server
No auth needed
Prerequisites: Target IP and port · ysoserial.jar · Network access to the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1
Core References

Scores

CVSS v3 7.2
EPSS 0.3760
EPSS Percentile 98.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

Status published
Products (3)
oracle/weblogic_server 10.3.6.0.0
oracle/weblogic_server 12.1.3.0.0
oracle/weblogic_server 12.2.1.3.0
Published Oct 16, 2019
Tracked Since Feb 18, 2026