CVE-2020-2555

CRITICAL KEV

Oracle Coherence 3.7.1.0/12.1.3.0.0/12.2.1.3-4 - RCE

Title source: llm

Exploitation Summary

CVE-2020-2555 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021. EIP tracks 10 public exploits from sources including Metasploit, nu11secur1ty and Y4er, among them the Metasploit module exploits/multi/misc/weblogic_deserialize_badattrval.

AI-analyzed exploit summary: This Metasploit module exploits a Java deserialization vulnerability in Oracle WebLogic Server (CVE-2020-2555) by sending a crafted BadAttributeValueExpException object over the T3 protocol, leading to unauthenticated remote code execution.

Description

Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Caching, CacheStore, Invocation). Supported versions that are affected are 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle Coherence. Successful attacks of this vulnerability can result in takeover of Oracle Coherence. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Exploits (10)

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby, remote, multiple
https://www.exploit-db.com/exploits/48508

This Metasploit module exploits a Java deserialization vulnerability in Oracle WebLogic Server (CVE-2020-2555) by sending a crafted BadAttributeValueExpException object over the T3 protocol, leading to unauthenticated remote code execution.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Oracle WebLogic Server versions 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
No auth needed
Prerequisites: Network access to WebLogic T3 port (default 7001) · Vulnerable WebLogic version
Analyzed by devstral-2 on Feb 16, 2026
exploitdb · WORKING POC
by nu11secur1ty · python, webapps, java
https://www.exploit-db.com/exploits/48320

This exploit leverages CVE-2020-2555 to achieve remote code execution on Oracle WebLogic Server by sending a crafted T3 protocol payload. It reads an external payload file and embeds it into the exploit traffic.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Oracle WebLogic Server 12.2.1.4.0
No auth needed
Prerequisites: Network access to the target server · T3 protocol enabled on the target
Analyzed by devstral-2 on Feb 16, 2026
nomisec · WORKING POC · 176 stars
by Y4er · remote
https://github.com/Y4er/CVE-2020-2555

This repository contains a functional exploit for CVE-2020-2555, a deserialization vulnerability in Oracle WebLogic Server. The exploit leverages the ReflectionExtractor gadget chain to achieve remote code execution (RCE) via the T3 protocol.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Oracle WebLogic Server 12.2.1.4 (JDK 8u76 without security manager)
No auth needed
Prerequisites: Access to WebLogic T3 port (default 7001) · Target running JDK 8u76 without a security manager · Coherence.jar matching the target WebLogic version
Analyzed by devstral-2 on Feb 16, 2026
nomisec · WORKING POC · 47 stars
by wsfengfan · remote
https://github.com/wsfengfan/CVE-2020-2555

This repository contains a working exploit for CVE-2020-2555, a deserialization vulnerability in Oracle WebLogic Server. The exploit leverages a crafted payload to achieve remote code execution (RCE) via the T3 protocol.

Classification: Working PoC (95%)
Attack Type: RCE, Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Oracle WebLogic Server 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
No auth needed
Prerequisites: Network access to the target WebLogic Server · T3 protocol enabled on the target
Analyzed by devstral-2 on Feb 16, 2026
nomisec · WORKING POC · 14 stars
by Maskhe · poc
https://github.com/Maskhe/cve-2020-2555

This PoC generates a serialized payload exploiting CVE-2020-2555, a deserialization vulnerability in Oracle Coherence. It chains extractors to execute arbitrary commands (e.g., 'calc.exe') via reflection during deserialization.

Classification: Working PoC (95%)
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Oracle Coherence (versions affected by CVE-2020-2555)
No auth needed
Prerequisites: Network access to target with T3 protocol enabled · Vulnerable Oracle Coherence version
Analyzed by devstral-2 on Feb 16, 2026
nomisec · STUB · 3 stars
by Hu3sky · poc
https://github.com/Hu3sky/CVE-2020-2555

The repository contains only a README.md with placeholder text and no functional exploit code or technical details. It appears to be an incomplete or abandoned proof-of-concept for CVE-2020-2555.

Classification: Stub (90%)
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: Oracle Coherence (version not specified)
No auth needed
Prerequisites: none identifiable
Analyzed by devstral-2 on Feb 16, 2026
nomisec · WORKING POC · 1 star
by Qynklee · remote
https://github.com/Qynklee/POC_CVE-2020-2555

This repository contains a Python-based exploit for CVE-2020-2555, a deserialization vulnerability in Oracle WebLogic Server. The exploit sends a crafted T3 protocol payload to achieve remote code execution (RCE) by leveraging insecure deserialization.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Oracle WebLogic Server (12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0)
No auth needed
Prerequisites: Network access to the target WebLogic Server · T3 protocol enabled on the target
Analyzed by devstral-2 on Feb 16, 2026
vulncheck_xdb · WORKING POC
remote
https://github.com/Y4er/WebLogic-Shiro-shell

This repository contains functional exploit code for CVE-2020-2555, demonstrating Java deserialization vulnerabilities in WebLogic. It includes detailed examples of serialization/deserialization, reflection, and gadget chains (e.g., CommonsCollections2/5) to achieve RCE.

Classification: Working PoC (95%)
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Oracle WebLogic Server
No auth needed
Prerequisites: Java environment · vulnerable WebLogic instance
Analyzed by devstral-2 on Feb 25, 2026
vulncheck_xdb · SCANNER
remote
https://github.com/0xn0ne/weblogicScanner

This repository contains a Python-based scanner for detecting multiple WebLogic vulnerabilities, including CVE-2020-2555. It checks for the presence of vulnerabilities but does not exploit them.

Classification: Scanner (95%)
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: Oracle WebLogic Server
No auth needed
Prerequisites: network access to target WebLogic server
Analyzed by devstral-2 on Feb 25, 2026
metasploit · WORKING POC · NORMAL
by Jang, Y4er, Shelby Pace, Steve Embling · ruby, poc, win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/misc/weblogic_deserialize_badattrval.rb

This Metasploit module exploits CVE-2020-2555, a Java deserialization vulnerability in Oracle WebLogic Server. It sends a serialized BadAttributeValueExpException object over the T3 protocol to achieve unauthenticated remote code execution.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Oracle WebLogic Server versions 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
No auth needed
Prerequisites: Network access to the WebLogic server on port 7001 (or other T3 port) · Vulnerable WebLogic version
Analyzed by devstral-2 on Feb 16, 2026

Scores

CVSS v3: 9.8
EPSS: 0.9712
EPSS Percentile: 99.9%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC (Vulnrichment)

Exploitation: active
Automatable: yes
Technical Impact: total

Details

CISA KEV: 2021-11-03
VulnCheck KEV: 2020-10-20
InTheWild.io: 2021-07-23
ENISA EUVD: EUVD-2020-22348
CWE: CWE-502
Status: published
Products (22)
oracle/access_manager 11.1.2.3.0
oracle/coherence 3.7.1.0
oracle/coherence 12.1.3.0.0
oracle/coherence 12.2.1.3.0
oracle/coherence 12.2.1.4.0
oracle/commerce_platform 11.0.0
oracle/commerce_platform 11.1.0
oracle/commerce_platform 11.2.0
oracle/commerce_platform 11.3.0 - 11.3.2
oracle/communications_diameter_signaling_router 8.0.0 - 8.2.2
... and 12 more
Published: Jan 15, 2020
KEV Added: Nov 03, 2021
Tracked Since: Feb 18, 2026