CVE-2020-2883

CRITICAL · KEV · NUCLEI

Oracle Access Manager unauthenticated Remote Code Execution

Title source: metasploit

Exploitation Summary

CVE-2020-2883 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added January 7, 2025. EIP tracks 11 public exploits from researchers including Y4er, MagicZer0 and Al1ex, among them the Metasploit module exploits/multi/http/oracle_access_manager_rce_cve_2021_35587. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains functional exploit code for CVE-2020-2883, a deserialization vulnerability in WebLogic. It includes detailed technical analysis, proof-of-concept code for Java deserialization attacks, and memory shell injection techniques.

Description

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP, T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Exploits (11)

nomisec WORKING POC 535 stars
by Y4er · remote
https://github.com/Y4er/WebLogic-Shiro-shell

This repository contains functional exploit code for CVE-2020-2883, a deserialization vulnerability in WebLogic. It includes detailed technical analysis, proof-of-concept code for Java deserialization attacks, and memory shell injection techniques.

Classification: Working Poc 95%
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Oracle WebLogic Server
No auth needed
Prerequisites: Network access to vulnerable WebLogic server · Java runtime environment
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 176 stars
by Y4er · remote
https://github.com/Y4er/CVE-2020-2883

This repository contains a functional exploit for CVE-2020-2883, a deserialization vulnerability in Oracle WebLogic Server. The exploit leverages a crafted PriorityQueue with a ChainedExtractor to achieve remote code execution (RCE) by manipulating serialized objects.

Classification: Working Poc 95%
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Oracle WebLogic Server
No auth needed
Prerequisites: Network access to the target WebLogic Server · T3 protocol access on port 7001
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 15 stars
by MagicZer0 · poc
https://github.com/MagicZer0/Weblogic_CVE-2020-2883_POC

This repository contains functional exploit code for CVE-2020-2883, a deserialization vulnerability in Oracle WebLogic. It includes two distinct gadget chains (Gadget1 and Gadget2) that leverage Java deserialization to achieve remote code execution (RCE) via crafted payloads.

Classification: Working Poc 95%
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Oracle WebLogic Server
No auth needed
Prerequisites: Access to a vulnerable WebLogic server · Ability to send crafted T3 protocol requests
devstral-2 · analyzed Feb 19, 2026
nomisec WORKING POC 5 stars
by Al1ex · remote
https://github.com/Al1ex/CVE-2020-2883

This repository contains functional exploit code for CVE-2020-2883, a deserialization vulnerability in Oracle WebLogic Server. It includes two distinct gadget chains leveraging PriorityQueue and Tangosol extractors to achieve remote code execution (RCE) via crafted T3 protocol payloads.

Classification: Working Poc 95%
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Oracle WebLogic Server (versions affected by CVE-2020-2883)
No auth needed
Prerequisites: Network access to WebLogic T3 port (default 7001) · Vulnerable WebLogic Server version
devstral-2 · analyzed Feb 19, 2026
nomisec WORKING POC 2 stars
by FancyDoesSecurity · remote-auth
https://github.com/FancyDoesSecurity/CVE-2020-2883

This repository contains a functional exploit for CVE-2020-2883, a deserialization vulnerability in Oracle Coherence. The exploit sends a crafted T3 protocol payload to achieve remote code execution (RCE) on vulnerable Oracle Coherence servers.

Classification: Working Poc 95%
Attack Type: Rce
Complexity: Moderate
Reliability: Reliable
Target: Oracle Coherence (versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0)
No auth needed
Prerequisites: Network access to the target Oracle Coherence server · T3 protocol access
devstral-2 · analyzed Feb 19, 2026
nomisec WORKING POC
by Qynklee · remote
https://github.com/Qynklee/POC_CVE-2020-2883

This repository contains a functional exploit PoC for CVE-2020-2883, leveraging Java deserialization vulnerabilities in Oracle WebLogic Server. The exploit uses crafted gadget chains (e.g., BadAttributeValueExpException, PriorityQueue) to achieve remote code execution (RCE) via reflection and method invocation.

Classification: Working Poc 95%
Attack Type: Rce
Complexity: Moderate
Reliability: Reliable
Target: Oracle WebLogic Server
No auth needed
Prerequisites: Access to a vulnerable Oracle WebLogic Server instance · Network connectivity to the target
devstral-2 · analyzed Feb 18, 2026
nomisec STUB
by ZZZWD · poc
https://github.com/ZZZWD/CVE-2020-2883

The repository contains only a minimal README with a CVE reference and version compatibility notes, lacking any exploit code or technical details.

Classification: Stub 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: Oracle WebLogic Server (versions 12.2.1.3 and 12.2.1.4)
No auth needed
devstral-2 · analyzed Feb 19, 2026
metasploit WORKING POC EXCELLENT
by Jang, Peterjson, Y4er, sfewer-r7 · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/oracle_access_manager_rce_cve_2021_35587.rb

This Metasploit module exploits an unauthenticated deserialization vulnerability in Oracle Access Manager (OAM) by sending a crafted XML payload to the OpenSSO Agent endpoint, leading to remote code execution. It includes version-specific gadget chains and supports multiple platforms (Linux, Windows, Unix).

Classification: Working Poc 100%
Attack Type: Rce
Complexity: Moderate
Reliability: Reliable
Target: Oracle Access Manager (11.1.2.3.0, 12.2.1.3.0, 12.2.1.4.0)
No auth needed
Prerequisites: Network access to the OAM server (default port 14100) · Vulnerable version of Oracle Access Manager
devstral-2 · analyzed Apr 30, 2026
vulncheck_xdb WORKING POC
remote
https://github.com/zzwlpx/weblogicPoc

This repository contains functional exploit code for CVE-2020-2551, a WebLogic IIOP deserialization vulnerability. The PoC includes Java-based exploit code that leverages RMI to achieve remote code execution on vulnerable WebLogic servers.

Classification: Working Poc 95%
Attack Type: Rce
Complexity: Moderate
Reliability: Reliable
Target: Oracle WebLogic Server 10.3.6
No auth needed
Prerequisites: Java environment matching the target WebLogic version · Access to the target WebLogic server's IIOP port · RMI server hosting malicious payload
devstral-2 · analyzed Feb 25, 2026
vulncheck_xdb SCANNER
remote
https://github.com/0xn0ne/weblogicScanner

This repository contains a Python-based scanner for detecting multiple WebLogic vulnerabilities, including CVE-2020-2883. It checks for the presence of vulnerable modules but does not include exploit code for achieving remote code execution or other offensive actions.

Classification: Scanner 95%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: Oracle WebLogic Server
No auth needed
Prerequisites: Network access to target WebLogic server · Python 3.6 or higher
devstral-2 · analyzed Feb 25, 2026
metasploit WORKING POC NORMAL
by Quynh Le, Y4er, Shelby Pace, Steve Embling · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/misc/weblogic_deserialize_badattr_extcomp.rb

This Metasploit module exploits a Java deserialization vulnerability (CVE-2020-2883) in Oracle WebLogic Server by sending a malicious serialized `BadAttributeValueExpException` object over the T3 protocol. It achieves unauthenticated remote code execution by leveraging an `ExtractorComparator` to trigger arbitrary method invocation.

Classification: Working Poc 95%
Attack Type: Rce
Complexity: Moderate
Reliability: Reliable
Target: Oracle WebLogic Server (versions 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0)
No auth needed
Prerequisites: Network access to WebLogic T3 port (default 7001) · Vulnerable WebLogic version
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Oracle WebLogic Server - Remote Code Execution
CRITICAL · VERIFIED · by daffainfo
Shodan: product:"oracle weblogic"

References (5)


Scores

CVSS v3 9.8
EPSS 0.9437
EPSS Percentile 100.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2025-01-07
VulnCheck KEV 2020-04-30
InTheWild.io 2020-05-04
ENISA EUVD EUVD-2020-22676
Status published
Products (4)
oracle/weblogic_server 10.3.6.0.0
oracle/weblogic_server 12.1.3.0.0
oracle/weblogic_server 12.2.1.3.0
oracle/weblogic_server 12.2.1.4.0
Published Apr 15, 2020
KEV Added Jan 07, 2025
Tracked Since Feb 18, 2026