Associated Vulnerability
Title:Oracle Fusion Middleware WebLogic Server 安全漏洞 (CVE-2020-2551)Description:Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: WLS Core Components). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Description
CVE-2020-2551
Readme
# 🌐 **CVE-2020-2551** Unauthenticated RCE in Oracle WebLogic Server via IIOP
<img width="900" height="500" alt="t01870efe86826eb5bc" src="https://github.com/user-attachments/assets/b3685cde-d5c3-41da-98c4-353099752b36" />
> **"A single IIOP packet can own your WebLogic server."**
> — *Security Researcher, 2020*
---
## 🎯 **Vulnerability Snapshot**
| **Attribute** | **Details** |
|---------------------------|-----------------------------------------------------------------------------|
| **CVE ID** | `CVE-2020-2551` |
| **Published** | January 15, 2020 |
| **CVSS v3.1** | **9.8 (Critical)** |
| **Vector** | `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` |
| **Component** | WLS Core – IIOP (T3/IIOP Listener) |
| **Exploitability** | Public PoCs, Actively Exploited in the Wild |
| **Patch** | Oracle January 2020 CPU |
---
```mermaid
graph TD
subgraph "CVE-2020-2551: WebLogic IIOP RCE"
A[🌐 **CVE-2020-2551**] --> B{Unauthenticated<br>Network Attack}
B -->|IIOP Request| C[📦 Malicious JNDI Payload]
C --> D[🔓 Insecure Deserialization]
D --> E[⚡ Remote Code Execution]
E --> F[🏴☠️ Full Server Compromise]
style A fill:#ff4d4d,stroke:#cc0000,color:#fff
style B fill:#ff9966,stroke:#cc4400
style C fill:#ffcc00,stroke:#cc9900
style D fill:#ff6666,stroke:#cc3333
style E fill:#cc0000,stroke:#990000,color:#fff
style F fill:#330000,stroke:#660000,color:#ffcccc
end
subgraph "Impact & CVSS"
G[CVSS 9.8<br>🔥 Critical]
H[Confidentiality: High]
I[Integrity: High]
J[Availability: High]
G --> H & I & J
style G fill:#cc0000,stroke:#990000,color:#fff
style H fill:#ff4d4d,stroke:#cc0000,color:#fff
style I fill:#ff4d4d,stroke:#cc0000,color:#fff
style J fill:#ff4d4d,stroke:#cc0000,color:#fff
end
subgraph "Exploitation Flow"
K[1. Craft IIOP Packet] --> L[2. Trigger JtaTransactionManager]
L --> M[3. JNDI Lookup to Attacker LDAP]
M --> N[4. Load Malicious Class]
N --> O[5. Execute Payload]
style K fill:#1a1a1a,stroke:#00ff00,color:#00ff00
style L fill:#1a1a1a,stroke:#00ff00,color:#00ff00
style M fill:#1a1a1a,stroke:#00ff00,color:#00ff00
style N fill:#1a1a1a,stroke:#00ff00,color:#00ff00
style O fill:#1a1a1a,stroke:#00ff00,color:#00ff00
end
A --> G
A --> K
```
---
## 🛡️ **Remediation Checklist**
```diff
+ [ ] Apply Oracle January 2020 Critical Patch Update
+ [ ] Disable IIOP if unused: -Dweblogic.iiop.enable=false
+ [ ] Block T3/IIOP ports (7001, 7002) from internet
+ [ ] Enable Java Deserialization Filter (JEP 290)
+ [ ] Upgrade to WebLogic 14.1.1+ (supported as of 2025)
- [ ] Unpatched 10.3.6 / 12.1.3 instances in production
```
---
## 📡 **Detection Signatures**
```yaml
# Example: Snort / Suricata Rule
alert tcp any any -> $HOME_NET 7001:7002 (msg:"CVE-2020-2551 WebLogic IIOP RCE Attempt";
content:"|49 49 4f 50|"; depth:4; # IIOP Magic
content:"JtaTransactionManager"; distance:0;
classtype:attempted-admin; sid:1000001; rev:1;)
```
<img width="1920" height="958" alt="CVE-2020-2551" src="https://github.com/user-attachments/assets/aeb4bca7-053e-47c8-a3f9-17dfc7c50039" />
---
## 🔗 **Key References**
| Source | Link |
|-------|------|
| **NVD** | [nvd.nist.gov/vuln/detail/CVE-2020-2551](https://nvd.nist.gov/vuln/detail/CVE-2020-2551) |
| **Oracle CPU** | [oracle.com/security-alerts/cpujan2020.html](https://www.oracle.com/security-alerts/cpujan2020.html) |
| **PoC (GitHub)** | [github.com/jas502n/CVE-2020-2551](https://github.com/jas502n/CVE-2020-2551) |
| **Technical Writeup** | [medium.com/@qazbnm456/cve-2020-2551](https://medium.com/@qazbnm456/cve-2020-2551-unauthenticated-remote-code-execution-in-iiop-protocol-via-malicious-jndi-lookup-119bac7c1eb2) |
---
> **🛑 Legacy WebLogic systems remain prime targets in 2025.**
> **Patch now or become a statistic.**
---
*Styled with clarity, urgency, and visual hierarchy for security teams, CISOs, and developers.*
*Built for Markdown, Mermaid, and terminal-friendly rendering.*
File Snapshot
[4.0K] /data/pocs/7eccb531307b720dfce531e0a0b79baf923027fc
└── [4.6K] README.md
1 directory, 1 file
Remarks
1. It is advised to access via the original source first.
2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →