Vulnerability detail
Enriched intelligence for a single CVE
High
CVE-2019-2725
PUBLISHED
- Vendor: Oracle Corporation
- Product: Tape Library ACSLS
- Published: Apr 26, 2019
- EPSS: —
Description
Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0.0 and 12.1.3.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
CVSS scores
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SSVC decision points
- Exploitation: active
- Automatable: Yes
- Technical impact: partial
References
- http://www.securityfocus.com/bid/108074
- http://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html
- https://support.f5.com/csp/article/K90059138
- https://www.exploit-db.com/exploits/46780/
- http://packetstormsecurity.com/files/152756/Oracle-Weblogic-Server-Deserialization-Remote-Code-Execution.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/alert-cve-2019-2725.html#AppendixFMW
Known exploited vulnerability sources
Catalogues that list this CVE as a known exploited vulnerability.
| Source | Added |
|---|---|
| CISA | Jan 10, 2022 |
Scanner integrations
| Scanner | Reference | Detected |
|---|---|---|
| Metasploit | https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/misc/weblogic_deserialize_asyncresponseservice.rb | Apr 28, 2025 |
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2019/CVE-2019-2725.yaml | Apr 25, 2025 |
Potential proof of concepts
These PoCs are unverified and could contain malware. Use at your own risk.
metasploit · Created Unknown
Metasploit module for CVE-2019-2725
github · Created 2019-08-23 01:42:57 UTC · 47 stars
WebLogic Insecure Deserialization - CVE-2019-2725 payload builder & exploit
github · Created 2019-06-16 06:17:09 UTC · 11 stars
CVE-2019-2725 bypass pocscan and exp
github · Created 2019-06-11 00:49:56 UTC · 2 stars
github · Created 2019-06-10 05:12:44 UTC · 190 stars
CVE-2019-2725 command echo + webshell upload + latest bypass
github · Created 2019-05-05 08:34:20 UTC · 2 stars
github · Created 2019-05-02 21:09:36 UTC · 1 stars
github · Created 2019-04-28 02:18:42 UTC · 11 stars
Timeline
- CVE ID Reserved
- CVE Published to Public
- Exploit Used in Malware
- Added to KEVIntel
- Detected by Nuclei
- Detected by Metasploit