CVE-2019-2725

CVE Database · CVE-2019-2725

CVE-2019-2725

· CRITICALAnalyzed

CVSS v3.1

9.8

EPSS

99.96%

Published

Apr 26, 2019

Modified

Oct 27, 2025

CISA Known Exploited Vulnerability

Added: 2022-01-10 · Due: 2022-07-10

Apply updates per vendor instructions.

Public PoC / Exploit (12)

All weaponized →

Exploit-DBOracle Weblogic Server - 'AsyncResponseService' Deserialization Remote Code Execution (Metasploit)Exploit-DBOracle Weblogic 10.3.6.0.0 / 12.1.3.0.0 - Remote Code Execution NucleiNuclei detection template TrickestTrickest PoC index GitHub PoCshack2/javaserializetools★513 GitHub PoClufeirider/CVE-2019-2725★433 GitHub PoCSkyBlueEternal/CNVD-C-2019-48814-CNNVD-201904-961★105 GitHub PoCblack-mirror/Weblogic★70 GitHub PoCpimps/CVE-2019-2725★52 GitHub PoCjiansiting/CVE-2019-2725★35 GitHub PoClasensio/cve-2019-2725★21 GitHub PoCkerlingcode/CVE-2019-2725★11

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0.0 and 12.1.3.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-74

Affected Products (18)

oracle · agile_plmvulnerable

oracle · communications_converged_application_servervulnerable

oracle · peoplesoft_enterprise_peopletoolsvulnerable

oracle · storagetek_tape_analytics_sw_tool

References (17)

http://packetstormsecurity.com/files/152756/Oracle-Weblogic-Server-Deserialization-Remote-Code-Execution.html

Third Party AdvisoryVDB Entry