CVE-2017-10271

CVE-2017-10271 is a high-severity vulnerability in Oracle Weblogic Server with a CVSS 3.x base score of 7.5. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-02-10). The underlying weakness is classified as CWE-306.

Key facts

Description

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Security). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

CVE-2017-10271: Oracle WebLogic Server WLS Security Unauthenticated Remote Compromise via T3

AI-generated analysis based on the vulnerability data on this page.

Field Value
CVE ID CVE-2017-10271
CVSS v3 7.5 (High)
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS 0.99993
KEV Yes (CISA catalog, added 2022-02-10)
CWE CWE-306
Product Oracle WebLogic Server
Affected Versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0, 12.2.1.2.0

Summary

A vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Security) allows unauthenticated attackers with network access via the T3 protocol to compromise the server. Successful attacks can result in takeover of the affected WebLogic Server instance.

Background

Oracle WebLogic Server is a Java EE application server widely deployed in enterprise environments for hosting business-critical applications. The T3 protocol is Oracle's proprietary remote method invocation (RMI) protocol used for communication between WebLogic Server instances and clients. This vulnerability resides in the WLS Security subcomponent, which is responsible for authentication and authorization within the WebLogic domain.

Root Cause

CWE-306: Missing Authentication for Critical Function

The vulnerability stems from a missing authentication requirement for a critical function exposed through the T3 protocol. An attacker can access this functionality without presenting valid credentials, violating the security boundary between untrusted network clients and the server's internal security management interfaces. The lack of proper authentication checks allows the attacker to reach security-sensitive operations that should require administrative privileges or authenticated sessions.

Impact

The vulnerability is scored CVSS v3 7.5 (High) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.

  • Attack Vector: Network (AV:N) — exploitable remotely
  • Attack Complexity: Low (AC:L) — no special conditions required
  • Privileges Required: None (PR:N) — unauthenticated exploitation
  • User Interaction: None (UI:N) — no victim interaction needed
  • Scope: Unchanged (S:U)
  • Availability Impact: High (A:H) — successful attacks severely impact availability

Notably, the Oracle description states that successful attacks can result in "takeover of Oracle WebLogic Server," while the CVSS v3 metrics only score availability impact as High. The CVSS v2 score is 5.0 with the vector AV:N/AC:L/Au:N/C:N/I:N/A:P.

Exploitation Walkthrough (Defensive Perspective)

From a defensive standpoint, exploitation proceeds as follows:

  1. Reconnaissance: The attacker identifies an exposed WebLogic Server instance listening on the T3 port (typically 7001/TCP or the T3S secure variant).
  2. Protocol Access: The attacker establishes a T3 protocol connection to the server. Because the vulnerable endpoint lacks authentication, the attacker can reach the affected WLS Security component without valid credentials.
  3. Security Boundary Bypass: Through the unauthenticated T3 channel, the attacker interacts with security management functions that should be restricted to authenticated administrative users.

Ethics caveat: This walkthrough is provided for defensive understanding only. No weaponized exploit code or step-by-step attack instructions are included. Security teams should use this knowledge to improve detection and hardening rather than for offensive operations.

Affected and Patched Versions

Affected versions (per NVD CPE data):

  • Oracle WebLogic Server 10.3.6.0.0
  • Oracle WebLogic Server 12.1.3.0.0
  • Oracle WebLogic Server 12.2.1.1.0
  • Oracle WebLogic Server 12.2.1.2.0

Patched versions: Oracle released security patches as part of the October 2017 Critical Patch Update. Organizations should consult Oracle Support for the specific patch release for their WebLogic Server version.

Remediation

  1. Apply Oracle patches: Install the relevant patch from Oracle's October 2017 CPU (Critical Patch Update) for your affected WebLogic Server version.
  2. Network segmentation: Restrict T3 traffic (port 7001/TCP by default) to trusted administrative hosts and server-to-server communication paths only. Do not expose T3 ports to untrusted networks or the internet.
  3. Disable T3 if unnecessary: If the T3 protocol is not required for your deployment, disable or block it at the network perimeter.
  4. Upgrade: Consider upgrading to a supported WebLogic Server version that includes the fix.

Detection

  • Network monitoring: Monitor for unexpected T3 protocol connections to WebLogic Server instances from unauthorized source IP addresses.
  • Authentication logs: Review security audit logs for anomalous access patterns to WLS Security management functions.
  • Traffic analysis: Look for large or unexpected payloads over T3 channels, which may indicate exploitation attempts.
  • CISA KEV: This vulnerability is tracked in the CISA Known Exploited Vulnerabilities catalog; ensure your vulnerability management program prioritizes KEV-listed CVEs.

Assessment

With an EPSS score of 0.99993 and a percentile of 0.99986, this vulnerability has an exceptionally high probability of being exploited in the wild. Its inclusion in the CISA KEV catalog (added 2022-02-10) and confirmed EU exploited status confirm active, real-world exploitation. The presence of multiple exploit-db entries and public proof-of-concept code further elevates the risk.

Key lessons:

  1. Attack surface reduction: Proprietary protocols like T3 should never be exposed to untrusted networks. Their security history is often less scrutinized than standard HTTP/HTTPS interfaces.
  2. Authentication as a non-negotiable control: Missing authentication on critical security functions is a fundamental design flaw that bypasses the entire security model. Every administrative and security-sensitive interface must require strong authentication.

References

Frequently asked questions

What is CVE-2017-10271?
Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Security). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
How severe is CVE-2017-10271?
CVE-2017-10271 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability high.
Is CVE-2017-10271 being actively exploited?
Yes. CVE-2017-10271 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-02-10, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2017-10271?
CVE-2017-10271 primarily affects Oracle Weblogic Server. In total, 4 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2017-10271?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2017-10271 have an EU (EUVD) identifier?
Yes. CVE-2017-10271 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2017-1918. It is also flagged as exploited in the EUVD (since 2022-02-10).
When was CVE-2017-10271 published?
CVE-2017-10271 was published on 2017-10-19 and last updated on 2026-06-17.

References

Affected products (4)

More vulnerabilities in Oracle Weblogic Server

All CVEs affecting Oracle Weblogic Server →

Other CWE-306 (Missing Authentication for Critical Function) vulnerabilities

Browse all CWE-306 (Missing Authentication for Critical Function) vulnerabilities →