CVE-2019-2725

CVE-2019-2725 is a critical-severity vulnerability in Oracle Agile Plm with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-01-10). The underlying weakness is classified as CWE-74.

Key facts

Description

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0.0 and 12.1.3.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

CVE-2019-2725: Critical Oracle WebLogic Server Deserialization Vulnerability

AI-generated analysis based on the vulnerability data on this page.

Field Value
CVE CVE-2019-2725
CVSS v3 9.8 (CRITICAL)
CVSS v2 7.5
EPSS 0.99964
KEV Yes (since 2022-01-10)
CWE CWE-74 (Injection)
Product Oracle WebLogic Server
Attack Vector Network / Unauthenticated

Summary

CVE-2019-2725 is a critical deserialization vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware. The flaw resides in the Web Services subcomponent and allows an unauthenticated attacker with network access to compromise the server via HTTP.

Background

Oracle WebLogic Server is a widely deployed Java EE application server used for enterprise applications. The vulnerability affects the Web Services component, which handles XML-based requests. In April 2019, Oracle published an out-of-band security alert for this vulnerability, indicating its severity and active exploitation risk.

Root Cause

The vulnerability is classified as CWE-74 (Injection). It stems from unsafe deserialization of input data within the WebLogic Web Services component. When an attacker sends a crafted serialized payload (often embedded in XML), the server deserializes it without adequate validation, leading to arbitrary code execution. This is a classic Java deserialization attack where untrusted data is passed to a deserializer that reconstructs objects, potentially invoking dangerous gadget chains.

Impact

  • CVSS 3.0 Score: 9.8 (CRITICAL)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Confidentiality: HIGH — attacker can access sensitive data
  • Integrity: HIGH — attacker can modify system data and configuration
  • Availability: HIGH — attacker can disrupt service or take down the server

Successful exploitation allows an unauthenticated remote attacker to take complete control of the Oracle WebLogic Server instance.

Exploitation Walkthrough

Attackers typically target exposed WebLogic endpoints by sending crafted HTTP requests containing malicious serialized payloads. These payloads exploit known Java deserialization gadget chains to execute arbitrary commands on the server.

Defensive Notes:

  • Network traffic to WebLogic HTTP/HTTPS ports should be monitored for unusually large POST bodies or XML payloads containing serialized objects.
  • Web Application Firewalls (WAFs) should be configured with rules to detect and block known deserialization exploit patterns.
  • Intrusion Detection Systems (IDS) can alert on signatures matching CVE-2019-2725 exploit attempts.

⚠️ Ethics Note: This section describes the attack vector at a generic, defensive level only. Do not use this information for unauthorized access or testing without explicit permission.

Affected and Patched Versions

Affected Oracle WebLogic Server versions:

  • 10.3.6.0.0
  • 12.1.3.0.0

Other affected Oracle products (bundling WebLogic):

  • Oracle Agile PLM (9.3.3, 9.3.4, 9.3.5)
  • Oracle Communications Converged Application Server (5.1, 7.0, 7.1)
  • Oracle PeopleSoft Enterprise PeopleTools (8.56, 8.57, 8.58)
  • Oracle VM VirtualBox (5.2.36 and earlier)
  • Oracle StorageTek Tape Analytics SW Tool (2.3)
  • Oracle Tape Library ACSLS (8.5)
  • Oracle Tape Virtual Storage Manager GUI (6.2)

Patched Versions: Oracle released out-of-band security updates. Administrators should apply the patches from Oracle Security Alert CVE-2019-2725 and subsequent CPU releases.

Remediation

  1. Apply Patches: Install the Oracle Critical Patch Update or security alert patches for CVE-2019-2725 as soon as possible.
  2. Network Segmentation: Restrict network access to WebLogic administration and application ports (e.g., 7001, 8001) to authorized hosts only.
  3. Web Application Firewall: Deploy WAF rules that detect and block deserialization attack payloads.
  4. Input Validation: Implement strict input validation on Web Services endpoints; reject unexpected serialized object types.
  5. Disable Unnecessary Endpoints: Disable or remove unused Web Services endpoints to reduce attack surface.

Detection

  • Monitor HTTP access logs for large POST requests to WebLogic endpoints.
  • Alert on connections from untrusted IP ranges to WebLogic ports.
  • Use SIEM correlation rules to detect known exploit indicators for CVE-2019-2725.
  • Review system logs for unexpected process execution or outbound connections from WebLogic server processes.

Assessment

CVE-2019-2725 carries an EPSS score of 0.99964 (99.96% probability of exploitation) and is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog since 2022-01-10. The combination of unauthenticated remote exploitation, low attack complexity, and a CVSS 3.0 score of 9.8 makes this a priority patching item.

Key Lessons:

  1. Java deserialization vulnerabilities continue to be a high-impact attack vector in enterprise middleware.
  2. KEV-listed vulnerabilities with high EPSS scores demand immediate remediation within CISA-mandated timelines.
  3. Out-of-band security alerts from vendors like Oracle are strong indicators of active exploitation in the wild.

References

Frequently asked questions

What is CVE-2019-2725?
Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0.0 and 12.1.3.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
How severe is CVE-2019-2725?
CVE-2019-2725 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2019-2725 being actively exploited?
Yes. CVE-2019-2725 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-01-10, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2019-2725?
CVE-2019-2725 primarily affects Oracle Agile Plm. In total, 16 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2019-2725?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2019-2725 have an EU (EUVD) identifier?
Yes. CVE-2019-2725 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2019-12364. It is also flagged as exploited in the EUVD (since 2022-01-10).
When was CVE-2019-2725 published?
CVE-2019-2725 was published on 2019-04-26 and last updated on 2026-06-17.

References

Affected products (16)

More vulnerabilities in Oracle Agile Plm

All CVEs affecting Oracle Agile Plm →

Other CWE-74 (Improper Neutralization of Special Elements (Injection)) vulnerabilities

Browse all CWE-74 (Improper Neutralization of Special Elements (Injection)) vulnerabilities →