
Oracle has issued a critical security advisory addressing a high-severity vulnerability in WebLogic Server, identified as CVE-2025-21535. With a CVSS score of 9.8, this flaw could allow unauthenticated remote attackers to execute arbitrary code on targeted systems.
The flaw arises from WebLogic’s insufficient filtering of incoming data through the T3 and IIOP protocols. When either of these protocols is enabled, an attacker can send specially crafted requests to exploit the vulnerability, compromising the system. According to Oracle’s advisory, supported versions impacted include:
- 12.2.1.4.0
- 14.1.1.0.0
The CVE-2025-21535 vulnerability poses significant risks due to WebLogic’s widespread use as a Java EE application server. Known for its scalability and robust services—including Web servers, EJB containers, JMS message queues, and transaction management—WebLogic is a cornerstone in enterprise environments.
To address this critical vulnerability, Oracle has released patches that are available for download via their support portal. For those unable to apply the patch right away, Oracle has outlined temporary measures to mitigate the risks:
1. Restricting T3 Protocol Access
WebLogic Server provides a default connection filter (weblogic.security.net.ConnectionFilterImpl) that allows administrators to control access to the T3 and T3s protocols by source address. By configuring this filter, organizations can restrict T3 connections to trusted networks and block unauthorized clients from reaching the vulnerable protocol.
2. Disabling the IIOP Protocol
Disabling the IIOP protocol can prevent exploitation via this vector. This can be achieved through the WebLogic console:
- Navigate to Service > AdminServer > Protocol.
- Unselect Enable IIOP.
- Restart the WebLogic Server for the changes to take effect.
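As an added illustration of mitigation 1 (this is example code, not from the Oracle advisory or the WebLogic code base), the script below parses rules written in the ConnectionFilterImpl format and evaluates sample connections against them, so a filter can be checked offline before it is deployed. The rule set, the subnet 10.20.0.0/16 and the sample addresses are constructed; the script assumes the documented semantics (rules evaluated top-down, first match wins, no match means allow) and models IP or CIDR targets only, not hostnames.

```python
"""Offline checker for WebLogic connection-filter rules (ConnectionFilterImpl syntax).

Rule format, one per line:  target localAddress localPort action [protocol ...]
Rules are evaluated top-down; the first matching rule decides; no match => allow.
Assumption: targets are IP addresses or CIDR ranges (hostnames are not resolved here).
"""
import ipaddress

# Constructed example: allow T3/T3s only from an internal admin subnet, deny it from everywhere else.
RULES_TEXT = """
# admin subnet may use t3/t3s on any local address and port
10.20.0.0/16 * * allow t3 t3s
# every other source: no t3/t3s at all (other protocols fall through to the default allow)
0.0.0.0/0 * * deny t3 t3s
"""


def parse_rules(text):
    """Return a list of (network, localAddress, localPort, action, protocols) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4 or parts[3] not in ("allow", "deny"):
            raise ValueError(f"malformed rule: {line!r}")
        target, local_addr, local_port, action = parts[:4]
        protocols = {p.lower() for p in parts[4:]}  # empty set => rule applies to all protocols
        network = ipaddress.ip_network(target, strict=False)  # single IP becomes a /32
        rules.append((network, local_addr, local_port, action, protocols))
    return rules


def decide(rules, remote_ip, local_addr, local_port, protocol):
    """Return 'allow' or 'deny' for a connection described by its endpoints and protocol."""
    remote = ipaddress.ip_address(remote_ip)
    for network, l_addr, l_port, action, protos in rules:
        if remote not in network:
            continue
        if l_addr != "*" and l_addr != local_addr:
            continue
        if l_port != "*" and int(l_port) != int(local_port):
            continue
        if protos and protocol.lower() not in protos:
            continue
        return action
    return "allow"  # ConnectionFilterImpl default when no rule matches


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    for ip, proto in (("10.20.5.7", "t3"), ("203.0.113.9", "t3"), ("203.0.113.9", "https")):
        print(ip, proto, "->", decide(rules, ip, "0.0.0.0", 7001, proto))
```

Running the script prints the verdict for each sample connection; feed your own rule text and the addresses of your admin hosts to confirm the filter admits only the intended T3 clients.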