CVE-2025-21535

9.8 CRITICAL

📋 TL;DR

CVE-2025-21535 is a critical vulnerability in Oracle WebLogic Server that allows unauthenticated attackers to remotely execute arbitrary code and completely compromise affected servers. The vulnerability affects WebLogic Server versions 12.2.1.4.0 and 14.1.1.0.0, and can be exploited via T3 or IIOP protocols without any authentication.

💻 Affected Systems

Products:
  • Oracle WebLogic Server
Versions: 12.2.1.4.0 and 14.1.1.0.0
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the Core component and affects default installations with T3/IIOP enabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server takeover leading to data theft, ransomware deployment, lateral movement within the network, and persistent backdoor installation.

🟠 Likely Case: Remote code execution resulting in cryptocurrency mining, data exfiltration, or botnet recruitment.

🟢 If Mitigated: Limited impact if network segmentation, strict firewall rules, and authentication requirements are properly implemented.

🌐 Internet-Facing: HIGH - Unauthenticated remote exploitation with CVSS 9.8 score makes internet-facing servers extremely vulnerable.
🏢 Internal Only: HIGH - Even internal servers are at high risk, because exploitation requires only unauthenticated network access to the T3/IIOP listener.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is described as 'easily exploitable': an attacker needs only network access to the server via the T3 or IIOP protocols, with no credentials or user interaction.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply Critical Patch Update from January 2025 security advisory

Vendor Advisory: https://www.oracle.com/security-alerts/cpujan2025.html

Restart Required: Yes

Instructions:

1. Download the Critical Patch Update from Oracle Support.
2. Apply the patch following Oracle's patching procedures.
3. Restart WebLogic Server instances.
4. Verify patch application.

🔧 Temporary Workarounds

Block T3/IIOP Protocols (platform: Linux)

Configure firewall rules to block T3 (port 7001) and IIOP (port 7002) traffic from untrusted networks.

iptables -A INPUT -p tcp --dport 7001 -j DROP
iptables -A INPUT -p tcp --dport 7002 -j DROP

Note: as written, these two rules drop all inbound traffic to both ports, including legitimate clients. Insert ACCEPT rules for the trusted source ranges ahead of them (for example with iptables -I) before appending the DROP rules, persist the rule set so it survives a reboot, and confirm with iptables -L -n that the ordering is what you expect.

Enable Authentication (platform: all)

Configure WebLogic to require authentication for T3 and IIOP connections, and use WebLogic's built-in connection filter to restrict which source addresses may use those protocols at all.

🧯 If You Can't Patch

  • Isolate affected servers using network segmentation and strict firewall rules
  • Implement web application firewall (WAF) rules to detect and block exploit attempts

🔍 How to Verify

Check if Vulnerable:

With the WebLogic environment loaded (source setWLSEnv.sh from the server's bin directory so the classpath is set), run:

java weblogic.version

A server reporting 12.2.1.4.0 or 14.1.1.0.0 without the January 2025 Critical Patch Update is affected.

Verify Fix Applied:

Confirm the patch is applied by checking the version output again and reviewing the OPatch inventory (opatch lsinventory) and Oracle patch logs for the January 2025 CPU patch.

📡 Detection & Monitoring

Log Indicators:

  • Unusual T3/IIOP connection attempts
  • Unexpected process execution
  • Authentication bypass attempts

Network Indicators:

  • Unusual traffic on ports 7001/7002
  • Suspicious payloads in T3/IIOP protocols

SIEM Query:

source="weblogic.log" AND ("T3" OR "IIOP") AND ("error" OR "exception" OR "unauthorized")
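As an added example (not part of the original page), the following Python filter applies the same logic as the SIEM query above to a few constructed, simplified WebLogic-style log lines, and additionally flags T3/IIOP connections from addresses outside an assumed trusted range (10.0.0.0/8 is an assumption for this example).

```python
import ipaddress
import re

# Constructed sample lines in a simplified WebLogic server-log style; not real logs.
SAMPLE_LOG = """\
####<Jan 22, 2025 10:15:03 AM> <Info> <RJVM> <AdminServer> <Opened T3 connection from 10.0.5.12:51022>
####<Jan 22, 2025 10:15:09 AM> <Warning> <RJVM> <AdminServer> <Opened T3 connection from 203.0.113.7:44120>
####<Jan 22, 2025 10:15:10 AM> <Error> <RJVM> <AdminServer> <T3 request failed: java.lang.ClassCastException during deserialization>
####<Jan 22, 2025 10:15:11 AM> <Info> <IIOP> <AdminServer> <IIOP connection from 203.0.113.7:44131 rejected: unauthorized>
####<Jan 22, 2025 10:16:00 AM> <Info> <HTTP> <AdminServer> <GET /console 200 from 10.0.5.12:51033>
"""

# Assumption: internal clients that legitimately use T3/IIOP live in this range.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

PROTO_RE = re.compile(r"\b(T3|IIOP)\b")
# Same terms as the SIEM query: "error" OR "exception" OR "unauthorized".
ERROR_RE = re.compile(r"error|exception|unauthorized", re.IGNORECASE)
ADDR_RE = re.compile(r"from (\d+\.\d+\.\d+\.\d+):\d+")


def is_trusted(addr: str) -> bool:
    """True if the source address falls inside an allowlisted network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_NETWORKS)


def scan_log(text: str) -> list:
    """Return (kind, protocol, line) findings for T3/IIOP log lines.

    kind is "protocol-error" when the line matches the SIEM query terms and
    "untrusted-source" when the connecting address is outside TRUSTED_NETWORKS.
    A single line can produce both findings.
    """
    findings = []
    for line in text.splitlines():
        proto_match = PROTO_RE.search(line)
        if not proto_match:
            continue  # only T3/IIOP lines are of interest here
        proto = proto_match.group(1)
        if ERROR_RE.search(line):
            findings.append(("protocol-error", proto, line))
        addr_match = ADDR_RE.search(line)
        if addr_match and not is_trusted(addr_match.group(1)):
            findings.append(("untrusted-source", proto, line))
    return findings


if __name__ == "__main__":
    for kind, proto, line in scan_log(SAMPLE_LOG):
        print(f"[{kind}] {proto}: {line}")
```

The sample above yields four findings: one untrusted T3 connection, one T3 error, and an IIOP line that is both unauthorized and from an untrusted source.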
