## https://sploitus.com/exploit?id=SAINT:880C926D2511DE57F08789A66AFE11F2
Added: 05/27/2020  
CVE: [CVE-2020-2555](<https://vulners.com/cve/CVE-2020-2555>)  


### Background

[Oracle WebLogic Server](<http://www.bea.com/framework.jsp?CNT=index.htm&FP=/content/products/weblogic/>) (formerly BEA WebLogic Server) is a Java web application platform. 

### Problem

A Java object deserialization vulnerability in WebLogic allows unauthenticated remote code execution by sending a serialized `BadAttributeValueExpException` object over the T3 protocol. 
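A defender-side check for the traffic described above, added here as an example and not part of the advisory: it scans a captured payload for Java serialization class descriptors and reports the class the advisory names. The function names and sample bytes are constructed for illustration, and `javax.management` is the JDK package of that class, which the advisory does not spell out.

```python
import re
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"  # Java serialization stream magic + version 5
TC_CLASSDESC = 0x72                  # type code that opens a class descriptor
# JDK fully qualified name of the class the advisory names.
WATCHED = {"javax.management.BadAttributeValueExpException"}
_NAME = re.compile(rb"[\w.$\[;]+")   # bytes that can appear in a serialized class name


def serialized_classes(buf: bytes) -> list[str]:
    """Return class names declared after the first serialization magic in buf."""
    names = []
    i = buf.find(STREAM_MAGIC)
    if i == -1:
        return names
    i += len(STREAM_MAGIC)
    while i + 3 <= len(buf):
        if buf[i] == TC_CLASSDESC:
            (n,) = struct.unpack_from(">H", buf, i + 1)  # 2-byte big-endian length
            raw = buf[i + 3 : i + 3 + n]
            if n and len(raw) == n and _NAME.fullmatch(raw):
                names.append(raw.decode("ascii"))
                i += 3 + n  # resume scanning after the class name
                continue
        i += 1
    return names


def watched_hits(buf: bytes) -> list[str]:
    """Return the watched class names that appear in buf."""
    return sorted(WATCHED.intersection(serialized_classes(buf)))


def _classdesc(name: str) -> bytes:
    """Build a constructed class descriptor header (serialVersionUID zeroed)."""
    b = name.encode("ascii")
    return bytes([TC_CLASSDESC]) + struct.pack(">H", len(b)) + b + b"\x00" * 8


# Constructed samples: 4 arbitrary framing bytes, stream magic, TC_OBJECT, descriptor.
SAMPLE_HIT = b"\x00\x00\x00\x45" + STREAM_MAGIC + b"\x73" + _classdesc(
    "javax.management.BadAttributeValueExpException")
SAMPLE_CLEAN = b"\x00\x00\x00\x2a" + STREAM_MAGIC + b"\x73" + _classdesc("java.util.ArrayList")

if __name__ == "__main__":
    for label, data in (("hit", SAMPLE_HIT), ("clean", SAMPLE_CLEAN)):
        print(label, serialized_classes(data), watched_hits(data))
```

A hit is an indicator to triage, not proof of exploitation: the scan is heuristic and the class is a standard JDK class.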

### Resolution

Apply the patch referenced in [Oracle Critical Patch Update Advisory - January 2020](<https://www.oracle.com/security-alerts/cpujan2020.html>). 

### References

<https://www.oracle.com/security-alerts/cpujan2020.html>  


### Limitations

Exploit works on Oracle WebLogic Server 12.1.3.0.0, 12.2.1.3.0, and 12.2.1.4.0 on Windows. 

### Platforms

Windows