Oracle WebLogic Server CVE-2025-61752: Brief Summary of HTTP/2 Denial of Service Vulnerability

This post provides a brief summary of CVE-2025-61752, a denial of service vulnerability in Oracle WebLogic Server 14.1.1.0.0 and 14.1.2.0.0 that can be exploited via HTTP/2. It covers technical details, affected versions, and vendor security history based on available public information.
ZeroPath CVE Analysis

2025-10-21
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.


Introduction

Service outages in core middleware can bring critical business applications to a standstill. Oracle WebLogic Server, a backbone for enterprise Java workloads, is susceptible to a newly disclosed denial of service vulnerability that can be exploited remotely and without authentication.

Oracle WebLogic Server is a widely deployed Java EE application server used by large enterprises for hosting business-critical applications. It is a flagship product in Oracle's Fusion Middleware suite, with global adoption across finance, healthcare, telecom, and government sectors.

Technical Information

CVE-2025-61752 is a design defect in the HTTP/2 protocol handling of the Core component in Oracle WebLogic Server. The vulnerability allows an unauthenticated attacker with network access to send specially crafted HTTP/2 packets that cause the server to hang or crash repeatedly. The attack does not require any privileges or user interaction, and can be launched remotely over the network.

The vulnerability is characterized by the following CVSS v3.1 vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • AV:N: Attack is possible over the network
  • AC:L: Low attack complexity
  • PR:N: No privileges required
  • UI:N: No user interaction required
  • S:U: Scope is unchanged (impact is limited to the vulnerable component)
  • C:N/I:N/A:H: No confidentiality or integrity impact, high availability impact

The root cause is a design flaw in the HTTP/2 implementation. While Oracle has not published packet-level details, the vulnerability is similar to previous HTTP/2 denial of service issues in WebLogic Server, such as CVE-2025-21549. Attackers can exploit the flaw by sending malformed or specially crafted HTTP/2 frames that trigger a hang or crash condition in the server's core processing logic. This can lead to a complete denial of service, requiring manual intervention or automated recovery to restore service.

No public code snippets or packet structures have been disclosed for this vulnerability. The issue specifically affects HTTP/2 protocol handling and does not impact other protocols or components.

Affected Systems and Versions

  • Oracle WebLogic Server 14.1.1.0.0
  • Oracle WebLogic Server 14.1.2.0.0

Only these versions are confirmed as affected. The vulnerability is present when the HTTP/2 protocol is enabled and accessible over the network. Other versions and configurations are not listed as affected in the available advisories.
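Both preconditions stated above (an affected build and HTTP/2 reachable over the network) can be checked from the defender's side. The following Python is an added example, not part of the original post or of Oracle's tooling: the version list comes from the advisory text, while the ALPN probe is a generic TLS check and assumes the WebLogic listener in question negotiates HTTP/2 through ALPN on a TLS port (the hostname, port and the `assess` verdict strings are this example's own).

```python
"""Exposure triage for CVE-2025-61752.

Added example. Two checks: is the reported WebLogic version one the advisory
lists, and does the listener actually negotiate HTTP/2 (ALPN 'h2')? The
network probe is only used from the command line; the version logic is pure.
"""
import socket
import ssl
import sys
from typing import Optional, Tuple

# Versions named in the advisory. Anything else is reported as not listed,
# not as "safe": the advisory is the only source this check relies on.
AFFECTED_VERSIONS = ("14.1.1.0.0", "14.1.2.0.0")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '14.1.1.0.0' into (14, 1, 1, 0, 0); reject anything non-numeric."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a WebLogic version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_listed_affected(version: str) -> bool:
    """True only for the exact versions the advisory lists."""
    wanted = {parse_version(v) for v in AFFECTED_VERSIONS}
    return parse_version(version) in wanted


def negotiated_alpn(host: str, port: int = 443, timeout: float = 5.0) -> Optional[str]:
    """Open a TLS connection offering h2 first and report what the server picked.

    Returns 'h2' when HTTP/2 is enabled on that listener, 'http/1.1' when the
    server declines h2, or None when it negotiates no ALPN protocol at all.
    Certificate validation stays on; swap in your own SSLContext for an
    internal CA. Requires network access (not exercised by the test).
    """
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(["h2", "http/1.1"])
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.selected_alpn_protocol()


def assess(version: str, alpn: Optional[str]) -> str:
    """Combine both preconditions into a triage verdict (strings are this example's)."""
    if not is_listed_affected(version):
        return "not-listed"           # version not in the advisory's list
    if alpn == "h2":
        return "exposed"              # listed build with HTTP/2 reachable
    return "affected-h2-not-negotiated"  # still patch; DoS path not reachable on this listener


if __name__ == "__main__":
    # Usage: python check.py <host> <weblogic-version> [port]
    host, version = sys.argv[1], sys.argv[2]
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 443
    print(assess(version, negotiated_alpn(host, port)))
```

The verdict deliberately distinguishes "not listed" from "not affected": a version absent from the advisory has simply not been assessed by it, and an affected build on which h2 is not negotiated on one listener may still expose HTTP/2 on another, so the version check, not the probe, should drive patching.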

Vendor Security History

Oracle has a documented history of protocol-related vulnerabilities in WebLogic Server. Notable recent issues include:

  • CVE-2025-21549: HTTP/2 denial of service in WebLogic Server 14.1.1.0.0 (January 2025 CPU)
  • CVE-2025-21535: Remote code execution via T3/IIOP in WebLogic Server 12.2.1.4.0 and 14.1.1.0.0 (January 2025 CPU)

Oracle issues quarterly Critical Patch Updates (CPUs) and has responded to active exploitation in the past, such as with CVE-2025-61882 in Oracle E-Business Suite. Some protocol vulnerabilities have required multiple updates to fully address related issues.
