What is the CVSS score of CVE-2017-10271?

CVE-2017-10271 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. EPSS exploitation probability: 94.4%.

Which versions of Oracle are affected by CVE-2017-10271?

CVE-2017-10271 presents notable security risk, a missing authentication vulnerability rated CVSS 7.5.. A patch is available.

Is there a public PoC exploit available for CVE-2017-10271?

Yes, a public proof-of-concept exploit is available for CVE-2017-10271. Prioritise patching immediately. EPSS: 94.4%.

How to fix or mitigate CVE-2017-10271?

Within 24 hours: Identify all affected systems and apply vendor patches immediately. Audit authentication configurations and rotate any potentially compromised credentials.

Oracle CVE-2017-10271

HIGH

Missing Authentication for Critical Function (CWE-306)

2017-10-19 secalert_us@oracle.com

Authentication Bypass Oracle

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Re-analysis Queued

Apr 21, 2026 - 15:22 vuln.today

cvss_changed

Analysis Generated

Mar 26, 2026 - 11:18 vuln.today

Added to CISA KEV

Oct 22, 2025 - 00:16 cisa

CISA KEV

PoC Detected

Oct 22, 2025 - 00:16 vuln.today

Public exploit code

Patch released

Oct 22, 2025 - 00:16 nvd

Patch available

CVE Published

Oct 19, 2017 - 17:29 nvd

HIGH 7.5

DescriptionNVD

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Security). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

AnalysisAI

Oracle WebLogic Server allows unauthenticated remote code execution through the WLS Security component's T3 protocol, massively exploited for cryptocurrency mining and botnet recruitment from 2017 onward.

Technical ContextAI

The CWE-306 missing authentication vulnerability in WebLogic's T3 protocol handler allows unauthenticated attackers to send crafted XML payloads containing XMLDecoder deserialization gadgets. The server processes the untrusted XML, leading to arbitrary command execution as the WebLogic service account.

RemediationAI

Apply Oracle Critical Patch Update. Restrict T3 protocol access via network filtering. Deploy WebLogic's T3 connection filter to limit access to trusted hosts only. Disable XMLDecoder-based deserialization.

More from same product – last 7 days

CVE-2026-46840 CRITICAL Act Now

10.0 May 28

Remote takeover of Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows unauthenticated attackers to c

CVE-2026-46775 CRITICAL Act Now

9.9 May 28

Takeover of Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 is achievable by a low-privileged remote att

CVE-2026-46822 CRITICAL Act Now

9.9 May 28

Account takeover in Oracle iAssets (part of Oracle E-Business Suite versions 12.2.3 through 12.2.15) allows a low-privil

CVE-2026-46824 CRITICAL Act Now

9.9 May 28

Account takeover in Oracle Universal Work Queue (component: Work Provider Site Level Administration) within Oracle E-Bus

CVE-2026-46839 CRITICAL Act Now

9.9 May 28

Privilege escalation to full takeover in Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows a low-pr

CVE-2017-10271 vulnerability details – vuln.today

Back

Oracle CVE-2017-10271

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

More from same product – last 7 days

Share

External POC / Exploit Code