Port reference
Port 7001 (TCP) – Oracle WebLogic Server
Default HTTP/T3 listen port for Oracle WebLogic Server administration and applications.
Default state
Open by default on WebLogic installs, serving the admin console and T3 protocol. Repeatedly affected by critical unauthenticated remote code execution flaws.
Common attacks
- Unauthenticated deserialization RCE via T3/IIOP and the console
- Exploitation of CVE-2017-10271, CVE-2019-2725, CVE-2020-14882
- Mass scanning to deploy cryptominers and webshells
- Admin console brute-force and authentication bypass
Hardening
- Apply Oracle Critical Patch Updates promptly — WebLogic is a frequent RCE target
- Never expose 7001 to the internet; restrict to trusted management networks
- Filter or disable the T3/IIOP protocols if not required
- Front WebLogic with a WAF and block access to known-vulnerable URIs
- Run with least privilege, strong console credentials, and active monitoring
nmap snippet
nmap -p7001 --script weblogic-t3-info,http-vuln-cve2017-10271 <target>
Replace <target> with the host or range you're authorized to scan.
What runs on port 7001?
Port 7001 is the default listen port for Oracle WebLogic Server, a widely deployed Java EE application server. It serves the administration console, hosted applications over HTTP, and Oracle's T3 (and IIOP) remoting protocols. WebLogic is common in large enterprise and Oracle-stack environments, often behind business-critical applications.
Why it matters for security
WebLogic is notorious for a recurring stream of critical, unauthenticated deserialization vulnerabilities. Bugs like CVE-2017-10271, CVE-2019-2725, and CVE-2020-14882 allow remote code execution with no credentials. Because the server often runs with high privilege and hosts important apps, a single unpatched instance can mean full server compromise.
How it's attacked
Attackers fingerprint the server with weblogic-t3-info and probe for known
flaws using scripts such as http-vuln-cve2017-10271. They send crafted
T3/IIOP or HTTP payloads that trigger deserialization RCE, then deploy
webshells and cryptominers. Exposed 7001 instances are mass-scanned within
hours of each new advisory.
Hardening checklist
Apply Oracle Critical Patch Updates promptly — WebLogic is a frequent RCE target. Never expose 7001 to the internet; restrict it to trusted management networks. Filter or disable T3/IIOP if not required, front WebLogic with a WAF, and block known-vulnerable URIs. Run with least privilege, strong console credentials, and active monitoring. Use the nmap snippet above to check exposure on hosts you are authorized to test.
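As an added example (not part of the original page), the sketch below supports the "block known-vulnerable URIs" and "active monitoring" items by flagging access-log requests to URI paths publicly associated with the three CVEs named above. The path patterns, the Common Log Format input and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# URI markers publicly associated with the CVEs named on this page, matched
# against the fully decoded, lower-cased request path. The console rule looks
# for a traversal sequence that is still present after decoding.
RULES = [
    ("CVE-2017-10271", re.compile(r"^/wls-wsat/")),
    ("CVE-2019-2725", re.compile(r"^/_async/")),
    ("CVE-2020-14882", re.compile(r"^/console/.*\.\./")),
]
# Common Log Format: client ... "METHOD path HTTP/x.y" status
LINE_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3})')

def decode_path(raw, max_rounds=3):
    """Drop the query string, then percent-decode until stable (handles %252e)."""
    path = raw.split("?", 1)[0]
    for _ in range(max_rounds):
        if (decoded := unquote(path)) == path:
            break
        path = decoded
    return path.lower()

def scan(lines):
    """Return (client, cve, status, raw_path) for each matching request."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a parseable request line
        client, raw, status = m.group(1), m.group(2), int(m.group(3))
        path = decode_path(raw)
        for cve, rx in RULES:
            if rx.search(path):
                hits.append((client, cve, status, raw))
                break
    return hits

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 312',
    '198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "POST /_async/AsyncResponseService HTTP/1.1" 404 0',
    '203.0.113.9 - - [01/Jan/2024:10:05:00 +0000] "GET /console/css/%252e%252e%252fconsole.portal HTTP/1.1" 200 1024',
    '192.0.2.10 - - [01/Jan/2024:10:06:00 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 4096',
    '192.0.2.10 - - [01/Jan/2024:10:07:00 +0000] "GET /app/index.jsp?ref=/wls-wsat/ HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

The status code is kept in each hit because a 200 or 500 on one of these paths deserves closer review than a 404 from a host where the component is not deployed.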
Frequently asked questions
- Why is Oracle WebLogic on port 7001 attacked so often?
  WebLogic has had a long series of critical unauthenticated deserialization flaws — CVE-2017-10271, CVE-2019-2725, CVE-2020-14882 and more — that allow remote code execution. Exposed 7001 instances are mass-scanned and exploited within hours of disclosure.
- What protocols does port 7001 expose?
  7001 serves WebLogic's HTTP admin console and applications, plus the T3 (and IIOP) remoting protocols. T3 deserialization has been the root of several critical RCEs, so filter or disable it where it isn't needed.