Critical Apache Dubbo RCE (CVE‑2020‑1948): Threat Details & Fixes
The 2020‑06‑23 security advisory reveals that Apache Dubbo versions 2.5.x, 2.6.0‑2.6.7, and 2.7.0‑2.7.6 contain a high‑severity deserialization vulnerability (CVE‑2020‑1948) allowing remote code execution, outlines its impact, provides affected version details, risk assessment, remediation steps, and references to mapping data and product‑level mitigation.
0x01 Vulnerability Background
On June 23, 2020, 360CERT reported that Apache Dubbo issued an advisory for a remote code execution vulnerability (CVE‑2020‑1948) classified as high severity.
Apache Dubbo is a high‑performance, lightweight open‑source Java RPC framework offering three core capabilities: interface‑based remote method invocation, intelligent fault tolerance and load balancing, and automatic service registration and discovery.
The Dubbo Provider suffers from a deserialization flaw; attackers can send RPC requests with unrecognized service or method names and malicious payloads, which, when deserialized, lead to remote code execution.
The technical details of the vulnerability have been publicly disclosed.
360CERT recommends users promptly apply the latest patches, conduct asset self‑assessment, and implement preventive measures to avoid exploitation.
0x02 Risk Level
Threat level: High
Impact scope: Wide
0x03 Vulnerability Details
The Apache Dubbo Provider contains a deserialization vulnerability that allows attackers to execute remote code by sending malicious RPC payloads.
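The advisory's description (requests naming a service or method the Provider does not export, with a payload that is deserialized anyway) can be checked at the wire level before any deserialization happens. The following is an added example, not code from 360CERT or the Dubbo project; it assumes the Dubbo protocol header layout (magic 0xdabb, flag byte with the serializer id in its low five bits, request id, body length) and the Hessian2 short-string encoding for the four leading body strings, and uses a hypothetical allowlist `EXPORTED` and a constructed sample frame that stops after the method name.

```python
import struct

# Dubbo wire header (16 bytes, big-endian): magic 0xdabb, flag byte, status,
# 64-bit request id, 32-bit body length. Low 5 bits of the flag select the
# serializer (2 = Hessian2); a request body then starts with four Hessian2
# strings: dubbo version, service name, service version, method name.
MAGIC, FLAG_REQUEST, FLAG_TWOWAY, FLAG_EVENT, SER_MASK, HESSIAN2 = 0xDABB, 0x80, 0x40, 0x20, 0x1F, 2

def read_short_string(body, pos):
    """Decode a Hessian2 short string (tag 0x00-0x1f = length, then UTF-8 bytes).
    Longer strings use other tags and are deliberately rejected here, so the
    caller treats such frames as unparseable rather than guessing."""
    tag = body[pos]
    if tag > 0x1F:
        raise ValueError("unsupported Hessian2 string form")
    end = pos + 1 + tag
    return body[pos + 1:end].decode("utf-8"), end

def parse_request(frame):
    """Return (service, method) for a Hessian2 request frame, or None for
    responses, heartbeat events and non-Hessian2 payloads."""
    magic, flag, _status, _req_id, length = struct.unpack(">HBBqI", frame[:16])
    if magic != MAGIC:
        raise ValueError("not a Dubbo frame")
    if not (flag & FLAG_REQUEST) or (flag & FLAG_EVENT) or (flag & SER_MASK) != HESSIAN2:
        return None
    body = frame[16:16 + length]
    _dubbo_version, pos = read_short_string(body, 0)
    service, pos = read_short_string(body, pos)
    _service_version, pos = read_short_string(body, pos)
    method, _pos = read_short_string(body, pos)
    return service, method

def classify(frame, exported):
    """exported maps each service the Provider really exports to its method names
    (hypothetical allowlist). Anything else is the pattern the advisory describes
    and is flagged before the argument payload would be deserialized."""
    try:
        parsed = parse_request(frame)
    except ValueError:
        return "unparseable"
    if parsed is None:
        return "ignored"
    service, method = parsed
    if service not in exported:
        return "unknown-service"
    return "known" if method in exported[service] else "unknown-method"

def build_frame(service, method):
    """Constructed sample frame: header plus the four leading strings only
    (a real request continues with parameter types, arguments and attachments)."""
    body = b"".join(bytes([len(s)]) + s.encode() for s in ("2.0.2", service, "0.0.0", method))
    return struct.pack(">HBBqI", MAGIC, FLAG_REQUEST | FLAG_TWOWAY | HESSIAN2, 0, 1, len(body)) + body

EXPORTED = {"org.example.GreetService": {"sayHello"}}  # hypothetical Provider allowlist
```

A frame that names a service or method outside the allowlist is exactly the kind of request a patched Provider (2.7.7+) refuses to deserialize; on older versions this check is one place to put a compensating control while upgrading.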
0x04 Affected Versions
Dubbo 2.7.0 – 2.7.6
Dubbo 2.6.0 – 2.6.7
Dubbo 2.5.x (no longer maintained)
0x05 Remediation Recommendations
General Fix Advice:
Users should upgrade to Dubbo 2.7.7 or later. Download link: https://github.com/apache/dubbo/releases/tag/dubbo-2.7.7.
0x06 Related Cyber Mapping Data
360 Security Brain’s Quake network mapping system shows extensive domestic usage of Dubbo, as illustrated below.
0x07 Product‑Side Solution
360 City‑Level Network Security Monitoring Service
The Quake asset mapping platform monitors such vulnerabilities; users should contact the relevant product team for appropriate solutions.
0x08 Timeline
2020‑06‑22: Apache Dubbo official announcement
2020‑06‑23: 360CERT warning released
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
Programmer DD
A tinkering programmer and author of "Spring Cloud Microservices in Action"