Unauthenticated RCE in Oracle WebLogic Server Console
CVE-2020-14750 is an easily exploitable vulnerability in the Console component of Oracle WebLogic Server affecting supported versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0. The provided content states that the issue is reachable over HTTP by an unauthenticated attacker and is associated with a path traversal condition that can expose or bypass protections around the WebLogic administrative console. The referenced reporting further indicates that this access can be leveraged for unauthenticated remote code execution, and Oracle characterizes successful exploitation as resulting in takeover of Oracle WebLogic Server.
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).
This repository provides a Bash-based proof-of-concept (PoC) exploit and a detection script for Oracle WebLogic vulnerabilities CVE-2020-14750 and CVE-2020-14882. The main exploit script, 'CVE-2020-14750.sh', takes a target host:port and a command to execute, then crafts a POST request to the vulnerable WebLogic endpoint '/console/css/%252e%252e%252fconsole.portal'. The payload is a serialized MVEL expression that leverages Java reflection to execute the supplied command on the server, returning the output in the HTTP response. The detection script, 'test-CVE-2020-14750.sh', automates checking if the exploit is successful by running a benign command and analyzing the response. The repository is operational, providing both exploitation and detection capabilities for the specified CVEs. No hardcoded IPs or domains are present; the target is supplied by the user at runtime.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A related Oracle WebLogic Server path traversal vulnerability used for initial access; described as essentially the same as CVE-2020-14882 but with a more comprehensive fix, enabling admin console access and unauthenticated remote code execution when exploited.
An Oracle WebLogic Server vulnerability that allows an unauthenticated attacker to access the Oracle WebLogic server; the content says Oracle's October 2020 patch bundle includes a fix and updates should be applied immediately.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.