Oracle WebLogic Server Console RCE via Authentication Bypass Chain
CVE-2020-14883 affects the Oracle WebLogic Server Console component in supported versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0. Oracle describes it as an easily exploitable vulnerability that allows a high-privileged attacker with network access over HTTP to compromise WebLogic Server. It is commonly chained with CVE-2020-14882, which bypasses authentication on the administrative console; once past authentication, an attacker reaches console functionality and triggers remote code execution, including through Java deserialization-style payloads and crafted requests to console endpoints such as console.portal. In practice, the issue is widely referenced as part of the WebLogic console auth-bypass/RCE chain rather than as a fully standalone bug.
Exploits
This repository contains a Python proof-of-concept exploit targeting Oracle WebLogic Server. The main file, 'weblogic.py', sends a crafted POST request to the '/console/images/%252E%252E%252Fconsole.portal' endpoint on the target server, attempting to exploit a vulnerability that allows remote code execution via the 'com.tangosol.coherence.mvel2.sh.ShellSession' class. The payload executes the 'ipconfig' command to fingerprint the operating system. The script checks the response for evidence of Windows OS and reports if the target is vulnerable. The README.md provides an example of a similar payload and a sample HTTP request. The exploit requires the attacker to specify the target's IP and port, and the target must be accessible over the network. No CVE is explicitly referenced, but the exploit is clearly aimed at WebLogic's remote code execution vulnerabilities.
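As an added defender-side example (not code from this page or from the repository it describes), the check below flags console requests whose raw path begins under the unauthenticated static directory but, after repeated percent-decoding and path normalization, resolves to a different console resource, which is the double-encoded traversal to console.portal quoted above. The sample log lines, the static-prefix list and all function names are constructed assumptions.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (method, path, protocol, status); not real traffic.
SAMPLE_LOG = """\
POST /console/images/%252E%252E%252Fconsole.portal?_nfpb=true HTTP/1.1 200
GET /console/images/logo.png HTTP/1.1 200
GET /console/login/LoginForm.jsp HTTP/1.1 200
POST /console/images/..%2Fconsole.portal HTTP/1.1 200
GET /console/images/%2e%2e/css/console.css HTTP/1.1 404
"""

# Assumed: static console paths served without a session. A request that
# *claims* one of these prefixes but resolves elsewhere is the traversal pattern.
UNAUTH_PREFIXES = ("/console/images/", "/console/css/")

def fully_decode(path, max_rounds=5):
    """Percent-decode until the string stops changing (bounded), so that
    %252E -> %2E -> '.' is seen the way a later decoding layer would see it."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def resolved_path(raw_path):
    """Decode the path part, then collapse '..' and '.' segments as a container would."""
    return posixpath.normpath(fully_decode(urlsplit(raw_path).path))

def claimed_prefix(path_only):
    """Return the unauthenticated prefix the raw (still-encoded) path starts with, if any."""
    return next((p for p in UNAUTH_PREFIXES if path_only.startswith(p)), None)

def is_console_traversal(raw_path):
    """True when the raw path sits under an unauthenticated prefix but the
    fully decoded, normalized path escapes that directory."""
    prefix = claimed_prefix(urlsplit(raw_path).path)
    return prefix is not None and not resolved_path(raw_path).startswith(prefix)

def scan_log(text):
    """Return (method, raw_path, resolved_path) for every flagged log line."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and is_console_traversal(parts[1]):
            hits.append((parts[0], parts[1], resolved_path(parts[1])))
    return hits
```

Matching on the decoded, normalized path rather than on the literal `%252E%252E%252F` string also catches single-encoded and mixed-case variants of the same traversal.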
Recent activity
A critical Oracle WebLogic Server remote code execution vulnerability affecting the administrative console and involving authentication bypass.
A known Oracle WebLogic Server vulnerability used by the 8220 Gang to compromise vulnerable WebLogic deployments and trigger execution of scripts that install cryptominers and supporting tooling (including K4Spreader and the Tsunami backdoor).
An Oracle WebLogic Server vulnerability leveraged (often chained with CVE-2020-14882) to enable remote code execution via maliciously crafted XML, used to deploy stealer and cryptominer malware.
A remote code execution vulnerability in Oracle WebLogic Server that allows remote authenticated attackers to execute code using a gadget chain.