CVE-2015-4852 is a critical unsafe deserialization vulnerability in the WLS Security component of Oracle WebLogic Server affecting 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0. Oracle’s description states that remote attackers can execute arbitrary commands by sending a crafted serialized Java object in T3 protocol traffic to TCP port 7001. The issue is related to the bundled Apache Commons Collections library in oracle_common/modules/com.bea.core.apache.commons.collections.jar, enabling exploitation through a Java deserialization gadget chain. The vulnerability is remotely exploitable without authentication and is scoped to the WebLogic Server product.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (2 hidden).
This repository provides a Python-based exploit for CVE-2015-4852, a critical Java deserialization vulnerability affecting several enterprise applications (Websphere, JBoss, OpenNMS, Symantec Endpoint Protection Manager). The main script, 'serialator.py', allows the user to select the target application, specify the target host and port, and supply an arbitrary command to execute on the target. The exploit works by sending a malicious serialized Java object (payload) to the target application over HTTP, exploiting the deserialization flaw to achieve remote code execution. The script supports both exploitation (arbitrary command execution) and detection (by triggering a ping from the target to an attacker-controlled host). The included 'ICMPListener.py' script can be used to listen for incoming ICMP echo requests, which helps verify successful exploitation in detection mode. The repository is structured with a main exploit script, a listener script for detection, and a README providing usage instructions and background. No hardcoded network endpoints are present except for the default listener IP (0.0.0.0) in the ICMP listener. The exploit is operational and can be used for both vulnerability verification and actual exploitation, depending on the supplied command.
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A remote code execution vulnerability in Oracle WebLogic Server involving Java deserialization.
Listed as an associated/observed CVE in the broader threat/IOC aggregation, without detail in the provided content.
A Java deserialization vulnerability in a widely used Java library that can allow remote code execution.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.