CVE-2020-14882# 🔴 CVE-2020-14882 — Oracle WebLogic Remote Code Execution (RCE)
<img width="1000" height="500" alt="68747470733a2f2f312e62702e626c6f6773706f742e636f6d2f2d484d416a577257703832672f58366a48483574346551492f41414141414141414c41592f53685f72544c72325056305650794b62585f467434676c4d493836536a42477051434c63424741735948512f7" src="https://github.com/user-attachments/assets/4c10c192-dc8a-4d63-934e-33efbfc88b2c" />
---
**CVE-2020-14882** is a **critical remote code execution (RCE) vulnerability** in **Oracle WebLogic Server**, a popular Java-based application server used for building and deploying enterprise applications.
Here are the key details:
---
### 🔍 **Basic Information**
* **CVE ID:** CVE-2020-14882
* **Published:** October 2020
* **CVSS v3 Score:** 9.8 (Critical)
* **Affected Product:** Oracle WebLogic Server
* **Affected Versions:**
* 10.3.6.0.0
* 12.1.3.0.0
* 12.2.1.3.0
* 12.2.1.4.0
* 14.1.1.0.0
---
### ⚙️ **Vulnerability Description**
CVE-2020-14882 exists due to **improper input validation** in the **WebLogic Server Administration Console** component.
An **unauthenticated attacker** can exploit this flaw **remotely over HTTP** by sending a specially crafted request to the vulnerable server.
If successful, the attacker gains **remote code execution (RCE)** privileges — allowing them to:
* Execute arbitrary commands on the host machine.
* Install backdoors or malware.
* Take full control of the affected WebLogic instance.
---
### 🧠 **Technical Overview**
* The issue resides in the **console component (`/console/`)** of WebLogic.
* It can be exploited via a **path traversal attack** — for example, by accessing:
<img width="1920" height="959" alt="CVE-2020-14882 oracle weblogic 2" src="https://github.com/user-attachments/assets/a3a8f6d8-afba-4289-865b-807b0aada173" />
```
/console/images/%252e%252e%252fconsole.portal
```
<img width="1920" height="959" alt="CVE-2020-14882 oracle weblogic 1" src="https://github.com/user-attachments/assets/00931b44-028d-41cc-aa11-e7a467ad6f6e" />
(This bypasses authentication by using double URL encoding.)
* Once the attacker reaches the admin interface without credentials, they can execute arbitrary Java or system commands.
<img width="1920" height="959" alt="CVE-2020-14882 oracle weblogic 3" src="https://github.com/user-attachments/assets/14c2c15e-0b79-4819-80af-07868bb615bd" />
<img width="1920" height="957" alt="CVE-2020-14882 oracle weblogic 4" src="https://github.com/user-attachments/assets/d5082380-016e-4dfb-a982-45f89b6b6f9a" />
<img width="1920" height="958" alt="CVE-2020-14882 oracle weblogic 5" src="https://github.com/user-attachments/assets/e9b022b3-0227-4461-815c-0a046780a767" />
---
### ⚠️ **Exploitation in the Wild**
* Shortly after disclosure, **working exploits were released publicly**.
* Attackers began using it to deploy **cryptominers, ransomware, and webshells**.
* Oracle later released **CVE-2020-14750**, which fixed a bypass of the original patch for CVE-2020-14882.
---
### 🛡️ **Mitigation & Fix**
* **Apply Oracle’s October 2020 Critical Patch Update (CPU)** immediately.
* **Restrict network access** to the WebLogic Admin Console (`/console/`) from untrusted networks.
* **Use Web Application Firewalls (WAF)** and **monitor logs** for suspicious encoded paths.
* Consider **upgrading WebLogic** to the latest supported version.
---
[4.0K] /data/pocs/5df759c424591107735abadcbc8b7f6a2f4393d2
├── [4.0K] CVE-2020-14882.py
└── [3.3K] README.md
1 directory, 2 files