CVE-2012-3153

Tags: Exploited · Nuclei

Oracle Forms and Reports Remote Code Execution

Title source: metasploit

Exploitation Summary

CVE-2012-3153 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 4 public exploits from researchers including Mekanismen, among them the Metasploit module exploits/multi/http/oracle_reports_rce. A Nuclei detection template is also available.

AI-analyzed exploit summary: This Ruby script automates the exploitation of CVE-2012-3152 and CVE-2012-3153 in Oracle Reports 11.1 by uploading a malicious JSP payload to a vulnerable server. It enumerates keymaps, extracts server credentials, and leverages the 'showenv' endpoint to determine the local path for payload deployment.

Description

Unspecified vulnerability in the Oracle Reports Developer component in Oracle Fusion Middleware 11.1.1.4, 11.1.1.6, and 11.1.2.0 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Servlet. NOTE: the previous information is from the October 2012 CPU. Oracle has not commented on claims from the original researcher that the PARSEQUERY function allows remote attackers to obtain database credentials via reports/rwservlet/parsequery, and that this issue occurs in earlier versions. NOTE: this can be leveraged with CVE-2012-3152 to execute arbitrary code by uploading a .jsp file.

Exploits (4)

exploitdb · Working PoC
by Mekanismen · ruby · remote · jsp
https://www.exploit-db.com/exploits/31253

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Oracle Reports 11.1
No auth needed
Prerequisites: Access to the target Oracle Reports server · A hosted JSP payload URL
devstral-2 · analyzed Feb 18, 2026
nomisec · Working PoC · 8 stars
by Mekanismen · remote-auth
https://github.com/Mekanismen/pwnacle-fusion

This is a Ruby-based exploit for CVE-2012-3153 and CVE-2012-3152 targeting Oracle Reports. It automates the process of uploading a JSP payload to a vulnerable server via directory traversal and arbitrary file upload vulnerabilities.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Oracle Reports (unspecified version)
No auth needed
Prerequisites: Target URL must be vulnerable to CVE-2012-3153 and CVE-2012-3152 · Accessible payload URL hosting a JSP shell
devstral-2 · analyzed Feb 16, 2026
vulncheck_xdb · Scanner
remote
https://github.com/abq0/rwsploit

This repository contains a Python-based scanner for detecting and exploiting CVE-2012-3153 in Oracle Reports Server. It includes functionality for LFI, SSRF testing, and JSP shell upload, but does not contain a full exploit PoC.

Classification: Scanner 95%
Attack Type: Info Leak | SSRF
Complexity: Moderate
Reliability: Reliable
Target: Oracle Reports Server < v11
No auth needed
Prerequisites: Network access to the target Oracle Reports Server · rwservlet endpoint exposed
devstral-2 · analyzed Jun 05, 2026
metasploit · Working PoC · Great
ruby · poc · linux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/oracle_reports_rce.rb

This Metasploit module exploits CVE-2012-3153 in Oracle Forms and Reports to achieve remote code execution by leveraging directory traversal and arbitrary file write vulnerabilities to upload a JSP shell.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Oracle Forms and Reports 10.1
No auth needed
Prerequisites: Network access to the Oracle Reports server · Oracle Reports service exposed and vulnerable
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Oracle Forms & Reports RCE (CVE-2012-3152 & CVE-2012-3153)
Severity: MEDIUM · by Sid Ahmed MALAOUI @ Realistic Security
Shodan: http.title:"weblogic" || http.html:"weblogic application server"
FOFA: title="weblogic" || body="weblogic application server"

References (8)

Core References
Vendor Advisory (Mandriva): http://www.mandriva.com/security/advisories?name=MDVSA-2013:150
Third Party Advisory, VDB Entry (IBM X-Force): https://exchange.xforce.ibmcloud.com/vulnerabilities/79296
Exploit, Third Party Advisory (Exploit-DB): http://www.exploit-db.com/exploits/31253
Mailing List (Full Disclosure): http://seclists.org/fulldisclosure/2014/Jan/186
Third Party Advisory, VDB Entry (SecurityFocus BID): http://www.securityfocus.com/bid/55961

Scores

EPSS 0.9165
EPSS Percentile 99.7%

Details

VulnCheck KEV 2025-06-07
Status published
Products (3)
oracle/fusion_middleware 11.1.1.4.0
oracle/fusion_middleware 11.1.1.6.0
oracle/fusion_middleware 11.1.2.0
Published Oct 16, 2012
Tracked Since Feb 18, 2026