CVE-2015-4852

CRITICAL KEV

Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, 12.2.1.0 - Remote Code Execution via T3 Protocol Deserialization

Title source: llm

Exploitation Summary

CVE-2015-4852 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021. EIP tracks 11 public exploits from researchers including Metasploit, SlidingWindow, and Nikhil Sreekumar, among them the Metasploit module exploits/multi/misc/weblogic_deserialize_rawobject.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2015-4852, an unauthenticated deserialization vulnerability in Oracle WebLogic Server's T3 interface. It sends a crafted serialized object to execute arbitrary code on vulnerable hosts.

Description

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product.

Exploits (11)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · multiple
https://www.exploit-db.com/exploits/46628

This Metasploit module exploits CVE-2015-4852, an unauthenticated deserialization vulnerability in Oracle WebLogic Server's T3 interface. It sends a crafted serialized object to execute arbitrary code on vulnerable hosts.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Oracle WebLogic Server (versions 10.3.6.0, 12.1.2.0, 12.1.3.0, 12.2.1.0 and below)
No auth needed
Prerequisites: Network access to the Oracle WebLogic Server T3 interface (default port 7001)
devstral-2 · analyzed Feb 18, 2026

exploitdb WORKING POC
by SlidingWindow · python · remote · java
https://www.exploit-db.com/exploits/42806

This exploit targets a Java deserialization vulnerability in Oracle WebLogic Server (CVE-2015-4852). It sends a crafted T3 protocol payload containing a serialized object that triggers remote code execution, specifically causing the target to send ICMP echo requests to the attacker's machine.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Oracle WebLogic Server versions 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0
No auth needed
Prerequisites: Network access to the target WebLogic Server · T3 protocol enabled on the target
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
by Nikhil Sreekumar · bash · remote · multiple
https://www.exploit-db.com/exploits/44552

This exploit targets CVE-2015-4852, a deserialization vulnerability in Symantec Endpoint Protection Manager. It crafts a malicious Java serialized payload to achieve remote code execution (RCE) via HTTP/HTTPS requests.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Symantec Endpoint Protection Manager (versions prior to 12.1 RU6 MP5)
No auth needed
Prerequisites: Network access to the target's management interface · Target must be running a vulnerable version of Symantec Endpoint Protection Manager
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 31 stars
by roo7break · remote
https://github.com/roo7break/serialator

This repository contains a Python-based exploit for CVE-2015-4852, which targets deserialization vulnerabilities in multiple applications (Websphere, JBoss, OpenNMS, Symantec Endpoint Protection Manager). The exploit includes a serialized payload for remote code execution (RCE) and an ICMP listener for vulnerability testing.

Classification: Working PoC 90%
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Websphere, JBoss, OpenNMS, Symantec Endpoint Protection Manager
No auth needed
Prerequisites: Network access to vulnerable application · Python 3 environment
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 17 stars
by zhzhdoai · remote
https://github.com/zhzhdoai/Weblogic_Vuln

This repository contains proof-of-concept exploits for multiple WebLogic vulnerabilities, including CVE-2015-4852, which leverages Java deserialization via Apache Commons Collections to achieve remote code execution. The PoC generates a serialized payload that, when deserialized, executes arbitrary commands.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Oracle WebLogic Server (versions affected by CVE-2015-4852, CVE-2016-0638, CVE-2016-3510, CVE-2019-2890)
No auth needed
Prerequisites: Network access to vulnerable WebLogic T3 interface · Apache Commons Collections library for payload generation
devstral-2 · analyzed Feb 16, 2026

github WORKING POC 6 stars
by Y5neKO · python · poc
https://github.com/Y5neKO/ExpAndPoc_Collection/tree/main/CVE-2015-4852

This repository contains a functional exploit for CVE-2015-4852, a deserialization vulnerability in Oracle WebLogic Server. The exploit uses a crafted T3 protocol payload to achieve remote code execution by leveraging the ysoserial tool to generate malicious serialized objects.

Classification: Working PoC 95%
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Oracle WebLogic Server
No auth needed
Prerequisites: ysoserial tool to generate payload · network access to target WebLogic Server
devstral-2 · analyzed Feb 27, 2026

nomisec SCANNER 2 stars
by AndersonSingh · poc
https://github.com/AndersonSingh/serialization-vulnerability-scanner

This repository contains a scanner for detecting Oracle WebLogic Server versions vulnerable to CVE-2015-4852, a deserialization vulnerability. It includes two scripts: one using Nmap for version detection and another using custom socket connections to identify vulnerable versions.

Classification: Scanner 90%
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Oracle WebLogic Server (versions 10.3.6.0, 12.1.2.0, 12.1.3.0, 12.2.1.0)
No auth needed
Prerequisites: Network access to target WebLogic servers · Target servers running vulnerable versions
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 1 star
by nex1less · remote
https://github.com/nex1less/CVE-2015-4852

This PoC exploits CVE-2015-4852, a deserialization vulnerability in Oracle WebLogic Server, by sending a crafted T3 protocol request with a malicious serialized payload generated via ysoserial. It establishes a reverse shell to a specified listener.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Oracle WebLogic Server (T3 protocol)
No auth needed
Prerequisites: ysoserial.jar in the same directory · network access to target WebLogic Server · listener setup for reverse shell
devstral-2 · analyzed Feb 16, 2026

vulncheck_xdb WORKING POC
remote
https://gitlab.com/milo2012/cve-2015-4852

This repository contains a functional exploit for CVE-2015-4852, a deserialization vulnerability in Oracle WebLogic Server. The exploit crafts a malicious T3 protocol payload to achieve remote code execution (RCE) by leveraging insecure deserialization.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Oracle WebLogic Server 12.2.1
No auth needed
Prerequisites: Network access to the target WebLogic Server · T3 protocol enabled on the target
devstral-2 · analyzed Feb 25, 2026

vulncheck_xdb WORKING POC
remote
https://github.com/minhangxiaohui/Weblogic_direct_T3_Rces

This repository contains a functional Java-based exploit for CVE-2015-4852, leveraging T3 protocol deserialization to achieve remote code execution on WebLogic servers. The exploit constructs a malicious payload using Apache Commons Collections and sends it via T3 protocol to trigger the vulnerability.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Oracle WebLogic Server
No auth needed
Prerequisites: Network access to the target WebLogic server · T3 protocol enabled on the target
devstral-2 · analyzed Feb 25, 2026

metasploit WORKING POC EXCELLENT
by Andres Rodriguez · ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/misc/weblogic_deserialize_rawobject.rb

This Metasploit module exploits a deserialization vulnerability in Oracle WebLogic Server (CVE-2015-4852) by sending a malicious serialized object over the T3 protocol to achieve remote code execution. The exploit supports multiple platforms (Unix, Windows, Solaris) and includes a T3 handshake for protocol negotiation.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Oracle WebLogic Server (versions 10.3.6.0, 12.1.2.0, 12.1.3.0, 12.2.1.0 and below)
No auth needed
Prerequisites: Network access to the WebLogic T3 interface (default port 7001) · Vulnerable WebLogic version
devstral-2 · analyzed Feb 16, 2026

References (16)

Core References
Broken Link vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1038292
Broken Link vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/77539
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2015/11/17/19
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/42806/
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/46628/

Scores

CVSS v3 9.8
EPSS 0.9295
EPSS Percentile 99.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2021-11-03
VulnCheck KEV 2020-10-20
InTheWild.io 2021-07-23
CWE CWE-502
Status published
Products (6)
oracle/storagetek_tape_analytics_sw_tool 2.3
oracle/virtual_desktop_infrastructure < 3.5.2
oracle/weblogic_server 10.3.6.0.0
oracle/weblogic_server 12.1.2.0.0
oracle/weblogic_server 12.1.3.0.0
oracle/weblogic_server 12.2.1.0.0
Published Nov 18, 2015
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026