CVE-2016-0491

Oracle Application Testing Suite - Unspecified Vuln

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2016-0491. PoCs published by Metasploit, Zhou Yu.

AI-analyzed exploit summary This Metasploit module exploits an authentication bypass (CVE-2016-0492) and arbitrary file upload (CVE-2016-0491) in Oracle Application Testing Suite (OATS) 12.4.0.2.0 to upload and execute a JSP shell, achieving remote code execution.

Description

Unspecified vulnerability in the Oracle Application Testing Suite component in Oracle Enterprise Manager Grid Control 12.4.0.2 and 12.5.0.2 allows remote attackers to affect integrity and availability via unknown vectors related to Load Testing for Web Apps. NOTE: the previous information is from the January 2016 CPU. Oracle has not commented on third-party claims that the UploadFileAction servlet allows remote authenticated users to upload and execute arbitrary files via an * (asterisk) character in the fileType parameter.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotejava
https://www.exploit-db.com/exploits/39852

This Metasploit module exploits an authentication bypass (CVE-2016-0492) and arbitrary file upload (CVE-2016-0491) in Oracle Application Testing Suite (OATS) 12.4.0.2.0 to upload and execute a JSP shell, achieving remote code execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Oracle Application Testing Suite (OATS) <= 12.4.0.2.0
No auth needed
Prerequisites: Network access to the target OATS instance · OATS version <= 12.4.0.2.0
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Zhou Yu · pythonwebappsjsp
https://www.exploit-db.com/exploits/39691

This exploit bypasses authentication in Oracle Application Testing Suite 12.4.0.2.0 and uploads a JSP webshell, enabling remote command execution. It leverages a path traversal vulnerability to access the file upload endpoint without authentication.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Oracle Application Testing Suite 12.4.0.2.0
No auth needed
Prerequisites: Network access to the target · Target running Oracle Application Testing Suite 12.4.0.2.0
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (8)

Core 8
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/81169
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/39852/
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/39691/
Third Party Advisory, VDB Entry x_refsource_misc
http://www.zerodayinitiative.com/advisories/ZDI-16-047
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1034734
Third Party Advisory, VDB Entry x_refsource_misc
http://www.rapid7.com/db/modules/exploit/multi/http/oracle_ats_file_upload

Scores

EPSS 0.8075
EPSS Percentile 99.6%

Details

Status published
Products (2)
oracle/application_testing_suite 12.4.0.2
oracle/application_testing_suite 12.5.0.2
Published Jan 21, 2016
Tracked Since Feb 18, 2026