CVE-2016-0638

CRITICAL

Oracle WebLogic Server - Info Disclosure

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2016-0638. PoCs published by 0xn0ne, zhzhdoai, BabyTeam1024.

AI-analyzed exploit summary This repository contains a WebLogic vulnerability scanner that checks for multiple CVEs, including CVE-2018-2628. It is a Python-based tool designed to detect vulnerabilities in Oracle WebLogic Server by sending crafted requests and analyzing responses.

Description

Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6, 12.1.2, 12.1.3, and 12.2.1 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Java Messaging Service.

Exploits (3)

nomisec SCANNER 2,072 stars
by 0xn0ne · poc
https://github.com/0xn0ne/weblogicScanner

This repository contains a WebLogic vulnerability scanner that checks for multiple CVEs, including CVE-2018-2628. It is a Python-based tool designed to detect vulnerabilities in Oracle WebLogic Server by sending crafted requests and analyzing responses.

Classification
Scanner 95%
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: Oracle WebLogic Server
No auth needed
Prerequisites: Network access to the target WebLogic Server · Python 3.6 or higher
devstral-2 · analyzed Feb 15, 2026 Full analysis →
nomisec WORKING POC 17 stars
by zhzhdoai · poc
https://github.com/zhzhdoai/Weblogic_Vuln

This repository contains proof-of-concept exploits for multiple WebLogic vulnerabilities, including CVE-2015-4852, which leverages Java deserialization via Apache Commons Collections to achieve remote code execution. The PoC generates a serialized payload that, when deserialized, executes arbitrary commands.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Oracle WebLogic Server (versions affected by CVE-2015-4852, CVE-2016-0638, CVE-2016-3510, CVE-2019-2890)
No auth needed
Prerequisites: Network access to vulnerable WebLogic T3 interface · Apache Commons Collections library for payload generation
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by BabyTeam1024 · poc
https://github.com/BabyTeam1024/CVE-2016-0638

This repository contains a functional exploit for CVE-2016-0638, a deserialization vulnerability in Oracle WebLogic Server. The exploit leverages the T3 protocol to achieve remote code execution (RCE) by installing an RMI backdoor and executing arbitrary commands.

Classification
Working Poc 95%
Attack Type
Deserialization
Complexity
Moderate
Reliability
Reliable
Target: Oracle WebLogic Server
No auth needed
Prerequisites: Network access to the target WebLogic Server · T3 protocol enabled on the target
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (3)

Core 3
Core References
Third Party Advisory x_refsource_misc
https://www.tenable.com/security/research/tra-2016-09
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1035615

Scores

CVSS v3 9.8
EPSS 0.7667
EPSS Percentile 99.0%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

Status published
Products (4)
oracle/weblogic_server 10.3.6.0.0
oracle/weblogic_server 12.1.2.0.0
oracle/weblogic_server 12.1.3.0.0
oracle/weblogic_server 12.2.1.0.0
Published Apr 21, 2016
Tracked Since Feb 18, 2026