CVE-2016-3510

CRITICAL NUCLEI

Oracle WebLogic Server - Info Disclosure

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2016-3510. PoCs published by Y5neKO, BabyTeam1024, Andres Rodriguez, including Metasploit module exploits/multi/misc/weblogic_deserialize_marshalledobject. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2016-3510, which targets a deserialization vulnerability in WebLogic Server. The exploit uses a crafted T3 protocol request to send a malicious serialized object, leading to remote code execution.

Description

Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to WLS Core Components, a different vulnerability than CVE-2016-3586.

Exploits (3)

github WORKING POC 6 stars
by Y5neKO · pythonpoc
https://github.com/Y5neKO/ExpAndPoc_Collection/tree/main/CVE-2016-3510

This repository contains a functional exploit for CVE-2016-3510, which targets a deserialization vulnerability in WebLogic Server. The exploit uses a crafted T3 protocol request to send a malicious serialized object, leading to remote code execution.

Classification
Working Poc 95%
Attack Type
Deserialization
Complexity
Moderate
Reliability
Reliable
Target: Oracle WebLogic Server (versions affected by CVE-2016-3510)
No auth needed
Prerequisites: Network access to the target WebLogic Server · T3 protocol enabled on the target
devstral-2 · analyzed Feb 27, 2026 Full analysis →
nomisec WORKING POC 1 stars
by BabyTeam1024 · poc
https://github.com/BabyTeam1024/CVE-2016-3510

This repository contains a functional exploit for CVE-2016-3510, a deserialization vulnerability in Oracle WebLogic Server. The exploit includes code to execute arbitrary commands, install a remote RMI instance for persistent access, and interact with the target system via a shell.

Classification
Working Poc 95%
Attack Type
Deserialization
Complexity
Moderate
Reliability
Reliable
Target: Oracle WebLogic Server
No auth needed
Prerequisites: Network access to the WebLogic T3/T3S port · Vulnerable WebLogic Server version
devstral-2 · analyzed Feb 18, 2026 Full analysis →
metasploit WORKING POC MANUAL
by Andres Rodriguez · rubypocunix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/misc/weblogic_deserialize_marshalledobject.rb

This Metasploit module exploits a deserialization vulnerability in Oracle WebLogic Server (CVE-2016-3510) by sending a maliciously crafted MarshalledObject over the T3 protocol to achieve remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Oracle WebLogic Server (versions 10.3.6.0, 12.1.3.0, 12.2.1.0 and below)
No auth needed
Prerequisites: Network access to the T3 interface (default port 7001) · Vulnerable WebLogic Server version
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Oracle WebLogic Server Java Object Deserialization - Remote Code Execution
CRITICALVERIFIEDby iamnoooob,rootxharsh,pdresearch
Shodan: product:"oracle weblogic" || http.title:"oracle peoplesoft sign-in"
FOFA: title="oracle peoplesoft sign-in"

References (5)

Core 5
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1036373
Third Party Advisory x_refsource_misc
https://www.tenable.com/security/research/tra-2016-21
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/91787

Scores

CVSS v3 9.8
EPSS 0.9404
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

Status published
Products (3)
oracle/weblogic_server 10.3.6.0.0
oracle/weblogic_server 12.1.3.0.0
oracle/weblogic_server 12.2.1.0.0
Published Jul 21, 2016
Tracked Since Feb 18, 2026