CVE-2017-3506

Severity: HIGH · CISA KEV · Nuclei template available

Oracle WebLogic Server 10.3.6.0, 12.1.3.0, 12.2.1.0-12.2.1.2 - Unauthenticated OS Command Injection via HTTP

Title source: llm

Exploitation Summary

CVE-2017-3506 is actively exploited and is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added on June 3, 2024. EIP tracks 3 public exploits from researchers including Al1ex and ianxtianxt. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains a proof-of-concept exploit for CVE-2017-3506, a WebLogic XMLDecoder deserialization vulnerability. It includes functionality to check for the vulnerability and to execute a reverse shell by uploading a JSP file.

Description

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1 and 12.2.1.2. This difficult-to-exploit vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks can result in unauthorized creation, deletion or modification of critical data or of all Oracle WebLogic Server accessible data, as well as unauthorized read access to critical data or complete read access to all Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N.

Exploits (3)

nomisec · WORKING POC · 10 stars
by Al1ex · poc
https://github.com/Al1ex/CVE-2017-3506
Classification: Working PoC (90%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Oracle WebLogic Server
Authentication: none required
Prerequisites: network access to the target WebLogic server; Java runtime environment
Analyzed by devstral-2 on Feb 16, 2026
nomisec · NO CODE · 3 stars
by ianxtianxt · poc
https://github.com/ianxtianxt/CVE-2017-3506

vulncheck_xdb · SCANNER · remote
https://github.com/0xn0ne/weblogicScanner

This repository contains a Python-based scanner for detecting multiple WebLogic vulnerabilities, including CVE-2017-3506. It checks for the presence of vulnerabilities but does not exploit them.

Classification: Scanner (95%)
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: Oracle WebLogic Server
Authentication: none required
Prerequisites: network access to the target WebLogic server
Analyzed by devstral-2 on Feb 25, 2026

Nuclei Templates (1)

Oracle Fusion Middleware Weblogic Server - Remote OS Command Execution
Severity: HIGH · by pdteam
Shodan query: http.title:"oracle peoplesoft sign-in" || product:"oracle weblogic"
FOFA query: title="oracle peoplesoft sign-in"

References (4)

Core References
http://www.securitytracker.com/id/1038296 (Broken Link, Third Party Advisory, VDB Entry; x_refsource_sectrack)
http://www.securityfocus.com/bid/97884 (Broken Link, Third Party Advisory, VDB Entry; x_refsource_bid)

Scores

CVSS v3: 7.4
EPSS: 0.9441
EPSS Percentile: 100.0%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Source: Vulnrichment
Exploitation: active
Automatable: no
Technical Impact: total

Details

CISA KEV: 2024-06-03
VulnCheck KEV: 2023-05-16
InTheWild.io: 2018-01-02
ENISA EUVD: EUVD-2017-12627
CWE: CWE-78
Status: published
Products (10)
oracle/weblogic_server 10.3.6.0.0
oracle/weblogic_server 12.1.3.0.0
oracle/weblogic_server 12.2.1.0.0
oracle/weblogic_server 12.2.1.1.0
oracle/weblogic_server 12.2.1.2.0
Oracle Corporation/WebLogic Server 10.3.6.0
Oracle Corporation/WebLogic Server 12.1.3.0
Oracle Corporation/WebLogic Server 12.2.1.0
Oracle Corporation/WebLogic Server 12.2.1.1
Oracle Corporation/WebLogic Server 12.2.1.2
Published: Apr 24, 2017
KEV Added: Jun 03, 2024
Tracked Since: Feb 18, 2026