CVE-2018-2893

CRITICAL · EXPLOITED IN THE WILD · NUCLEI

Oracle WebLogic Server <12.2.1.3 - RCE

Exploitation Summary

CVE-2018-2893 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 9 public exploits from researchers including pyn3rd, qianl0ng, bigsizeme. A Nuclei detection template is also available.

AI-analyzed exploit summary: This PoC exploits CVE-2018-2893, a deserialization vulnerability in Oracle WebLogic Server. It uses ysoserial to generate a malicious payload and sends it via a crafted T3 protocol request to achieve remote code execution.

Description

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Exploits (9)

nomisec WORKING POC 104 stars
by pyn3rd · remote
https://github.com/pyn3rd/CVE-2018-2893

This PoC exploits CVE-2018-2893, a deserialization vulnerability in Oracle WebLogic Server. It uses ysoserial to generate a malicious payload and sends it via a crafted T3 protocol request to achieve remote code execution.

Classification: Working PoC 95%
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Oracle WebLogic Server (versions affected by CVE-2018-2893)
No auth needed
Prerequisites: ysoserial-cve-2018-2893.jar · network access to target WebLogic server
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 47 stars
by qianl0ng · remote-auth
https://github.com/qianl0ng/CVE-2018-2893

This is a functional exploit for CVE-2018-2893, a deserialization vulnerability in Oracle WebLogic Server. It sends a crafted T3 protocol payload to achieve remote code execution (RCE) by establishing a reverse shell.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Oracle WebLogic Server (12.2.1 and earlier)
No auth needed
Prerequisites: Network access to the target WebLogic Server · Target must be vulnerable to CVE-2018-2893
devstral-2 · analyzed Feb 16, 2026

nomisec SUSPICIOUS 17 stars
by bigsizeme · poc
https://github.com/bigsizeme/CVE-2018-2893

The repository claims to be a reverse shell generator for CVE-2018-2893 but lacks actual exploit code or technical details. The README suggests it is a tool for generating payloads but does not provide functional PoC code.

Classification: Suspicious 70%
Attack Type: Other
Complexity: Theoretical
Reliability: Theoretical
Target: Oracle WebLogic Server (claimed, but unverified)
No auth needed
Prerequisites: none specified
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 13 stars
by jas502n · remote
https://github.com/jas502n/CVE-2018-2893

This repository contains a working exploit for CVE-2018-2893, a deserialization vulnerability in Oracle WebLogic Server. The exploit sends a malicious payload to achieve remote code execution (RCE) via a reverse shell.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Oracle WebLogic Server
No auth needed
Prerequisites: Network access to the target WebLogic Server · A vulnerable version of WebLogic Server (e.g., 12.2.1.3.0)
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by ianxtianxt · remote
https://github.com/ianxtianxt/CVE-2018-2893

This Python script exploits CVE-2018-2893, a deserialization vulnerability in Oracle WebLogic Server. It sends a crafted T3 protocol payload to achieve remote code execution (RCE) by leveraging insecure deserialization.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Oracle WebLogic Server 12.2.1.3.0, 12.2.1.2.0, 12.2.1.1.0, 12.1.3.0.0
No auth needed
Prerequisites: Network access to the target WebLogic Server · T3 protocol enabled on the target
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by artofwar344 · remote-auth
https://github.com/artofwar344/CVE-2018-2893

This PoC exploits CVE-2018-2893, a deserialization vulnerability in Oracle WebLogic Server. It uses ysoserial to generate a malicious payload and sends it via a crafted T3 protocol request to achieve remote code execution.

Classification: Working PoC 95%
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Oracle WebLogic Server
No auth needed
Prerequisites: ysoserial-cve-2018-2893.jar · network access to target WebLogic server
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by Draven996 · poc
https://github.com/Draven996/CVE-2018-2893

This is a Python-based exploit for CVE-2018-2893, a deserialization vulnerability in Oracle WebLogic Server. The script performs a T3 handshake, sends a malicious payload, and checks for vulnerability confirmation.

Classification: Working PoC 95%
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Oracle WebLogic Server
No auth needed
Prerequisites: Network access to the target WebLogic Server · T3 protocol enabled on the target
devstral-2 · analyzed Feb 16, 2026

vulncheck_xdb SCANNER
remote
https://github.com/0xn0ne/weblogicScanner

This repository contains a Python-based scanner for detecting multiple WebLogic vulnerabilities, including CVE-2018-2893. It sends HTTP requests to check for the presence of vulnerabilities but does not include exploit code for achieving remote code execution or other offensive actions.

Classification: Scanner 95%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: Oracle WebLogic Server
No auth needed
Prerequisites: network access to target WebLogic server
devstral-2 · analyzed Feb 25, 2026

vulncheck_xdb WORKING POC
remote
https://github.com/sry309/CVE-2018-2893

This repository contains a functional Python exploit for CVE-2018-2893, a deserialization vulnerability in Oracle WebLogic Server. The script performs a T3 handshake, sends a crafted payload, and checks for vulnerability confirmation.

Classification: Working PoC 95%
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Oracle WebLogic Server
No auth needed
Prerequisites: network access to target WebLogic Server · T3 protocol enabled
devstral-2 · analyzed Feb 25, 2026

Nuclei Templates (1)

Oracle WebLogic Server - Remote Code Execution
CRITICAL · by milo2012
Shodan: product:"oracle weblogic" || http.title:"oracle peoplesoft sign-in"
FOFA: title="oracle peoplesoft sign-in"

References (3)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/104763
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1041301

Scores

CVSS v3 9.8
EPSS 0.9428
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

VulnCheck KEV 2018-07-20
InTheWild.io 2018-07-26
Status published
Products (4)
oracle/weblogic_server 10.3.6.0.0
oracle/weblogic_server 12.1.3.0.0
oracle/weblogic_server 12.2.1.2.0
oracle/weblogic_server 12.2.1.3
Published Jul 18, 2018
Tracked Since Feb 18, 2026