CVE-2018-2894

CRITICAL EXPLOITED RANSOMWARE NUCLEI

Oracle WebLogic Server <12.2.1.3 - RCE

Title source: llm

Exploitation Summary

CVE-2018-2894 has been observed exploited in the wild (reported by VulnCheck KEV), including in ransomware campaigns. EIP tracks 5 public exploits from researchers including LandGrey, k8gege, jas502n. A Nuclei detection template is also available.

AI-analyzed exploit summary: This PoC exploits CVE-2018-2894, an unauthenticated arbitrary file upload vulnerability in Oracle WebLogic Server. It uploads a test file to a predictable path and verifies its presence, demonstrating the vulnerability.

Description

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS - Web Services). Supported versions that are affected are 12.1.3.0, 12.2.1.2 and 12.2.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Exploits (5)

nomisec WORKING POC 140 stars
by LandGrey · remote
https://github.com/LandGrey/CVE-2018-2894

This PoC exploits CVE-2018-2894, an unauthenticated arbitrary file upload vulnerability in Oracle WebLogic Server. It uploads a test file to a predictable path and verifies its presence, demonstrating the vulnerability.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Oracle WebLogic Server
No auth needed
Prerequisites: Network access to the WebLogic Server administration interface · WebLogic Server with vulnerable endpoint exposed
devstral-2 · analyzed Feb 16, 2026

nomisec SCANNER 51 stars
by k8gege · remote
https://github.com/k8gege/PyLadon

The repository contains a scanner tool (Ladon) with multiple modules, including a check for CVE-2018-2894 (WebLogic deserialization vulnerability). The CVE-2018-2894.py script verifies the presence of the vulnerability by checking the status code of a specific endpoint.

Classification: Scanner 90%
Attack Type: Deserialization
Complexity: Trivial
Reliability: Reliable
Target: Oracle WebLogic Server
No auth needed
Prerequisites: Network access to the target WebLogic server
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 18 stars
by jas502n · remote
https://github.com/jas502n/CVE-2018-2894

This is a functional exploit for CVE-2018-2894, an arbitrary file upload vulnerability in Oracle WebLogic Server. The script automates the process of changing the work directory and uploading a JSP webshell to achieve remote code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Oracle WebLogic Server 12.2.1.3
No auth needed
Prerequisites: WebLogic Server with Web Service Test Page enabled · Network access to the target server
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 15 stars
by 111ddea · remote
https://github.com/111ddea/cve-2018-2894

This repository contains a Python script that exploits CVE-2018-2894, an arbitrary file upload vulnerability in Oracle WebLogic Server. The script uploads a malicious JSP file to a vulnerable endpoint and executes commands (e.g., 'whoami') to demonstrate remote code execution (RCE).

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Oracle WebLogic Server (versions affected by CVE-2018-2894)
No auth needed
Prerequisites: Network access to the WebLogic Server console · Vulnerable WebLogic Server instance
devstral-2 · analyzed Feb 16, 2026

vulncheck_xdb SCANNER
remote
https://github.com/0xn0ne/weblogicScanner

This repository contains a Python-based scanner for detecting multiple WebLogic vulnerabilities, including CVE-2018-2894. It checks for the presence of vulnerable modules but does not exploit them.

Classification: Scanner 95%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: Oracle WebLogic Server
No auth needed
Prerequisites: Network access to the target WebLogic server
devstral-2 · analyzed Feb 25, 2026

Nuclei Templates (1)

Oracle WebLogic Server - Remote Code Execution
CRITICAL · by geeknik, pdteam
Shodan: http.title:"oracle peoplesoft sign-in" || product:"oracle weblogic"
FOFA: title="oracle peoplesoft sign-in"

References (3)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/104763
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1041301

Scores

CVSS v3: 9.8
EPSS: 0.9429
EPSS Percentile: 99.9%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: total

Details

VulnCheck KEV: 2019-01-08
Ransomware Use: Confirmed
Status: published
Products (4):
oracle/weblogic_server 10.3.6.0.0
oracle/weblogic_server 12.1.3.0.0
oracle/weblogic_server 12.2.1.2.0
oracle/weblogic_server 12.2.1.3
Published: Jul 18, 2018
Tracked Since: Feb 18, 2026