CVE-2018-3191

CRITICAL

Oracle WebLogic Server <12.2.1.3 - RCE

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 5 public exploits for CVE-2018-3191. PoCs published by jas502n, Libraggbond, mackleadmire.

AI-analyzed exploit summary This repository contains a working proof-of-concept exploit for CVE-2018-3191, a deserialization vulnerability in Oracle WebLogic Server. The exploit leverages the T3 protocol to send a malicious payload, resulting in remote code execution (RCE) on vulnerable systems.

Description

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0, 12.1.3.0 and 12.2.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Exploits (5)

nomisec WORKING POC 68 stars
by jas502n · poc
https://github.com/jas502n/CVE-2018-3191

This repository contains a working proof-of-concept exploit for CVE-2018-3191, a deserialization vulnerability in Oracle WebLogic Server. The exploit leverages the T3 protocol to send a malicious payload, resulting in remote code execution (RCE) on vulnerable systems.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Oracle WebLogic Server (versions 10.3.6.0, 12.2.1.3, 12.2.1.0, 12.1.3.0, 12.2.1.1)
No auth needed
Prerequisites: Access to a vulnerable WebLogic Server instance · Network connectivity to the target server on the T3 protocol port (typically 7001)
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 63 stars
by Libraggbond · poc
https://github.com/Libraggbond/CVE-2018-3191

This repository contains a working exploit for CVE-2018-3191, a deserialization vulnerability in Oracle WebLogic Server. The exploit uses ysoserial to generate a malicious payload and establishes a reverse shell via a JRMP listener.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Oracle WebLogic Server (10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3)
No auth needed
Prerequisites: ysoserial.jar · weblogic-spring-jndi-10.3.6.0.jar · access to target WebLogic Server
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 17 stars
by mackleadmire · poc
https://github.com/mackleadmire/CVE-2018-3191-Rce-Exploit

This repository contains a functional exploit for CVE-2018-3191, targeting Oracle WebLogic Server via JNDI injection and RMI deserialization to achieve remote code execution (RCE). The exploit involves generating a malicious payload, hosting it on an RMI server, and triggering deserialization in WebLogic to execute arbitrary code.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Oracle WebLogic Server
No auth needed
Prerequisites: Access to a vulnerable WebLogic Server instance · Ability to host an RMI server and HTTP server for payload delivery · Network connectivity to the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 1 stars
by m00zh33 · poc
https://github.com/m00zh33/CVE-2018-3191

This repository provides a Java-based exploit for CVE-2018-3191, a JNDI injection vulnerability in Oracle WebLogic Server. The exploit leverages JNDI to achieve remote code execution by connecting to a malicious RMI server.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Oracle WebLogic Server (10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1, 12.2.1.3)
No auth needed
Prerequisites: Access to a vulnerable WebLogic Server instance · A malicious RMI server to host the exploit payload
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by arongmh · poc
https://github.com/arongmh/CVE-2018-3191

This repository provides a payload generator for CVE-2018-3191, a deserialization vulnerability in Oracle WebLogic Server. It generates JNDI payloads to exploit the vulnerability, allowing remote code execution.

Classification
Working Poc 90%
Attack Type
Deserialization
Complexity
Moderate
Reliability
Reliable
Target: Oracle WebLogic Server (10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1, 12.2.1.3)
No auth needed
Prerequisites: Access to a vulnerable WebLogic Server instance · Java runtime environment to execute the payload generator
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/105613
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1041896

Scores

CVSS v3 9.8
EPSS 0.9202
EPSS Percentile 99.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

Status published
Products (3)
oracle/weblogic_server 10.3.6.0.0
oracle/weblogic_server 12.1.3.0.0
oracle/weblogic_server 12.2.1.3.0
Published Oct 17, 2018
Tracked Since Feb 18, 2026