CVE-2020-14644

CRITICAL KEV NUCLEI

Oracle WebLogic Server <14.1.1.0.0 - RCE

Title source: llm

Description

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP, T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Exploits (1)

nomisec WORKING POC 2 stars

by 0xkami · poc

https://github.com/0xkami/cve-2020-14644

View Code ZIP pw:eip

Nuclei Templates (1)

Oracle WebLogic Server - Remote Code Execution (Insecure Deserialization)

CRITICALby hnd3884

Shodan: cpe:"cpe:2.3:a:oracle:weblogic_server" || product:"WebLogic" || http.server:"WebLogic" || port:7001

FOFA: product="WebLogic" || header="WebLogic Server"

References (2)

[Vendor Advisory] https://www.oracle.com/security-alerts/cpujul2020.html

[US Government Resource] https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-14644

Scores

CVSS v3 9.8

EPSS 0.9364

EPSS Percentile 99.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CISA KEV 2024-09-18

VulnCheck KEV 2024-09-18

InTheWild.io 2024-09-18

ENISA EUVD EUVD-2020-6780

Status published

Products (3)

oracle/weblogic_server 12.2.1.3.0

oracle/weblogic_server 12.2.1.4.0

oracle/weblogic_server 14.1.1.0.0

Published Jul 15, 2020

KEV Added Sep 18, 2024

Tracked Since Feb 18, 2026