CVE-2020-14756

Severity: Critical · Exploited in the wild

Oracle Coherence <=14.1.1.0.0 - Unauthenticated Remote Code Execution via IIOP/T3


Exploitation Summary

CVE-2020-14756 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits from researchers including Y4er and somatrasss.

AI-analyzed exploit summary: This repository contains a working PoC for CVE-2020-14756, a deserialization vulnerability in Oracle WebLogic Server. The exploit leverages the MvelExtractor class to achieve remote code execution (RCE) via crafted serialized data sent over the T3 protocol.

Description

Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Core Components). Supported versions that are affected are 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP, T3 to compromise Oracle Coherence. Successful attacks of this vulnerability can result in takeover of Oracle Coherence. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Exploits (2)

Y4er/CVE-2020-14756 (nomisec · working PoC · 80 stars)
by Y4er · remote
https://github.com/Y4er/CVE-2020-14756


Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Oracle WebLogic Server 12.2.1.4.0 (and likely others)
Authentication: none needed
Prerequisites: Network access to WebLogic T3/IIOP port (typically 7001) · Vulnerable version of WebLogic Server
Analyzed by devstral-2 on Feb 16, 2026

somatrasss/weblogic2021 (nomisec · scanner · 12 stars)
by somatrasss · poc
https://github.com/somatrasss/weblogic2021

This repository contains a Python script to scan for multiple WebLogic vulnerabilities, including CVE-2020-14756. The script checks for unauthenticated access to a specific path to determine vulnerability.

Classification: Scanner (90%)
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Oracle WebLogic Server
Authentication: none needed
Prerequisites: Network access to the target WebLogic Server
Analyzed by devstral-2 on Feb 16, 2026

References (2)

Patch, Vendor Advisory: https://www.oracle.com/security-alerts/cpujan2021.html
Patch, Vendor Advisory: https://www.oracle.com/security-alerts/cpujan2022.html

Scores

CVSS v3 9.8
EPSS 0.7475
EPSS Percentile 99.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

VulnCheck KEV 2024-11-20
Status published
Products (11)
oracle/coherence 3.7.1.0
oracle/coherence 12.1.3.0.0
oracle/coherence 12.2.1.3.0
oracle/coherence 12.2.1.4.0
oracle/coherence 14.1.1.0.0
oracle/utilities_framework 4.2.0.2.0
oracle/utilities_framework 4.2.0.3.0
oracle/utilities_framework 4.4.0.0.0
oracle/utilities_framework 4.4.0.2.0
oracle/utilities_framework 4.4.0.3.0
... and 1 more
Published Jan 20, 2021
Tracked Since Feb 18, 2026