CVE-2020-14883

HIGH · KEV · NUCLEI

Oracle WebLogic Server <14.1.1.0.0 - RCE

Title source: llm

Exploitation Summary

CVE-2020-14883 is actively exploited and is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021. EIP tracks 8 public exploits, from researchers including 1n7erface, murataydemir and B1anda0, as well as a Metasploit module (exploits/multi/http/weblogic_admin_handle_rce). A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository is a list of PoCs for various vulnerabilities, including CVE-2020-14883. It does not contain actual exploit code but references multiple vulnerabilities and their corresponding PoCs.

Description

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

Exploits (8)

nomisec WRITEUP 1,079 stars
by 1n7erface · poc
https://github.com/1n7erface/PocList

This repository is a list of PoCs for various vulnerabilities, including CVE-2020-14883. It does not contain actual exploit code but references multiple vulnerabilities and their corresponding PoCs.

Classification: Writeup 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: Multiple (including Oracle WebLogic, Apache Solr, etc.)
No auth needed
Prerequisites: Access to the repository
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 13 stars
by murataydemir · remote
https://github.com/murataydemir/CVE-2020-14883

This repository provides multiple proof-of-concept exploits for CVE-2020-14883, an RCE vulnerability in Oracle WebLogic Server. The PoCs demonstrate command execution via deserialization and Spring context manipulation, targeting both Windows and Linux systems.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Oracle WebLogic Server (10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0)
No auth needed
Prerequisites: Network access to the target WebLogic Server · HTTP server to host malicious XML files for some PoCs
devstral-2 · analyzed Feb 16, 2026
nomisec SCANNER 7 stars
by B1anda0 · remote
https://github.com/B1anda0/CVE-2020-14883

This repository contains a Python script for batch detection of CVE-2020-14883, a WebLogic authentication bypass vulnerability. The script checks for the presence of the vulnerability by sending a crafted request to a specified path and verifying the response.

Classification: Scanner 90%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Oracle WebLogic Server
No auth needed
Prerequisites: Target IP addresses and port number
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 5 stars
by fan1029 · poc
https://github.com/fan1029/CVE-2020-14883EXP

This repository contains a functional exploit for CVE-2020-14883, targeting Oracle WebLogic Server versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0. The exploit leverages unauthenticated access to execute arbitrary commands via MVEL expression injection.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Oracle WebLogic Server (10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0)
No auth needed
Prerequisites: Network access to the WebLogic console · Vulnerable WebLogic version
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC
by amacloudobia · infoleak
https://github.com/amacloudobia/CVE-2020-14883

This repository contains a Python script and a README demonstrating CVE-2020-14883, an RCE vulnerability in Oracle WebLogic Server. The exploit leverages MVEL expression injection to execute arbitrary commands.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Oracle WebLogic Server
No auth needed
Prerequisites: Network access to the WebLogic Server console
devstral-2 · analyzed Feb 16, 2026
nomisec SCANNER
by Osyanina · poc
https://github.com/Osyanina/westone-CVE-2020-14883-scanner

This repository contains a scanner for CVE-2020-14883, an authentication bypass vulnerability in Oracle WebLogic Server. The scanner is designed to detect vulnerable instances by sending crafted HTTP requests.

Classification: Scanner 90%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Oracle WebLogic Server versions 10.3.6.0, 12.1.3.0, 12.2.1.3, 12.2.1.4, 14.1.1.0
No auth needed
Prerequisites: Network access to the target WebLogic Server · CVE-2020-14883.exe executable
devstral-2 · analyzed Feb 16, 2026
vulncheck_xdb SCANNER
remote
https://github.com/0xn0ne/weblogicScanner

This repository contains a Python-based scanner for detecting multiple WebLogic vulnerabilities, including CVE-2020-14883. It sends HTTP requests to check for vulnerable endpoints but does not include exploit code for achieving RCE or other offensive actions.

Classification: Scanner 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Oracle WebLogic Server
No auth needed
Prerequisites: Network access to WebLogic server · Target server running vulnerable version
devstral-2 · analyzed Feb 25, 2026
metasploit WORKING POC EXCELLENT
by voidfyoo, Jang, wvu · ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/weblogic_admin_handle_rce.rb

This Metasploit module exploits a path traversal and Java class instantiation vulnerability in Oracle WebLogic Server's Administration Console to achieve remote code execution. It supports multiple targets (Unix, Linux, Windows) and payload types, leveraging a gadget chain for command execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Oracle WebLogic Server (10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0)
No auth needed
Prerequisites: Network access to WebLogic Administration Console (port 7001 by default) · Vulnerable WebLogic version
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Oracle Fusion Middleware WebLogic Server Administration Console - Remote Code Execution
HIGH · VERIFIED · by pdteam, vicrack
Shodan: title:"Oracle PeopleSoft Sign-in" || product:"oracle weblogic" || http.title:"oracle peoplesoft sign-in"
FOFA: title="oracle peoplesoft sign-in"

Scores

CVSS v3: 7.2
EPSS: 0.9444
EPSS Percentile: 100.0%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: active
Automatable: no
Technical Impact: total

Details

CISA KEV: 2021-11-03
VulnCheck KEV: 2021-11-03
InTheWild.io: 2021-07-23
ENISA EUVD: EUVD-2020-7019
Status: published
Products (5):
oracle/weblogic_server 10.3.6.0.0
oracle/weblogic_server 12.1.3.0.0
oracle/weblogic_server 12.2.1.3.0
oracle/weblogic_server 12.2.1.4.0
oracle/weblogic_server 14.1.1.0.0
Published: Oct 21, 2020
KEV Added: Nov 03, 2021
Tracked Since: Feb 18, 2026