CVE-2021-2302

CRITICAL

Oracle Fusion Middleware <12.2.1.4.0 - RCE

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-2302. PoCs published by quynhle7821.

AI-analyzed exploit summary This repository contains a functional PoC for CVE-2021-2302, a deserialization vulnerability in Oracle WebLogic Server. The exploit leverages a gadget chain involving BadAttributeValueExpException and UnresolvedPrincipal to achieve RCE via MVEL expression execution.

Description

Vulnerability in the Oracle Platform Security for Java product of Oracle Fusion Middleware (component: OPSS). Supported versions that are affected are 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Platform Security for Java. Successful attacks of this vulnerability can result in takeover of Oracle Platform Security for Java. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Exploits (1)

nomisec WORKING POC 9 stars
by quynhle7821 · poc
https://github.com/quynhle7821/CVE-2021-2302

This repository contains a functional PoC for CVE-2021-2302, a deserialization vulnerability in Oracle WebLogic Server. The exploit leverages a gadget chain involving BadAttributeValueExpException and UnresolvedPrincipal to achieve RCE via MVEL expression execution.

Classification
Working Poc 95%
Attack Type
Deserialization
Complexity
Moderate
Reliability
Reliable
Target: Oracle WebLogic Server 12.1.2.3, Oracle Business Intelligence 12.1.2.4
No auth needed
Prerequisites: Network access to vulnerable Oracle WebLogic Server · Ability to send crafted serialized objects
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (2)

Core 2
Core References
Patch, Vendor Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuapr2021.html
Third Party Advisory, VDB Entry x_refsource_misc
https://www.zerodayinitiative.com/advisories/ZDI-21-460/

Scores

CVSS v3 9.8
EPSS 0.0567
EPSS Percentile 92.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

Status published
Products (3)
oracle/platform_security_for_java 11.1.1.9.0
oracle/platform_security_for_java 12.2.1.3.0
oracle/platform_security_for_java 12.2.1.4.0
Published Apr 22, 2021
Tracked Since Feb 18, 2026