CVE-2021-2394

CRITICAL

Oracle WebLogic Server <14.1.1.0.0 - RCE

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 4 public exploits for CVE-2021-2394. PoCs published by lz2y, freeide, BabyTeam1024.

AI-analyzed exploit summary This repository contains a functional exploit PoC for CVE-2021-2394, a deserialization vulnerability in Oracle WebLogic Server. The exploit leverages JNDI injection via IIOP and LDAP to achieve remote code execution by manipulating serialized objects and using reflection to bypass constructor checks.

Description

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Exploits (4)

nomisec WORKING POC 40 stars
by lz2y · poc
https://github.com/lz2y/CVE-2021-2394

This repository contains a functional exploit PoC for CVE-2021-2394, a deserialization vulnerability in Oracle WebLogic Server. The exploit leverages JNDI injection via IIOP and LDAP to achieve remote code execution by manipulating serialized objects and using reflection to bypass constructor checks.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Oracle WebLogic Server (versions affected by CVE-2021-2394)
No auth needed
Prerequisites: LDAP server for payload delivery · JDK version compatible with the exploit (e.g., JDK 8u121 or earlier for RMI, JDK 8u191 or earlier for LDAP)
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC 21 stars
by freeide · poc
https://github.com/freeide/CVE-2021-2394

This repository contains a functional exploit for CVE-2021-2394, a deserialization vulnerability in Oracle WebLogic Server. The exploit leverages IIOP protocol and JNDI injection to achieve remote code execution by crafting malicious serialized objects.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Oracle WebLogic Server (12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0)
No auth needed
Prerequisites: Access to a vulnerable WebLogic Server instance · LDAP server for payload delivery · Low version of JDK for testing
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC 9 stars
by BabyTeam1024 · poc
https://github.com/BabyTeam1024/CVE-2021-2394

This repository contains a functional exploit for CVE-2021-2394, a deserialization vulnerability in Oracle WebLogic Server. The exploit leverages a crafted payload to achieve remote code execution via JNDI injection and LDAP references.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Oracle WebLogic Server
No auth needed
Prerequisites: Network access to the target WebLogic Server · LDAP server to host the malicious payload
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (1)

Core 1
Core References

Scores

CVSS v3 9.8
EPSS 0.7657
EPSS Percentile 99.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

Status published
Products (5)
oracle/weblogic_server 10.3.6.0.0
oracle/weblogic_server 12.1.3.0.0
oracle/weblogic_server 12.2.1.3.0
oracle/weblogic_server 12.2.1.4.0
oracle/weblogic_server 14.1.1.0.0
Published Jul 21, 2021
Tracked Since Feb 18, 2026