CVE-2021-2456

CRITICAL

Oracle Fusion Middleware 12.2.1.4.0 - Unauthenticated RCE

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-2456. PoCs published by peterjson31337.

AI-analyzed exploit summary This repository contains a functional exploit PoC for CVE-2021-2456, which leverages deserialization to achieve remote code execution. The script sends a crafted serialized payload to a target URL with a custom header containing commands to execute.

Description

Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Analytics Web General). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in takeover of Oracle Business Intelligence Enterprise Edition. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Exploits (1)

nomisec WORKING POC 6 stars

by peterjson31337 · poc

https://github.com/peterjson31337/CVE-2021-2456

View Code ZIP pw:eip

This repository contains a functional exploit PoC for CVE-2021-2456, which leverages deserialization to achieve remote code execution. The script sends a crafted serialized payload to a target URL with a custom header containing commands to execute.

Classification

Working Poc 90%

Attack Type

Deserialization

Complexity

Moderate

Reliability

Reliable

Target: Oracle Business Intelligence Enterprise Edition (OBIEE)

No auth needed

Prerequisites: Target URL · Serialized payload file (poc.ser)

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (2)

Core 2

Core References

Vendor Advisory x_refsource_misc

https://www.oracle.com/security-alerts/cpujul2021.html

Third Party Advisory x_refsource_misc

https://www.zerodayinitiative.com/advisories/ZDI-21-885/

Scores

CVSS v3 9.8

EPSS 0.7309

EPSS Percentile 98.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

Status published

Products (1)

oracle/business_intelligence 12.2.1.4.0

Published Jul 21, 2021

Tracked Since Feb 18, 2026