CVE-2022-21306

CRITICAL

Oracle WebLogic Server <14.1.1.0.0 - RCE

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-21306. PoCs published by hktalent.

AI-analyzed exploit summary The repository contains commented-out code snippets for CVE-2022-21306, a WebLogic Server vulnerability, but none are functional or executable. The README explicitly states the code is non-working and only provides conceptual ideas.

Description

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Exploits (1)

nomisec STUB 1 stars

by hktalent · poc

https://github.com/hktalent/CVE-2022-21306

View Code ZIP pw:eip

The repository contains commented-out code snippets for CVE-2022-21306, a WebLogic Server vulnerability, but none are functional or executable. The README explicitly states the code is non-working and only provides conceptual ideas.

Classification

Stub 90%

Attack Type

Deserialization

Complexity

Moderate

Reliability

Theoretical

Target: Oracle WebLogic Server

No auth needed

Prerequisites: Network access to WebLogic Server · Vulnerable WebLogic version

MITRE ATT&CK

T1189 - Drive-by Compromise T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1

Core References

Vendor Advisory x_refsource_misc

https://www.oracle.com/security-alerts/cpujan2022.html

Scores

CVSS v3 9.8

EPSS 0.0414

EPSS Percentile 89.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

Status published

Products (4)

oracle/weblogic_server 12.1.3.0.0

oracle/weblogic_server 12.2.1.3.0

oracle/weblogic_server 12.2.1.4.0

oracle/weblogic_server 14.1.1.0.0

Published Jan 19, 2022

Tracked Since Feb 18, 2026