CVE-2022-21371

HIGH EXPLOITED IN THE WILD NUCLEI

Oracle WebLogic Server 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 - Unauthenticated Path Traversal via HTTP

Title source: llm

Exploitation Summary

CVE-2022-21371 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 4 public exploits from researchers including Jonah Tan, Mr-xn, Vulnmachines. A Nuclei detection template is also available.

AI-analyzed exploit summary This exploit demonstrates a Local File Inclusion (LFI) vulnerability in Oracle WebLogic Server, allowing unauthenticated attackers to access sensitive files via HTTP requests. The PoC includes specific paths to retrieve configuration files like MANIFEST.MF and web.xml.

Description

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Container). Supported versions that are affected are 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Exploits (4)

exploitdb WORKING POC

by Jonah Tan · textremotewindows

https://www.exploit-db.com/exploits/50688

View Code ZIP pw:eip

This exploit demonstrates a Local File Inclusion (LFI) vulnerability in Oracle WebLogic Server, allowing unauthenticated attackers to access sensitive files via HTTP requests. The PoC includes specific paths to retrieve configuration files like MANIFEST.MF and web.xml.

Classification

Working Poc 90%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Oracle WebLogic Server 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0

No auth needed

Prerequisites: Network access to the target WebLogic Server

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 27 stars

by Mr-xn · infoleak

https://github.com/Mr-xn/CVE-2022-21371

View Code ZIP pw:eip

This PoC demonstrates a Local File Inclusion (LFI) vulnerability in Oracle WebLogic Server, allowing unauthenticated attackers to access sensitive files via HTTP requests. The exploit targets specific paths to retrieve configuration files like MANIFEST.MF and web.xml.

Classification

Working Poc 90%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Oracle WebLogic Server 12.1.3.0.0 / 12.2.1.3.0 / 12.2.1.4.0 / 14.1.1.0.0

No auth needed

Prerequisites: Network access to the target WebLogic Server

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1083 - File and Directory Discovery

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 19 stars

by Vulnmachines · poc

https://github.com/Vulnmachines/Oracle-WebLogic-CVE-2022-21371

View Code ZIP pw:eip

This repository provides a proof-of-concept for CVE-2022-21371, an unauthenticated local file inclusion vulnerability in Oracle WebLogic Server. The PoC demonstrates how to access sensitive files via HTTP GET requests.

Classification

Working Poc 90%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Oracle WebLogic Server (12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0)

No auth needed

Prerequisites: Network access to the target WebLogic Server

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec SCANNER 1 stars

by Cappricio-Securities · poc

https://github.com/Cappricio-Securities/CVE-2022-21371

View Code ZIP pw:eip

This repository contains a Python-based scanner for detecting CVE-2022-21371, a vulnerability in Oracle WebLogic Server. The tool checks for exposed endpoints and can notify users via Telegram.

Classification

Scanner 90%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Oracle WebLogic Server

No auth needed

Prerequisites: Network access to the target WebLogic Server

MITRE ATT&CK

T1592 - Gather Victim Host Information

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Oracle WebLogic Server Local File Inclusion

HIGHby paradessia,narluin

Shodan: http.title:"oracle peoplesoft sign-in" || product:"oracle weblogic"

FOFA: title="oracle peoplesoft sign-in"

References (2)

Core 2

Core References

Vendor Advisory x_refsource_misc

https://www.oracle.com/security-alerts/cpujan2022.html

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/165736/Oracle-WebLogic-Server-14.1.1.0.0-Local-File-Inclusion.html

Scores

CVSS v3 7.5

EPSS 0.9233

EPSS Percentile 99.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

VulnCheck KEV 2022-08-19

InTheWild.io 2022-08-19

CWE

CWE-22

Status published

Products (4)

oracle/weblogic_server 12.1.3.0.0

oracle/weblogic_server 12.2.1.3.0

oracle/weblogic_server 12.2.1.4.0

oracle/weblogic_server 14.1.1.0.0

Published Jan 19, 2022

Tracked Since Feb 18, 2026