CVE-2022-21445

CRITICAL KEV

Oracle ADF 12.2.1.3.0/12.2.1.4.0 - RCE via Deserialization


Exploitation Summary

CVE-2022-21445 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added September 18, 2024. EIP tracks 2 public exploits from researchers including hienkiet and NeCr00.

AI-analyzed exploit summary: This repository provides a detailed writeup and setup instructions for exploiting CVE-2022-21445, a deserialization vulnerability in Oracle WebLogic and Oracle Business Intelligence. It includes environment setup steps but lacks actual exploit code.

Description

Vulnerability in the Oracle Application Development Framework (ADF) product of Oracle Fusion Middleware (component: ADF Faces). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. This easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Application Development Framework (ADF). Successful attacks of this vulnerability can result in takeover of Oracle Application Development Framework (ADF). Note: Oracle Application Development Framework (ADF) is downloaded via the Oracle JDeveloper product. Please refer to the Fusion Middleware Patch Advisor for more details. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Exploits (2)

nomisec WRITEUP 3 stars
by hienkiet · remote
https://github.com/hienkiet/CVE-2022-21445-for-12.2.1.3.0-Weblogic

This repository provides a detailed writeup and setup instructions for exploiting CVE-2022-21445, a deserialization vulnerability in Oracle WebLogic and Oracle Business Intelligence. It includes environment setup steps but lacks actual exploit code.

Classification: Writeup (90%)
Attack Type: Deserialization
Complexity: Complex
Reliability: Theoretical
Target: Oracle WebLogic 12.2.1.3.0, Oracle Business Intelligence 12.2.1.4.0
Authentication: none needed
Prerequisites: Oracle WebLogic or Oracle Business Intelligence installation · Java JDK 8u112 or higher · Access to vulnerable endpoint
Analyzed by devstral-2 on Feb 16, 2026

nomisec WORKING POC
by NeCr00 · remote
https://github.com/NeCr00/CVE-2022-21445

This repository contains a functional exploit for CVE-2022-21445, a Java deserialization vulnerability in Oracle WebLogic Server 12.2.1.x. The exploit generates payloads for RCE via crafted HTTP GET requests targeting the RemoteApplicationResourceLoader component.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Oracle WebLogic Server 12.2.1.3, 12.2.1.4
Authentication: none needed
Prerequisites: Python 3.6+ · JDK 1.8 · Oracle WebLogic JARs (extracted from Docker image)
Analyzed by devstral-2 on Feb 27, 2026

Scores

CVSS v3: 9.8
EPSS: 0.6201
EPSS Percentile: 99.1%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC (Vulnrichment)

Exploitation: active
Automatable: yes
Technical Impact: total

Details

CISA KEV: 2024-09-18
VulnCheck KEV: 2023-10-08
InTheWild.io: 2024-09-18
ENISA EUVD: EUVD-2022-26669
CWE: CWE-502
Status: published

Products (2)

oracle/application_development_framework 12.2.1.3.0
oracle/application_development_framework 12.2.1.4.0

Published: Apr 19, 2022
KEV Added: Sep 18, 2024
Tracked Since: Feb 18, 2026