CVE-2022-21587

CRITICAL KEV RANSOMWARE NUCLEI

Oracle E-Business Suite (EBS) Unauthenticated Arbitrary File Upload

Title source: metasploit

Exploitation Summary

CVE-2022-21587 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog (added February 2, 2023), with confirmed use in ransomware campaigns. EIP tracks 5 public exploits, from researchers including hieuminhnv, sahabrifki and rockmelodies, among them the Metasploit module exploits/linux/http/oracle_ebs_rce_cve_2022_21587. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains two Python scripts exploiting CVE-2022-21587, a vulnerability in Oracle E-Business Suite. The exploits achieve remote code execution by uploading malicious JSP or Perl scripts via a file upload vulnerability in the BneUploaderService endpoint.

Description

Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component: Upload). Supported versions that are affected are 12.2.3-12.2.11. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator. Successful attacks of this vulnerability can result in takeover of Oracle Web Applications Desktop Integrator. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Exploits (5)

nomisec WORKING POC 15 stars
by hieuminhnv · remote
https://github.com/hieuminhnv/CVE-2022-21587-POC

This repository contains two Python scripts exploiting CVE-2022-21587, a vulnerability in Oracle E-Business Suite. The exploits achieve remote code execution by uploading malicious JSP or Perl scripts via a file upload vulnerability in the BneUploaderService endpoint.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Oracle E-Business Suite (unspecified version)
No auth needed
Prerequisites: Network access to the target Oracle E-Business Suite instance · BneUploaderService endpoint accessible · slipit and uuencode tools installed
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 6 stars
by sahabrifki · remote
https://github.com/sahabrifki/CVE-2022-21587-Oracle-EBS-

This exploit targets CVE-2022-21587 in Oracle E-Business Suite, leveraging an unauthenticated file upload vulnerability to achieve remote code execution (RCE). The PoC uploads a malicious Perl script via a UUE-encoded ZIP file and triggers execution via a custom HTTP header.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Oracle E-Business Suite (unspecified version)
No auth needed
Prerequisites: Python 3 with requests, slipit, and uuencode installed · Network access to the target Oracle EBS instance
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 1 star
by rockmelodies · remote
https://github.com/rockmelodies/Oracle-E-BS-CVE-2022-21587-Exploit

This repository contains a functional exploit for CVE-2022-21587, targeting Oracle E-Business Suite (EBS) versions 12.2.3-12.2.11. The exploit leverages unauthenticated remote code execution via a malicious ZIP upload and CGI script execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Oracle E-Business Suite 12.2.3-12.2.11
No auth needed
Prerequisites: Network access to the target Oracle EBS instance · Vulnerable version of Oracle EBS (12.2.3-12.2.11)
devstral-2 · analyzed Feb 16, 2026

vulncheck_xdb WORKING POC
infoleak
https://github.com/anmolksachan/CVE-2022-21587

This repository contains a functional Python script that decrypts the admin password for JD Edwards EnterpriseOne Tools by exploiting CVE-2020-2733. The script fetches an encrypted string from a target URL or processes a provided string, then decrypts it using AES-CBC with hardcoded keys derived from the vulnerability's technical details.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: JD Edwards EnterpriseOne Tools 9.2
No auth needed
Prerequisites: Access to the target URL (http://JDEdwards:8999/manage/fileDownloader?sec=1) or an encrypted string
devstral-2 · analyzed Feb 25, 2026

metasploit WORKING POC EXCELLENT
by sf, HMs, l1k3beef · ruby · poc · linux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/oracle_ebs_rce_cve_2022_21587.rb

This Metasploit module exploits an unauthenticated arbitrary file upload vulnerability in Oracle E-Business Suite (EBS) versions 12.2.3 to 12.2.11. It uploads a malicious JSP file via a ZIP archive encoded with uuencode, then triggers execution to achieve remote code execution as the 'oracle' user.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Oracle E-Business Suite (EBS) 12.2.3 to 12.2.11
No auth needed
Prerequisites: Network access to the target Oracle EBS instance · Target running a vulnerable version of Oracle EBS
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Oracle E-Business Suite 12.2.3 -12.2.11 - Remote Code Execution
CRITICAL · by rootxharsh, iamnoooob, pdresearch, dogasantos, s4e-io
Shodan: http.title:"login" "x-oracle-dms-ecid" 200
FOFA: title="login" "x-oracle-dms-ecid" 200

Scores

CVSS v3 9.8
EPSS 0.9440
EPSS Percentile 100.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2023-02-02
VulnCheck KEV 2023-02-02
InTheWild.io 2023-02-02
ENISA EUVD EUVD-2022-26811
Ransomware Use Confirmed
CWE CWE-306
Status published
Products (1)
oracle/e-business_suite 12.2.3 - 12.2.11
Published Oct 18, 2022
KEV Added Feb 02, 2023
Tracked Since Feb 18, 2026