CVE-2023-21931

HIGH

Oracle Weblogic PreAuth Remote Command Execution via ForeignOpaqueReference IIOP Deserialization

Title source: metasploit

Exploitation Summary

EIP tracks 2 public exploits for CVE-2023-21931. PoCs published by TimeSHU, 4ra1n, 14m3ta7k, Grant Willcox, including Metasploit module exploits/multi/iiop/cve_2023_21839_weblogic_rce.

AI-analyzed exploit summary This repository provides a writeup and references for CVE-2023-21931, a vulnerability in Oracle WebLogic. It includes links to an analysis article and a JNDI exploitation tool but lacks actual exploit code.

Description

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Exploits (2)

nomisec WRITEUP

by TimeSHU · poc

https://github.com/TimeSHU/weblogic_CVE-2023-21931_POC-EXP

View Code ZIP pw:eip

This repository provides a writeup and references for CVE-2023-21931, a vulnerability in Oracle WebLogic. It includes links to an analysis article and a JNDI exploitation tool but lacks actual exploit code.

Classification

Writeup 80%

Attack Type

Deserialization

Complexity

Moderate

Reliability

Theoretical

Target: Oracle WebLogic Server

No auth needed

Prerequisites: Access to vulnerable WebLogic instance · JNDI exploitation tool

MITRE ATT&CK

T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by 4ra1n, 14m3ta7k, Grant Willcox · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/iiop/cve_2023_21839_weblogic_rce.rb

View Code ZIP pw:eip

This Metasploit module exploits CVE-2023-21839, an unauthenticated remote code execution vulnerability in Oracle WebLogic via IIOP deserialization of a ForeignOpaqueReference object. It leverages JNDI injection to trigger a remote class load, achieving RCE as the 'oracle' user.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Oracle WebLogic 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0

No auth needed

Prerequisites: Network access to WebLogic server on port 7001 · LDAP and HTTP servers controlled by attacker

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Mar 05, 2026 Full analysis →

References (2)

Core 2

Core References

Exploit, Third Party Advisory

http://packetstormsecurity.com/files/172882/Oracle-Weblogic-PreAuth-Remote-Command-Execution.html

Patch, Vendor Advisory vendor-advisory

https://www.oracle.com/security-alerts/cpuapr2023.html

Scores

CVSS v3 7.5

EPSS 0.8360

EPSS Percentile 99.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-306

Status published

Products (3)

oracle/weblogic_server 12.2.1.3.0

oracle/weblogic_server 12.2.1.4.0

oracle/weblogic_server 14.1.1.0.0

Published Apr 18, 2023

Tracked Since Feb 18, 2026