Cyber Resilience

CVE-2020-14750

CriticalCISA KEVActive ExploitationEUVD ExploitedPublic PoC

Published: 02 November 2020

Published
02 November 2020
Modified
27 October 2025
KEV Added
03 November 2021
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.9444 100.0th percentile
Risk Priority 96 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2020-14750 is a critical-severity an unspecified weakness vulnerability in Oracle Weblogic Server. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

CVE-2020-14750 is a vulnerability in the Console component of Oracle WebLogic Server within Oracle Fusion Middleware. It affects supported versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0. The flaw is rated with a CVSS 3.1 base score of 9.8 and permits remote compromise of the server.

An unauthenticated attacker with network access via HTTP can exploit the issue due to its low attack complexity and lack of required privileges or user interaction. Successful exploitation results in full takeover of the Oracle WebLogic Server, impacting confidentiality, integrity, and availability.

Oracle's security alert provides patch information and remediation guidance for affected versions, while the vulnerability appears in CISA's catalog of known exploited vulnerabilities. Public exploit code demonstrating remote code execution against the Administration Console has also been published.

EU & UK References

Vulnerability details

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic…

more

Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

CWE(s)
KEV Date Added
03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

oracle
weblogic server
10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces access control policy on the WebLogic Console so that unauthenticated network requests cannot reach management functions that lead to server takeover.

prevent

Requires identification and authentication of all users before granting access to the Console, eliminating the unauthenticated attack vector described in CVE-2020-14750.

prevent

Restricts network access to the Console component from untrusted zones, reducing the exposure that allows remote unauthenticated exploitation over HTTP.

References