
CVE-2020-14882

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 21 October 2020
Modified: 27 October 2025
KEV Added: 03 November 2021
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9445 (100.0th percentile)
Risk Priority: 96 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-14882 is a critical-severity vulnerability (weakness type unspecified) in Oracle WebLogic Server. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2020-14882 is an easily exploitable vulnerability in the Console component of Oracle WebLogic Server versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0. It resides in the Oracle Fusion Middleware product line and carries a CVSS 3.1 base score of 9.8 with full impacts to confidentiality, integrity, and availability.

An unauthenticated attacker with network access via HTTP can exploit the flaw to achieve remote takeover of the WebLogic Server instance. The attack requires no user interaction or credentials and can be launched directly over the network.

The Oracle Critical Patch Update for October 2020 addresses the issue for the listed versions. Public exploit code demonstrating remote code execution against multiple affected releases has been published on PacketStorm.

EU & UK References

Vulnerability details

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

CWE(s)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: Oracle
Product: WebLogic Server
Versions: 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0

Mitigating Controls (NIST 800-53 r5)

Prevent (AC-3, Access Enforcement): Directly enforces access-control policy on the WebLogic Console, blocking the unauthenticated HTTP requests that lead to server takeover.

Prevent (SI-2, Flaw Remediation): Requires timely application of the October 2020 Critical Patch Update that eliminates the unauthenticated RCE flaw in the listed WebLogic versions.

Prevent: Boundary-protection mechanisms can restrict or deny network access to the Console endpoint before an unauthenticated attacker can reach the vulnerable component.

References