Cyber Resilience

CVE-2020-14883

HighCISA KEVActive ExploitationEUVD ExploitedPublic PoC

Published: 21 October 2020

Published
21 October 2020
Modified
27 October 2025
KEV Added
03 November 2021
Patch
CVSS Score v3.1 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.9444 100.0th percentile
Risk Priority 91 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2020-14883 is a high-severity an unspecified weakness vulnerability in Oracle Weblogic Server. Its CVSS base score is 7.2 (High).

Operationally, ranked in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2020-14883 is a vulnerability in the Console component of Oracle WebLogic Server within Oracle Fusion Middleware. It affects supported versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0. The flaw carries a CVSS 3.1 base score of 7.2 with the vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, indicating high impacts to confidentiality, integrity, and availability.

A high-privileged attacker with network access via HTTP can exploit the issue to achieve full takeover of the Oracle WebLogic Server instance. The vulnerability is described as easily exploitable under these conditions.

Oracle's October 2020 Critical Patch Update addresses the flaw, and the references include public exploit code demonstrating remote code execution via the administration console. The vulnerability also appears in CISA's catalog of known exploited vulnerabilities, confirming observed real-world use.

EU & UK References

Vulnerability details

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle…

more

WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

CWE(s)
KEV Date Added
03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

oracle
weblogic server
10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely application of the October 2020 Critical Patch Update that eliminates the WebLogic Console remote-takeover flaw.

prevent

Enforces boundary protection rules that can deny HTTP access to the administration console from untrusted networks, blocking the attack vector.

prevent

Limits the number and scope of high-privileged accounts permitted to reach the Console, reducing the population that can exploit CVE-2020-14883.

References