PATCH NOW: CVE-2020-14882 WebLogic Actively Exploited Against Honeypots (Thu, Oct 29th)

Just about a week ago, as part of a massive quarterly "Critical Patch Update" (aka "CPU"), Oracle patched CVE-2020-14882 in WebLogic. Oracle at the time assigned it a CVSS score of 9.8. We are now seeing active exploitation of the vulnerability against our honeypots, following the publication of PoC exploits.

Vulnerable WebLogic Versions:,,, and

Exploiting the vulnerability is trivial. For example, these are the exploit requests we are currently seeing:

[The honeypot's IP has been replaced with AAA.BBB.CCC.DDD. Spaces were added to allow for line breaks.]

GET /console/images/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel=HomePage1&handle= %22java.lang.Runtime.getRuntime().exec(%27cmd /c

GET /console/images/%252e%252e%252fconsole.portal?_nfpb=false&_pageLabel=& "java.lang.Runtime.getRuntime().exec( '')

GET /console/images/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel=HomePage1& %22java.lang.Runtime.getRuntime().exec(;%22);

GET /console/images/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel=HomePage1&handle=java.lang.String("test")

These exploit attempts are, right now, only verifying whether the system is vulnerable. Our honeypots (so far) do not return the "correct" response, and we have not yet seen any follow-up requests.
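As an added example (not code from the diary, SANS, or Oracle), the following Python detector applies the pattern seen above to web-server request lines: it repeatedly percent-decodes the path so that %252E%252E%252F becomes ../, flags requests that enter through the unauthenticated /console/images/ directory and traverse back to console.portal, and separates bare vulnerability probes from requests whose handle parameter carries a Runtime.exec payload. The sample request lines are constructed for the example and modelled on the honeypot entries.

```python
import re
import posixpath
from urllib.parse import unquote

# Constructed sample request lines modelled on the honeypot entries above;
# the last two are benign console traffic for contrast.
SAMPLE_REQUESTS = [
    "GET /console/images/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel=HomePage1"
    "&handle=%22java.lang.Runtime.getRuntime().exec(%27cmd%20/c%27)%22 HTTP/1.1",
    "GET /console/images/%252e%252e%252fconsole.portal?_nfpb=false&_pageLabel="
    "&handle=java.lang.String(\"test\") HTTP/1.1",
    "GET /console/images/logo.gif HTTP/1.1",
    "GET /console/console.portal?_nfpb=true&_pageLabel=HomePage1 HTTP/1.1",
]

def fully_decode(s, max_rounds=3):
    """Percent-decode until stable: %252E -> %2E -> '.' takes two rounds."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def classify_request(line):
    """Return None for benign lines, else a finding for CVE-2020-14882-style traffic."""
    parts = line.split()
    if len(parts) < 2:
        return None
    method, target = parts[0], parts[1]
    raw_path, _, raw_query = target.partition("?")
    path = fully_decode(raw_path)
    query = fully_decode(raw_query)
    # Pre-auth trigger: enter via the unauthenticated /console/images/ static
    # path, then traverse back up so the request resolves to console.portal.
    resolved = posixpath.normpath(path)
    if not (path.lower().startswith("/console/images/")
            and ".." in path.split("/")
            and resolved.lower().endswith("console.portal")):
        return None
    finding = {"method": method, "resolved_path": resolved, "stage": "probe"}
    # The handle parameter carries a Java expression the server evaluates;
    # Runtime.exec marks the step from vulnerability check to command execution.
    if re.search(r"java\.lang\.Runtime", query, re.I) or ".exec(" in query:
        finding["stage"] = "command_execution"
    return finding

def scan(lines):
    return [f for f in (classify_request(l) for l in lines) if f]
```

Feed it the request field of your access log; a "probe" hit on a patched host is still worth recording, since the same sources returned with command payloads once a target answered correctly.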

Currently, exploit attempts originate from these 4 IP addresses:

    First IP seen, around noon UTC Oct 18th.
    Attempting to ping [some id].
    Address assigned to China Unicom.

    Attempting to ping [victim ip].
    Address assigned to Linode (USA).

    At this point, the most prolific scanner. Attempting to execute "cmd /c" ?
    Address assigned to MivoCloud (Moldova).

    Pinging [some ID].
    Address assigned to Datacamp Ltd (Hong Kong).

I am in the process of notifying the ISPs.

Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS Internet Storm Center.