CVE REFERENCE | CRITICAL VULNERABILITY | ACTIVE THREAT

CVE-2020-14882: Oracle WebLogic Console Authentication Bypass and RCE Explained

A CVSS 9.8 authentication bypass in Oracle WebLogic Server's admin console, chained with CVE-2020-14883 for unauthenticated remote code execution. Nation-state actors and ransomware groups exploited the chain within days of Oracle's October 2020 Critical Patch Update.

CVSS score: 9.8 | Authentication required: none | Affected: 5 WebLogic versions | Time to exploitation: days

CVE-2020-14882 is a critical authentication bypass in the web-based administration console of Oracle WebLogic Server, one of the most widely deployed Java EE application servers in enterprise environments, particularly in financial services, healthcare, telecommunications, and government. Oracle patched it in the October 2020 Critical Patch Update alongside the companion CVE-2020-14883, which turns console access into code execution. Chained, the two give unauthenticated remote code execution in at most two HTTP requests, and public proofs of concept fold both into one.

Exploitation began within days of the October 2020 CPU release. Chinese nation-state actors were among the first to weaponize the chain for targeted initial access, and ransomware groups incorporated it into their toolkits. Within the first week of the advisory, automated exploitation frameworks were hitting every internet-accessible, unpatched WebLogic administration console they could find, so any such console should be presumed compromised.

The Two-CVE Chain: Authentication Bypass and Command Execution

WebLogic's administration console enforces authentication with a servlet filter that inspects the request path before the request reaches the console servlets, and it exempts static-resource paths such as /console/images/ so that the login page can render without a session. CVE-2020-14882 is a path normalization inconsistency between that filter and the routing layer behind it: the filter evaluates the path after the servlet container has URL-decoded it once, while the component that dispatches to console.portal decodes it again. A request for /console/images/%252E%252E%252Fconsole.portal therefore looks to the filter like a file under the exempt images directory (%252E%252E%252F decodes only to %2E%2E%2F on the first pass), but the second decode turns that segment into ../ and the normalized path resolves to /console/console.portal. The filter waves the request through and the console is served to an unauthenticated client.

With the console reachable, CVE-2020-14883 supplies code execution. The console.portal request handler accepts a handle parameter that names a Java class to instantiate from the console's classpath together with a string constructor argument. Two classes shipped with stock WebLogic are enough: com.tangosol.coherence.mvel2.sh.ShellSession evaluates an attacker-supplied expression, and com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext loads a Spring bean definition XML from an attacker-controlled URL, where a bean of class java.lang.ProcessBuilder runs an OS command. Either way the payload executes inside the WebLogic JVM with the privileges of the application server process, typically a dedicated service account that owns the domain directory and every deployed application. Because the handle parameter rides on the same console.portal request that the bypass path reaches, the whole chain fits in a single unauthenticated GET; two requests are the most it ever needs.
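The following model makes the filter/router mismatch concrete. It is an added example written for this page, not WebLogic source: the component names, the exempt prefixes, the login redirect string and the exact decode order are simplifications chosen to show the bug class. The vulnerable dispatcher decides authentication on the once-decoded path and then routes on a twice-decoded one; the hardened variant rejects anything still percent-encoded after one decode and makes the authentication decision on the same canonical path the router uses.

```python
import posixpath
from urllib.parse import unquote

# Static-asset prefixes the console serves without a session. Assumption for the model;
# the real exemption list lives inside the console web application.
UNAUTHENTICATED_PREFIXES = ("/console/images/", "/console/css/")
LOGIN_REDIRECT = "302 /console/login/LoginForm.jsp"


def container_path(raw_path: str) -> str:
    """Path as the servlet container hands it to filters: URL-decoded once, '..' collapsed."""
    return posixpath.normpath(unquote(raw_path))


def vulnerable_filter_allows(raw_path: str) -> bool:
    """Vulnerable filter: exempts static assets based on the container's once-decoded view."""
    return container_path(raw_path).startswith(UNAUTHENTICATED_PREFIXES)


def router_resolve(raw_path: str) -> str:
    """Routing layer in the model: decodes the path a second time before choosing a servlet."""
    return posixpath.normpath(unquote(container_path(raw_path)))


def hardened_filter_allows(raw_path: str):
    """Fixed filter: refuse anything still percent-encoded after one decode (double encoding),
    then decide on the same normalized path the router would use. None means reject."""
    once = unquote(raw_path)
    if "%" in once:
        return None
    return posixpath.normpath(once).startswith(UNAUTHENTICATED_PREFIXES)


def dispatch(raw_path: str, authenticated: bool, hardened: bool = False) -> str:
    """Describe the response the modeled console would send for one request."""
    if hardened:
        allowed = hardened_filter_allows(raw_path)
        if allowed is None:
            return "400 rejected double-encoded path"
    else:
        allowed = vulnerable_filter_allows(raw_path)
    if not authenticated and not allowed:
        return LOGIN_REDIRECT
    target = router_resolve(raw_path)
    if target == "/console/console.portal":
        return "200 console.portal"
    return "200 static " + target


if __name__ == "__main__":
    probe = "/console/images/%252E%252E%252Fconsole.portal"
    print("vulnerable:", dispatch(probe, authenticated=False))
    print("hardened:  ", dispatch(probe, authenticated=False, hardened=True))
```

Run it and the vulnerable dispatcher answers the unauthenticated double-encoded probe with the console, while the single-encoded form of the same path is collapsed by the container before the filter sees it and is correctly redirected to the login form; that asymmetry is why only the double-encoded variant worked against WebLogic.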

1. Identify internet-accessible WebLogic consoles

Scan for the administration console at /console/ on the admin server's listen port (7001 for HTTP and 7002 for HTTPS by default; the real ports are in the domain's config.xml). The login page at /console/login/LoginForm.jsp carries distinctive Oracle WebLogic branding. WebLogic instances in cloud environments are frequently internet-exposed.

2. Bypass authentication via double-encoded path traversal

Send an unauthenticated HTTP GET for a path that starts under an exempt static directory and climbs out of it with double-encoded traversal, for example /console/images/%252E%252E%252Fconsole.portal. The authentication filter treats the request as a static asset; the console servlet decodes the path a second time and serves the management interface.

3. Execute code via the CVE-2020-14883 handle parameter

On the same console.portal request (or a second one), supply a handle parameter naming a class on the console's classpath and a constructor argument that makes it run an OS command: an expression for com.tangosol.coherence.mvel2.sh.ShellSession that calls Runtime.exec(), or a URL for com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext pointing at attacker-hosted Spring bean XML that constructs a java.lang.ProcessBuilder. The command runs as the WebLogic process user.

4. Deploy a malicious application or web shell

Use the console's deployment function, or the code execution already obtained, to install a WAR containing a JSP web shell, establishing persistent HTTP-accessible command execution that no longer depends on the vulnerable request path.

5. Extract database credentials and pivot internally

Read the domain's JDBC data source configurations (config/jdbc/*-jdbc.xml), which hold connection URLs and passwords encrypted with a key kept in the domain's SerializedSystemIni.dat; the WebLogic process can read both, so code execution yields cleartext credentials. Use the server's internal network connectivity to enumerate and attack the connected database servers and other internal systems those credentials unlock.

Nation-State and Ransomware Exploitation

The Oracle WebLogic chain attracted immediate attention from sophisticated threat actors because of WebLogic's prevalence in high-value environments. Chinese APT groups, specifically those associated with financial-sector targeting, were identified exploiting CVE-2020-14882/14883 for initial access to enterprise Java application environments within a week of the CPU. Their pattern was targeted: they went after specific WebLogic deployments belonging to organizations of interest rather than mass-scanning every exposed instance.

Ransomware operators used the chain for opportunistic initial access — particularly in healthcare and financial services organizations where WebLogic hosts critical business applications. Post-exploitation typically involved credential harvesting from WebLogic data sources, lateral movement to connected databases and internal systems, and ransomware deployment across the environment. CISA added CVE-2020-14882 to its Known Exploited Vulnerabilities catalog, confirming ongoing active exploitation well after the patch was available.

Oracle strongly recommends that customers apply the October 2020 Critical Patch Update as soon as possible. This Critical Patch Update contains 402 new security patches across the product families.

Oracle October 2020 Critical Patch Update Advisory

Patching and Securing Oracle WebLogic Against CVE-2020-14882

Apply Oracle's October 2020 CPU immediately. Both CVE-2020-14882 and CVE-2020-14883 are in the same patch. The console should also be network-restricted as a defense-in-depth measure regardless of patch status.

Apply Oracle October 2020 Critical Patch Update

Download and apply the October 2020 CPU for your WebLogic version (10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, or 14.1.1.0.0); both CVE-2020-14882 and CVE-2020-14883 are addressed by it. Confirm the running version with java -cp wlserver/server/lib/weblogic.jar weblogic.version, and confirm the patch is actually installed with OPatch (opatch lsinventory from the Oracle home), since a downloaded but unapplied patch set changes nothing. Restart the admin server after patching; the console is served from that JVM.

Block console ports from untrusted networks

Apply firewall or network ACL rules so that the admin server's listen ports (7001 and 7002 by default; check the listen-port values in the domain's config.xml, since they are often changed) are unreachable from the internet and from general user networks. The admin console should be reachable only from a dedicated management VLAN via authorized admin workstations, and WebLogic's domain-wide administration port can be enabled so that console traffic is separated from application traffic entirely.

Audit deployed applications for unauthorized WAR files

Review the Deployments list in the WebLogic console against the authorized deployment inventory and investigate any application you do not recognize. Then check the sources behind the list rather than trusting it alone: each app-deployment entry in the domain's config.xml names the archive's source-path, and archives uploaded through the console land in the admin server's upload directory, so unexpected .war, .ear, or .jar files there, or anything in an autodeploy directory, may have been planted through the bypassed console.
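One way to automate that audit, as an added example rather than any Oracle tooling: parse the app-deployment elements out of config.xml, compare them with the deployment inventory, and flag archives that live in the console upload directory. The config.xml excerpt below is constructed for the example (the element names and namespace are what WebLogic writes; the application names and paths are invented), and the inventory and the on-disk archive listing are assumptions standing in for change-management records and an os.walk over the domain's deployment directories.

```python
import xml.etree.ElementTree as ET

# WebLogic domain configuration namespace used in config.xml.
NS = {"d": "http://xmlns.oracle.com/weblogic/domain"}

# Constructed config.xml excerpt in the domain schema. Application names and paths are invented.
SAMPLE_CONFIG_XML = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>base_domain</name>
  <app-deployment>
    <name>orders-api</name>
    <target>AdminServer</target>
    <module-type>war</module-type>
    <source-path>/u01/app/deploy/orders-api.war</source-path>
    <staging-mode>nostage</staging-mode>
  </app-deployment>
  <app-deployment>
    <name>cmd</name>
    <target>AdminServer</target>
    <module-type>war</module-type>
    <source-path>servers/AdminServer/upload/cmd.war</source-path>
    <staging-mode>stage</staging-mode>
  </app-deployment>
</domain>
"""

# Deployment inventory from change management (assumption: one approved application).
APPROVED_DEPLOYMENTS = {"orders-api"}

# Archives uploaded through the console land under the admin server's upload directory.
CONSOLE_UPLOAD_MARKER = "/upload/"
ARCHIVE_SUFFIXES = (".war", ".ear", ".jar")


def list_app_deployments(config_xml_text: str) -> list:
    """Extract every app-deployment element from config.xml as a plain dict."""
    root = ET.fromstring(config_xml_text)
    apps = []
    for app in root.findall("d:app-deployment", NS):
        apps.append({
            "name": app.findtext("d:name", default="", namespaces=NS),
            "target": app.findtext("d:target", default="", namespaces=NS),
            "module_type": app.findtext("d:module-type", default="", namespaces=NS),
            "source_path": app.findtext("d:source-path", default="", namespaces=NS),
        })
    return apps


def find_unauthorized_deployments(config_xml_text: str, approved: set) -> list:
    """Flag deployments missing from the inventory or uploaded through the console."""
    flagged = []
    for app in list_app_deployments(config_xml_text):
        reasons = []
        if app["name"] not in approved:
            reasons.append("not in deployment inventory")
        if CONSOLE_UPLOAD_MARKER in app["source_path"]:
            reasons.append("archive sits in the console upload directory")
        if reasons:
            flagged.append({**app, "reasons": reasons})
    return flagged


def unreferenced_archives(found_archives: list, apps: list) -> list:
    """Archives found on disk (scope the walk to deployment directories) that no
    app-deployment references: candidates for something dropped outside the console."""
    referenced = {a["source_path"] for a in apps}
    return [p for p in found_archives if p.endswith(ARCHIVE_SUFFIXES) and p not in referenced]


if __name__ == "__main__":
    deployments = list_app_deployments(SAMPLE_CONFIG_XML)
    for app in find_unauthorized_deployments(SAMPLE_CONFIG_XML, APPROVED_DEPLOYMENTS):
        print(f'{app["name"]} ({app["module_type"]}) at {app["source_path"]}: {", ".join(app["reasons"])}')
    # Constructed directory listing standing in for an os.walk of the domain.
    on_disk = ["/u01/app/deploy/orders-api.war", "servers/AdminServer/upload/cmd.war", "autodeploy/shell.war"]
    print("unreferenced:", unreferenced_archives(on_disk, deployments))
```

The inventory comparison catches applications that were registered through the console; the on-disk comparison catches the other case, an archive dropped into a deployment or autodeploy directory by the code-execution stage without ever appearing in config.xml.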

Review WebLogic access logs for exploitation patterns

Search WebLogic access logs for requests to /console/ paths that contain double-encoded traversal (%252E%252E or %252e%252e, usually followed by %252F) under an exempt static directory such as /console/images/ or /console/css/, particularly from external source addresses around and after late October 2020. A 200 response to such a request means the console was served without a login. A handle= parameter in the query string of those requests indicates the CVE-2020-14883 stage was attempted as well, where your access-log format records query strings.
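A detection pass over that log, as an added example and not a vendor signature: it parses lines in the Common Log Format WebLogic writes by default, decodes each /console/ request path twice, and flags the requests where only the second decode produces a parent-directory segment, which is the signature of the bypass. The sample lines are constructed (documentation address ranges, invented timestamps); the only assumption about the log itself is the CLF layout.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample lines in the Common Log Format WebLogic's access.log uses by default.
# Addresses come from documentation ranges; nothing here is a real capture.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [29/Oct/2020:03:14:02 +0000] "GET /console/images/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel=HomePage1 HTTP/1.1" 200 18422
203.0.113.7 - - [29/Oct/2020:03:14:05 +0000] "GET /console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=HomePage1 HTTP/1.1" 200 18422
198.51.100.23 - - [29/Oct/2020:08:00:11 +0000] "GET /console/images/logo.gif HTTP/1.1" 200 2140
10.20.30.40 - - [29/Oct/2020:09:30:45 +0000] "GET /console/console.portal?_nfpb=true&_pageLabel=HomePage1 HTTP/1.1" 200 18422
198.51.100.23 - - [29/Oct/2020:08:00:12 +0000] "GET /orders/index.jsp HTTP/1.1" 200 512
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)


def analyze_path(path: str) -> dict:
    """Decode a request path twice and report what each decoding round reveals."""
    once = unquote(path)
    twice = unquote(once)
    return {
        "double_encoded": once != twice,          # the second decode changed something
        "traversal": ".." in twice.split("/"),    # a '..' segment exists only after full decoding
        "resolved": posixpath.normpath(twice),    # where the routing layer ends up
    }


def find_console_bypass_attempts(log_text: str) -> list:
    """One record per request that climbs out of an exempt console path via double encoding."""
    hits = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        path = m.group("target").split("?", 1)[0]
        if not path.lower().startswith("/console/"):
            continue
        info = analyze_path(path)
        if info["double_encoded"] and info["traversal"]:
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("time"),
                "status": m.group("status"),
                "raw_path": path,
                "resolved": info["resolved"],
                "reaches_console": info["resolved"].endswith("/console.portal"),
            })
    return hits


if __name__ == "__main__":
    for hit in find_console_bypass_attempts(SAMPLE_ACCESS_LOG):
        print(f'{hit["time"]} {hit["ip"]} {hit["status"]} {hit["raw_path"]} -> {hit["resolved"]}')
```

Single-encoded traversal is deliberately not flagged: the container collapses it before the filter runs, so it is noise rather than a bypass. Treat a hit with status 200 and a resolved path of /console/console.portal as a successful bypass; a patched server does not serve the console on that path, so expect a redirect to the login form or an error status there instead.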

Rotate WebLogic data source credentials

Inspect the JDBC data source configurations under the domain's config/jdbc directory. The database passwords in those files are encrypted, but with a key stored in the domain's SerializedSystemIni.dat, which the WebLogic process can read, so anyone who obtained code execution through the chain could recover them in cleartext. If the console was reachable without authentication, assume these credentials were read and rotate every database password referenced by a WebLogic data source.

The bottom line

CVE-2020-14882 and CVE-2020-14883 together represent one of the most accessible unauthenticated RCE chains in enterprise Java infrastructure: one or two HTTP requests to full application server compromise. WebLogic's prevalence in high-value financial, healthcare, and government environments made it a priority target for both espionage actors and ransomware operators.

The broader lesson for Java EE environments: administration consoles are not applications. They are administrative interfaces with privileged system access and should be treated as such: isolated on dedicated management networks, never internet-accessible, and monitored for any access outside of authorized administrative activity. The authentication bypass mattered because the console was reachable from untrusted networks. Network restriction would have kept internet-based attackers out regardless of patch status, and patching closes the hole to whoever can still reach the port.

Frequently asked questions

What is CVE-2020-14882?

CVE-2020-14882 is a CVSS 9.8 authentication bypass in the Oracle WebLogic Server administration console. By appending double-encoded path traversal sequences to the console URL, an unauthenticated attacker bypasses WebLogic's authentication filter and accesses the console without credentials.

How is CVE-2020-14882 chained with CVE-2020-14883?

CVE-2020-14882 provides unauthenticated access to the console. CVE-2020-14883 (patched in the same October 2020 CPU) abuses the handle parameter of console.portal to instantiate an arbitrary class from the console's classpath, which public exploits use to run OS commands. Chained together, the bypass path and the handle parameter can travel in one GET request, or be split into a bypass request and a command request: full unauthenticated RCE in at most two requests.

Was CVE-2020-14882 exploited in the wild?

Yes, within days of Oracle's October 2020 CPU release. Nation-state actors attributed to Chinese cyber espionage operations exploited the chain for initial access. Ransomware groups incorporated it into toolkits. CISA added it to the Known Exploited Vulnerabilities catalog.

How do I patch CVE-2020-14882?

Apply Oracle's October 2020 Critical Patch Update (CPU) for WebLogic Server. Both CVE-2020-14882 and CVE-2020-14883 are addressed in the same CPU. After patching, restrict WebLogic console access to internal management networks via firewall rules blocking ports 7001 and 7002 from untrusted networks.

Does restricting internet access prevent exploitation?

Yes — the bypass requires network access to the WebLogic admin console port (7001 HTTP / 7002 HTTPS). Firewall rules blocking external access eliminate the remote attack surface. However, internal attackers who reach those ports can still exploit it, so patching is required alongside network restriction.

Sources & references

  1. NVD: CVE-2020-14882
  2. Oracle Critical Patch Update Advisory, October 2020
  3. CISA Known Exploited Vulnerabilities catalog
Author: Eric Bang, Founder & Cybersecurity Evangelist, Decryption Digest