Privacy Ninja

Critical Oracle WebLogic Flaw Actively Targeted In Attacks

Critical Oracle WebLogic Flaw Actively Targeted In Attacks

Threat actors have started to hunt for servers running Oracle WebLogic instances vulnerable to a critical flaw that allows taking control of the system with little effort and no authentication.

The vulnerability leveraged in the attacks is CVE-2020-14882 with a severity rating 9.8 out of 10 that allows compromising systems via a simple HTTP GET request.

Looking for targets

Oracle fixed the vulnerability in this month’s release of Critical Patch Update (CPU), crediting security researcher Voidfyoo of Chaitin Security Research Lab for finding and reporting it.

Honeypots set up by the SANS Technology Institute caught the attacks shortly after exploit code for CVE-2020-14882 emerged in the public space. Vulnerable versions of Oracle WebLogic Server are,,, and

Also Read: The PDPA Data Breach August 2020: A Recap of 8 Alarming Cases

In an advisory today, Johannes Ullrich, Dean of Research at SANS, says that exploit attempts on the honeypots came from the following IP addresses:

  • – assigned to China Unicom
  • – assigned to Linode (U.S.A.)
  • – assigned to MivoCloud (Moldova)
  • – assigned to DataCamp Ltd (Hong Kong)

Most of them are just pinging targets but the one from MivoCloud attempts to execute the “cmd /c” command, which runs the command specified in the string and then terminates.

SANS Institute is in the process of alerting the corresponding internet service providers of the offensive activity from the IP addresses above.

Ullrich says that the exploit attempts recorded by the honeypots just check if the system is vulnerable. SANS cannot provide details for the follow-up requests because the trap systems are configured not to reply with a correct response.

According to Ullrich, the exploit used in these attacks seems to be based on the technical details in a blog post (Vietnamese) published yesterday by security researcher Jang.

A search on Spyse engine for scanning and collecting reconnaissance information from exposed assets shows that there are more than 3,000 Oracle WebLogic servers reachable over the public internet and potentially vulnerable to CVE-2020-14882.

Also Read: Thinking of Shredding or Burning Paper? Here’s What You Should Know

source: Spyes

The attacks observed by SANS come a little over a week after Oracle released a patch for CVE-2020-14882. This should come as no surprise, though, considering how trivial it is to exploit, its critical severity, and that exploit code is publicly available. Applying the patch is currently the best solution to protect against these attacks.

Outsourced DPO – It is mandatory to appoint a Data Protection Officer. Engage us today.

PDPA Training (SkillsFuture Eligible) – Empower data protection knowledge for your employees.

Vulnerability Assessment Penetration Testing – Find loopholes in your websites, mobile apps or systems.


Leave a Reply

Your email address will not be published. Required fields are marked *


Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.

Powered by WhatsApp Chat

× Chat with us on WhatsApp