Connect with us

Hi, what are you looking for?


Risk Management

Oracle Issues Out-of-Band Update for Critical Vulnerability Exploited in Attacks

Oracle Warns of Critical WebLogic Flaw Exploited in Attacks

Oracle has released an out-of-band security alert for a critical remote code execution vulnerability affecting WebLogic Server.

Oracle Warns of Critical WebLogic Flaw Exploited in Attacks

Oracle has released an out-of-band security alert for a critical remote code execution vulnerability affecting WebLogic Server.

Tracked as CVE-2020-14750 and featuring a CVSS score of 9.8, the security flaw is related to CVE-2020-14882, a WebLogic Server bug addressed in the October 2020 Critical Patch Update (CPU) and which was deemed to be very easy to exploit.

In fact, attacks targeting CVE-2020-14882 were observed last week, soon after a Vietnamese researcher published proof-of-concept code.

CVE-2020-14750 has been assigned after researchers noticed that the patch for CVE-2020-14882 can be easily bypassed.

“This Security Alert addresses CVE-2020-14750, a remote code execution vulnerability in Oracle WebLogic Server. […] It is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password,” Oracle notes in its advisory.

Impacting supported WebLogic Server versions,,, and, the bug can be exploited by an attacker that has HTTP access to the network.

Advertisement. Scroll to continue reading.

Successful exploitation of the flaw could lead to takeover of Oracle WebLogic, an advisory published by the MITRE Corporation reads.

“The vulnerability exists due to improper input validation. A remote attacker can send a specially crafted request and execute arbitrary code on the target system. Successful exploitation of this vulnerability may result in complete compromise of vulnerable system,” Czech vulnerability intelligence company Cybersecurity Help says.

In its advisory, Oracle credited 20 researchers/organizations for reporting the vulnerability. The company recommends that customers apply the available patches as soon as possible, after installing the October 2020 CPU.

The company has refrained from sharing further details on the vulnerability, but warns that exploit code targeting it is already available online.

“Due to the severity of this vulnerability and the publication of exploit code on various sites, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible,” Oracle notes.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) too has published an alert urging administrators to apply the necessary updates.

Related: Oracle WebLogic Vulnerability Targeted One Week After Patching

Related: Recently Patched Oracle WebLogic Flaw Exploited in the Wild

Related: Critical Oracle WebLogic Vulnerability Exploited in Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...