A vulnerability patched one week ago by Oracle in its WebLogic Server product has already been targeted for exploitation.
The security hole, tracked as CVE-2020-14882 and classified as critical, was patched by Oracle with its October 2020 Critical Patch Update (CPU). The vulnerability can be exploited remotely and without authentication, allowing an attacker to execute arbitrary code.
The issue was reported to Oracle by a researcher at China-based Chaitin Security Research Lab. On Wednesday, a Vietnamese researcher named Jang published a blog post detailing CVE-2020-14882 (written in Vietnamese) and he showed how easily it can be exploited by sending a specially crafted request to the targeted server.
The SANS Technology Institute reported on Thursday that its honeypots have recorded attempts to exploit this WebLogic vulnerability. Johannes B. Ullrich, dean of research at SANS, said the exploitation attempts appeared to be based on the PoC made public by the Vietnamese researcher.
Ullrich said the attacks that hit SANS honeypots only checked if the system was vulnerable, but others reported seeing exploitation attempts that involved downloading an executable file from a remote server and running it.
The attacks seen by SANS came from four IP addresses assigned to organizations in China, the US and Moldova.
“At this point, we are seeing the scans slow down a bit. But they have reached ‘saturation’ meaning that all IPv4 addresses have been scanned for this vulnerability,” Ullrich said. “If you find a vulnerable server in your network: Assume it has been compromised.”
Oracle WebLogic Server vulnerabilities are often targeted by threat actors, including profit-driven cybercriminals and state-sponsored groups. Many of these vulnerabilities are exploited after they are patched, but hackers exploiting zero-days is not unheard of.
Shortly after the April 2020 CPU was released, Oracle warned customers that a critical WebLogic vulnerability, one that was disclosed to the vendor by multiple researchers, including Jang, had been exploited in the wild.
Related: Recently Patched Oracle WebLogic Flaw Exploited in the Wild
Related: Critical Oracle WebLogic Vulnerability Exploited in Attacks

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Exploitation of 55 Zero-Day Vulnerabilities Came to Light in 2022: Mandiant
- Organizations Notified of Remotely Exploitable Vulnerabilities in Aveva HMI, SCADA Products
- Waterfall Security, TXOne Networks Launch New OT Security Appliances
- Hitachi Energy Blames Data Breach on Zero-Day as Ransomware Gang Threatens Firm
- New York Man Arrested for Running BreachForums Cybercrime Website
- Exploitation of Recent Fortinet Zero-Day Linked to Chinese Cyberspies
- Mozilla Patches High-Severity Vulnerabilities With Release of Firefox 111
- Microsoft: 17 European Nations Targeted by Russia in 2023 as Espionage Ramping Up
Latest News
- Google Suspends Chinese Shopping App Amid Security Concerns
- Verosint Launches Account Fraud Detection and Prevention Platform
- Ransomware Gang Publishes Data Allegedly Stolen From Maritime Firm Royal Dirkzwager
- Zoom Paid Out $3.9 Million in Bug Bounties in 2022
- Oleria Scores $8M Seed Funding for ID Authentication Technology
- Exploitation of 55 Zero-Day Vulnerabilities Came to Light in 2022: Mandiant
- News Analysis: UK Commits $3 Billion to Support National Quantum Strategy
- Malicious NuGet Packages Used to Target .NET Developers
