CVE-2020-14882: Oracle WebLogic Console Authentication Bypass and RCE Explained
A CVSS 9.8 authentication bypass in Oracle WebLogic Server's admin console, chained with CVE-2020-14883 for unauthenticated remote code execution. Nation-state actors and ransomware groups exploited the chain within days of Oracle's October 2020 Critical Patch Update.

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
CVE-2020-14882 is a critical authentication bypass vulnerability in the Oracle WebLogic Server web-based administration console. Oracle WebLogic Server is one of the most widely deployed Java EE application servers in enterprise environments, particularly in financial services, healthcare, telecommunications, and government sectors. The vulnerability was patched in Oracle's October 2020 Critical Patch Update alongside companion CVE-2020-14883, which enables code execution through the bypassed console. Together they form a two-request unauthenticated RCE chain.
Exploitation began within days of the October 2020 CPU release. Chinese nation-state actors were among the first to weaponize the chain for targeted initial access. Ransomware groups incorporated it into their toolkits. Any internet-accessible WebLogic administration console running unpatched versions was compromised by automated exploitation frameworks within the first week of the advisory.
The Two-CVE Chain: Authentication Bypass and Command Execution
WebLogic's administration console authentication is enforced through a Java EE filter chain that intercepts requests and validates credentials before routing them to console servlets. CVE-2020-14882 exploits a path normalization inconsistency: the authentication filter evaluates the URL path using one normalization method, while the servlet routing layer uses another. By appending specific path components with double-encoded characters, such as %252E%252E (which decodes to %2E%2E, then to ..), the filter fails to recognize the path as requiring authentication, while the servlet still processes and serves the console.
With the console accessible via CVE-2020-14882, CVE-2020-14883 provides code execution. A POST request to a WebLogic console configuration endpoint accepts a specially crafted XML payload that references a Java class capable of executing OS commands. The payload executes in the WebLogic server's JVM with the privileges of the application server process, typically a dedicated Oracle system account with extensive filesystem permissions. The combined chain: one unauthenticated GET to bypass the filter, one POST to execute arbitrary commands.
Identify internet-accessible WebLogic consoles
Scan for Oracle WebLogic Server administration consoles on ports 7001 (HTTP) or 7002 (HTTPS). The console login page is distinctive with Oracle WebLogic branding. WebLogic instances in cloud environments are frequently internet-exposed.
Bypass authentication via double-encoded path traversal
Send an unauthenticated HTTP GET request to the console URL with double-encoded path traversal sequences (%252E%252E/console.portal). The authentication filter skips the request; the console servlet serves the management interface.
Execute code via CVE-2020-14883 console endpoint
Send a POST request to the WebLogic console's server configuration endpoint with a crafted XML payload referencing a Java class that invokes Runtime.exec() or ProcessBuilder to execute an OS command as the WebLogic process user.
Deploy malicious application or web shell
Use the WebLogic console's deployment functionality to upload a malicious WAR file containing a JSP web shell, establishing persistent HTTP-accessible command execution.
Extract database credentials and pivot internally
Access WebLogic data source configurations containing plaintext database connection strings and credentials. Use the server's internal network connectivity to enumerate and attack connected database servers and internal systems.
Nation-State and Ransomware Exploitation
The Oracle WebLogic chain attracted immediate attention from sophisticated threat actors because of WebLogic's prevalence in high-value environments. Chinese APT groups, specifically those associated with financial sector targeting, were identified exploiting CVE-2020-14882/14883 for initial access to enterprise Java application environments within a week of the CPU. The exploitation pattern was targeted: actors identified specific WebLogic deployments belonging to organizations of interest rather than mass-scanning all exposed instances.
Ransomware operators used the chain for opportunistic initial access, particularly in healthcare and financial services organizations where WebLogic hosts critical business applications. Post-exploitation typically involved credential harvesting from WebLogic data sources, lateral movement to connected databases and internal systems, and ransomware deployment across the environment. CISA added CVE-2020-14882 to its Known Exploited Vulnerabilities catalog, confirming ongoing active exploitation well after the patch was available.
“Oracle strongly recommends that customers apply the October 2020 Critical Patch Update as soon as possible. This Critical Patch Update contains 402 new security patches across the product families.”
Oracle October 2020 Critical Patch Update Advisory
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Patching and Securing Oracle WebLogic Against CVE-2020-14882
Apply Oracle's October 2020 CPU immediately. Both CVE-2020-14882 and CVE-2020-14883 are in the same patch. The console should also be network-restricted as a defense-in-depth measure regardless of patch status.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
The bottom line
CVE-2020-14882 and CVE-2020-14883 together represent one of the most accessible unauthenticated RCE chains in enterprise Java infrastructure, two HTTP requests to full application server compromise. WebLogic's prevalence in high-value financial, healthcare, and government environments made it a priority target for both espionage actors and ransomware operators.
The broader lesson for Java EE environments: administration consoles are not applications. They are administrative interfaces with privileged system access and should be treated as such, isolated on dedicated management networks, never internet-accessible, and monitored for any access outside of authorized administrative activity. The authentication bypass worked because the console was reachable from untrusted networks. Network restriction would have prevented exploitation regardless of the patch status.
This analysis is generic — the platform version scores threats like this against your own stack.
Frequently asked questions
What is CVE-2020-14882?
CVE-2020-14882 is a CVSS 9.8 authentication bypass in the Oracle WebLogic Server administration console. By appending double-encoded path traversal sequences to the console URL, an unauthenticated attacker bypasses WebLogic's authentication filter and accesses the console without credentials.
How is CVE-2020-14882 chained with CVE-2020-14883?
CVE-2020-14882 provides unauthenticated access to the console. CVE-2020-14883 (also patched in the October 2020 CPU) exploits a console endpoint to execute arbitrary Java code. Chained together: one GET request to bypass authentication, one POST request to execute OS commands, full unauthenticated RCE.
Was CVE-2020-14882 exploited in the wild?
Yes, within days of Oracle's October 2020 CPU release. Nation-state actors attributed to Chinese cyber espionage operations exploited the chain for initial access. Ransomware groups incorporated it into toolkits. CISA added it to the Known Exploited Vulnerabilities catalog.
How do I patch CVE-2020-14882?
Apply Oracle's October 2020 Critical Patch Update (CPU) for WebLogic Server. Both CVE-2020-14882 and CVE-2020-14883 are addressed in the same CPU. After patching, restrict WebLogic console access to internal management networks via firewall rules blocking ports 7001 and 7002 from untrusted networks.
Does restricting internet access prevent exploitation?
Yes, the bypass requires network access to the WebLogic admin console port (7001 HTTP / 7002 HTTPS). Firewall rules blocking external access eliminate the remote attack surface. However, internal attackers who reach those ports can still exploit it, so patching is required alongside network restriction.
What are the indicators of compromise for CVE-2020-14882 exploitation?
Check weblogic/logs/access.log for GET requests containing %252E or double-encoded path segments targeting /console/ or /console/css/ paths, which reveal bypass attempts. Look for unexpected Java child processes spawned by the WebLogic server process, new files in the domain tmp/ or config/ directories, unfamiliar deployed WAR or JAR files, outbound connections from the WebLogic host to unusual IPs, and new cron entries or scheduled tasks. Nation-state actors commonly deployed JSP webshells and custom backdoors through the exploited console.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
