CVE-2020-14750 — Oracle WebLogic Server Remote Code Execution Vulnerability

Oracle WebLogic — Unauthenticated RCE via Console Authentication Bypass; Emergency Patch for Incomplete Fix of CVE-2020-14882, Mass-Exploited Within Days of Disclosure

What is Oracle WebLogic's Admin Console?

Oracle WebLogic Server's Administration Console is a web-based management interface for configuring and monitoring WebLogic domains, deploying applications, and managing server clusters. By default, the console runs on port 7001 (HTTP) or 7002 (HTTPS) and is accessible at /console/. The console is intended for administrators only and should never be internet-accessible. Authentication bypass vulnerabilities in the WebLogic console are particularly severe because the console allows deploying arbitrary WAR/EAR files and executing server-side scripts — direct routes to Java code execution on the server. The October 2020 WebLogic console vulnerabilities (CVE-2020-14882 and its bypass variants) became one of the most widely exploited enterprise Java vulnerabilities of 2020.

Overview

CVE-2020-14750 is an Oracle WebLogic Server remote code execution vulnerability related to the WebLogic console authentication bypass (CVE-2020-14882). Oracle's October 2020 CPU patch for CVE-2020-14882 was found to be insufficient — researchers demonstrated that the path traversal technique used to bypass console authentication could be adapted to circumvent the fix. Oracle released an emergency out-of-band Security Alert on November 1-2, 2020 to address CVE-2020-14750, the bypass of the incomplete fix. Both CVE-2020-14882 and CVE-2020-14750 together represent a critical unauthenticated code execution chain in Oracle WebLogic console.

Affected Versions

Product                               Vulnerable   Fixed
Oracle WebLogic Server 10.3.6.0.0     Yes          Apply CVE-2020-14750 emergency patch
Oracle WebLogic Server 12.1.3.0.0     Yes          Apply CVE-2020-14750 emergency patch
Oracle WebLogic Server 12.2.1.3.0     Yes          Apply CVE-2020-14750 emergency patch
Oracle WebLogic Server 12.2.1.4.0     Yes          Apply CVE-2020-14750 emergency patch
Oracle WebLogic Server 14.1.1.0.0     Yes          Apply CVE-2020-14750 emergency patch

Technical Details

  • Root cause: Authentication bypass via URL path manipulation in the WebLogic console. The console's authentication check evaluates whether a request path requires authentication; URL encoding (double encoding: %252E%252E for ..) or specific path constructions bypass that check while the underlying console servlet still processes the request. The incomplete CVE-2020-14882 fix corrected one bypass pattern but not all; CVE-2020-14750 addresses the remaining bypass vectors
  • Console access → code execution: Once authentication is bypassed, the WebLogic console allows deploying Java applications (WAR/EAR files) — the standard post-exploitation technique for WebLogic console access; alternatively, CVE-2020-14883 (the companion post-exploitation CVE) allows executing Java code through the console's server monitoring pages without requiring file deployment
  • No authentication, no interaction: PR:N/UI:N — any attacker with network access to port 7001 or 7002 can achieve code execution without credentials or victim interaction
  • Mass exploitation timeline: CVE-2020-14882 was mass-exploited within 48 hours of the October 2020 CPU disclosure; CVE-2020-14750 was exploited immediately after Oracle's emergency patch announcement — threat actors adapted the bypass technique faster than organizations could patch
  • WebLogic internet exposure: Thousands of Oracle WebLogic servers are internet-accessible on ports 7001/7002; Shodan and Censys routinely index them; any unpatched, internet-facing WebLogic instance running the affected versions was exploited during this period

Discovery

The patch bypass (CVE-2020-14750) was identified by security researchers within two weeks of Oracle's October 2020 CPU. Oracle released its emergency Security Alert on November 1, 2020, recommending immediate patching. CISA issued guidance for both CVE-2020-14882 and CVE-2020-14750, urging emergency patching of internet-accessible WebLogic servers.

Exploitation Context

The October-November 2020 Oracle WebLogic console vulnerabilities (CVE-2020-14882 + CVE-2020-14883 + CVE-2020-14750) were among the most widely exploited enterprise software vulnerabilities of 2020. Within days of disclosure, multiple ransomware operators, cryptomining groups, and APT actors weaponized working PoCs. WebLogic's prevalence in financial services, retail, and government Java application infrastructures made it a high-value target. Internet-exposed WebLogic admin consoles — which should never be publicly accessible — were the primary attack surface, and any organization that had not patched and isolated WebLogic consoles was compromised during this period.

Remediation

  1. Apply Oracle's CVE-2020-14750 Emergency Security Alert patch (November 2020) for all affected WebLogic versions — this supersedes the October 2020 CPU patch for CVE-2020-14882
  2. Immediately block external access to WebLogic admin console ports 7001/7002 — the console must never be internet-accessible; firewall these ports to authorized administrator hosts only
  3. Deploy WebLogic's com.bea.security.allowedAuthentications connection filter or equivalent to restrict administrative access to specific IP ranges
  4. Investigate for compromise: scan WebLogic server directories for unexpected WAR/EAR deployments, review application deployment logs, and check for new administrative user accounts
  5. Monitor WebLogic access logs for path traversal patterns (%252E, %25252E, %2F..%2F) indicating exploitation attempts
  6. Apply Oracle's April 2020 and July 2020 (and later) CPU patches in addition to the emergency patch to address all known WebLogic vulnerabilities; plan for regular Oracle CPU application
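Added example (not part of the original advisory) that ties the double-encoding bypass described under Technical Details to the log monitoring in step 5: it percent-decodes each request path until it stops changing, resolves it the way a servlet container would, and flags console requests whose traversal only becomes visible after decoding or that use the %2F..%2F form. The access-log lines, IP addresses and the /console/admin.jsp target are constructed for illustration, not taken from any real server.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format), not from any real server: a
# legitimate console login, three encoded traversals reaching a console page, one app hit.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Nov/2020:10:15:01 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 4512
198.51.100.7 - - [02/Nov/2020:10:15:09 +0000] "GET /console/css/%252e%252e/admin.jsp HTTP/1.1" 200 1024
198.51.100.7 - - [02/Nov/2020:10:16:22 +0000] "GET /console/images/%25252E%25252E%252Fadmin.jsp HTTP/1.1" 200 1024
203.0.113.4 - - [02/Nov/2020:10:18:03 +0000] "GET /console/css/%2F..%2Fadmin.jsp HTTP/1.1" 200 1024
10.0.0.9 - - [02/Nov/2020:10:19:40 +0000] "GET /myapp/index.jsp HTTP/1.1" 200 300
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def fully_decode(path, max_rounds=5):
    """Percent-decode until the string stops changing; return (decoded, rounds used)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds

def analyze_request(path):
    """Compare the raw path (what a prefix-based auth check sees) with the path the
    servlet actually resolves after decoding and collapsing '..' segments."""
    decoded, rounds = fully_decode(path)
    resolved = posixpath.normpath(decoded)
    reasons = []
    if rounds >= 2:
        reasons.append(f"percent-encoding applied {rounds} times")
    if ".." in decoded and ".." not in path:
        reasons.append("traversal segment only visible after decoding")
    if re.search(r"%2F\.\.%2F", path, re.IGNORECASE):
        reasons.append("encoded-slash traversal (%2F..%2F)")
    return {"raw": path, "resolved": resolved, "reasons": reasons}

def scan_log(text):
    """One finding per line whose encoded path resolves into /console/ despite the tricks."""
    findings = []
    for line in text.splitlines():
        if m := LOG_RE.match(line):
            info = analyze_request(m["path"])
            if info["reasons"] and info["resolved"].startswith("/console/"):
                info.update(ip=m["ip"], status=m["status"])
                findings.append(info)
    return findings
```

Run `scan_log` over a real access log export to get one record per suspicious request, including the source IP and the page the request actually resolved to; a 200 status on a flagged line is the case worth investigating first.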

Key Details

Property              Value
CVE ID                CVE-2020-14750
Vendor / Product      Oracle — WebLogic Server
NVD Published         2020-11-02
NVD Last Modified     2025-10-27
CVSS 3.1 Score        9.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              CRITICAL
CISA KEV Added        2021-11-03
CISA KEV Deadline     2022-05-03
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2022-05-03. Apply updates per vendor instructions.

Timeline

Date        Event
2020-10-20  Oracle October 2020 CPU patches CVE-2020-14882 (WebLogic console auth bypass); mass exploitation begins within 48 hours
2020-11-01  Researchers demonstrate that the October 2020 CPU patch for CVE-2020-14882 is bypassable
2020-11-02  Oracle releases emergency out-of-band Security Alert for CVE-2020-14750 to address the bypass of the CVE-2020-14882 fix
2021-11-03  Added to CISA Known Exploited Vulnerabilities catalog
2022-05-03  CISA BOD 22-01 remediation deadline

References

Resource                                  Type
Oracle Security Alert — CVE-2020-14750    Vendor Advisory
NVD — CVE-2020-14750                      Vulnerability Database
CISA KEV Catalog Entry                    US Government