Oracle WebLogic Server Unauthenticated Remote Code Execution Vulnerability (CVE-2020-14750)


Recently, Oracle released its critical October update to patch CVE-2020-14882. Oracle has since observed that attackers can bypass this patch, exposing an unauthenticated Remote Code Execution (RCE) vulnerability in WebLogic Server (CVE-2020-14750).

As per CVE-2020-14750, unauthorized attackers can continue to bypass the WebLogic console (backend) login restrictions and take control of the server even after WebLogic is patched for CVE-2020-14882. Though there are no publicly available PoCs for CVE-2020-14750 yet, it is believed that it can be exploited in a manner similar to CVE-2020-14882: that is, the vulnerability can be exploited by replacing %252E%252E with %252e%252e in the request.

The patch can be bypassed simply by changing the case of a character in the request, because the fix matches the encoded string case-sensitively.

[Image: request demonstrating the case-change bypass of the patch. Image Source: chybeta]
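As an added illustration (not code from the Qualys post or from Oracle), the following Python shows why a case-sensitive blocklist on the raw request path misses the lowercase variant described above, and why a detection or WAF rule should canonicalise (repeatedly percent-decode) the path before matching. The request paths are constructed samples, not the actual WebLogic console URLs.

```python
import re
from urllib.parse import unquote

# Case-sensitive blocklist of the kind the text describes the original patch
# as using: it only matches the upper-case double-encoded "..".
NAIVE_PATTERN = re.compile(r"%252E%252E")


def naive_blocked(path: str) -> bool:
    """Returns True only for the exact upper-case double-encoded form."""
    return bool(NAIVE_PATTERN.search(path))


def canonicalize(path: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded to avoid loops)."""
    current = path
    for _ in range(max_rounds):
        decoded = unquote(current)  # handles %2E and %2e alike
        if decoded == current:
            break
        current = decoded
    return current


def traversal_detected(path: str) -> bool:
    """Detects a '..' path segment in any percent-encoding, any case."""
    canon = canonicalize(path)
    return bool(re.search(r"(^|[/\\])\.\.([/\\]|$)", canon))


# Constructed sample request paths (hypothetical, not real WebLogic endpoints).
SAMPLE_PATHS = [
    "/static/images/logo.png",                  # benign
    "/static/%252E%252E%252Fprotected/admin",   # upper-case double encoding
    "/static/%252e%252e%252fprotected/admin",   # lower-case variant
    "/static/%252E%252e%252Fprotected/admin",   # mixed case
    "/static/%2e%2e/protected/admin",           # single encoding
]


def scan(paths):
    """Compare the naive rule against the canonicalising rule per path."""
    return [(p, naive_blocked(p), traversal_detected(p)) for p in paths]


if __name__ == "__main__":
    for path, naive, canon in scan(SAMPLE_PATHS):
        print(f"{path:45} naive={naive!s:5} canonical={canon}")
```

Only the first encoded sample is caught by the naive rule, while every encoded variant is caught once the path is canonicalised first.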

At Qualys Labs, a PoC for CVE-2020-14882 has already been demonstrated –

Affected WebLogic Versions

Oracle WebLogic Server,,, and


Qualys customers can scan their network with QID# 87433 to detect vulnerable assets. Kindly continue to follow Qualys Threat Protection for more coverage on these vulnerabilities.

