Impact
A flaw in Oracle WebLogic Server permits a low‑privileged attacker that can reach the server through HTTP to execute arbitrary code with system‑level privileges. This vulnerability is a CWE‑284 (Insecure Permissions) flaw. It allows full compromise of the server, giving the attacker unrestricted access to all data and the ability to disrupt or shut down the service. The flaw resides in the core component of the Fusion Middleware stack and can alter the scope, affecting additional products within the application stack.
Affected Systems
Oracle WebLogic Server versions 14.1.2.0.0 and 15.1.1.0.0 on all supported platforms are affected. The CPE entries indicate the specific builds. These versions were released as part of Oracle Fusion Middleware and include the WebLogic Server core component.
Risk and Exploitability
The CVSS v3.1 base score of 9.9 reflects complete confidentiality, integrity, and availability impacts. The EPSS score of less than 1% indicates that, while the vulnerability is easily exploitable, it has not yet been widely leveraged in the wild. The likely attack vector is a normal HTTP connection from an external network; an attacker needs only low privileges to launch the exploit, and a successful compromise can lead to full server takeover. The flaw is not yet listed in the CISA KEV catalog, but the severity warrants urgent action.
OpenCVE Enrichment