Oracle WebLogic Exploit CVE-2020-14882

 1title: Oracle WebLogic Exploit CVE-2020-14882
 2id: 85d466b0-d74c-4514-84d3-2bdd3327588b
 3status: test
 4description: Detects exploitation attempts on WebLogic servers
 5references:
 6    - https://isc.sans.edu/diary/26734
 7    - https://twitter.com/jas502n/status/1321416053050667009?s=20
 8    - https://twitter.com/sudo_sudoka/status/1323951871078223874
 9author: Florian Roth (Nextron Systems)
10date: 2020/11/02
11modified: 2023/01/02
12tags:
13    - attack.t1190
14    - attack.initial_access
15    - cve.2020.14882
16    - detection.emerging_threats
17logsource:
18    category: webserver
19detection:
20    selection:
21        cs-uri-query|contains:
22            - '/console/images/%252E%252E%252Fconsole.portal'
23            - '/console/css/%2e'
24    condition: selection
25fields:
26    - c-ip
27    - c-dns
28falsepositives:
29    - Unknown
30level: high

References

• PATCH NOW: CVE-2020-14882 Weblogic Actively Exploited Against Honeypots - SANS Internet Storm Center

  

  PATCH NOW: CVE-2020-14882 Weblogic Actively Exploited Against Honeypots, Author: Johannes Ullrich

  
  Read More

• Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

• Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

Related rules

• CVE-2010-5278 Exploitation Attempt
• CVE-2020-0688 Exchange Exploitation via Web Log
• CVE-2020-0688 Exploitation Attempt
• CVE-2020-10148 SolarWinds Orion API Auth Bypass
• CVE-2020-5902 F5 BIG-IP Exploitation Attempt