Monday, April 7, 2025
Follow us On Linkedin
HomeCVE/vulnerabilityHackers Attacking WebLogic Servers via CVE-2020–14882 Flaw to install Cobalt Strike Malware

Hackers Attacking WebLogic Servers via CVE-2020–14882 Flaw to install Cobalt Strike Malware

CVE/vulnerabilityWhat is

Published on

By Gurubaran
WebLogic Servers Flaw

Supply Chain Attack Prevention

SIEM as a Service

Follow Us on Google News

Attackers are found to be exploiting Oracle WebLogic Servers via CVE-2020–14882 to install Cobalt Strike which will allow persistent remote access to the compromised devices.

Testing the vulnerability

The latter half of last week saw a flurry of scans against Oracle’s WebLogic Server to check the vulnerability of CVE-2020-14882.

It is important to note that CVE-2020-14882 was patched a couple of weeks back and this was covered by us in great detail.

- Advertisement - Google News

In addition to the scans searching for vulnerabilities, it was found to be a few attempting to install crypto-mining tools.

On Friday, Oracle amended its patch for CVE-2020–14882 [2]. A new variation of the vulnerability (CVE-2020–14750) can be used to exploit WebLogic servers with a trivial modification of the exploit code.

What is a Cobalt Strike?

Cobalt Strike is a legitimate penetration testing tool that is used by threat actors in the post-exploitation tasks and to deploy beacons that enable them to gain continuous remote access.

This later allows them to access the compromised servers to harvest data and to deploy the second stage of malware payloads.

How did the attack happen?

The attackers are using a chain of base64-encoded Powershell scripts to download and install Cobalt Strike payloads on unpatched Oracle WebLogic servers.

Cobalt Strike is normally used to detect system penetration but though the tool is intended to do good, cybercriminals have used this tool for malicious intents and purposes.

The Cisco Talos Q4 2020 CTIR report states that of all the ransomware attacks this quarter, 66% of them involved the use of Cobalt Strike

The result of this operation is a shellcode to download and execute a Cobalt Strike payload.

Cobalt Strike deployment

Immediate Action advised

As both CVE-2020-14882 and CVE-2020-14750 can easily be exploited by unauthenticated attackers to take over vulnerable WebLogic servers, Oracle advises companies to immediately apply the security updates to block attacks.

The Cybersecurity and Infrastructure Security Agency (CISA) also urged administrators to apply the security update as soon as possible to address the two critical vulnerabilities.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

cyber security

Threat Actors Exploit Fake CAPTCHAs and Cloudflare Turnstile to Distribute LegionLoader

In a sophisticated attack targeting individuals searching for PDF documents online, cybercriminals are using...
Cyber Attack

HellCat, Rey, and Grep Groups Dispute Claims in Orange and HighWire Press Cases

SuspectFile.com has uncovered a complex web of overlapping claims and accusations within the cybercrime...
AI

AI Surpasses Elite Red Teams in Crafting Effective Spear Phishing Attacks

In a groundbreaking development in the field of cybersecurity, AI has reached a pivotal...
cyber security

Threat Actors Use Windows Screensaver Files as Malware Delivery Method

Cybersecurity experts at Symantec have uncovered a sophisticated phishing campaign targeting various sectors across...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

Register Now

More like this

CVE/vulnerability

MediaTek Releases Security Patch to Fix Vulnerabilities in Mobile and IoT Devices

MediaTek, a prominent semiconductor company specializing in mobile, IoT, and multimedia chipsets, has announced...
CVE/vulnerability

Python JSON Logger Vulnerability Enables Remote Code Execution – PoC Released

A recent security disclosure has revealed a remote code execution (RCE) vulnerability, CVE-2025-27607, in...
CVE/vulnerability

Dell PowerProtect Flaw Allows Remote Attackers to Execute Arbitrary Commands

Dell Technologies has released a security update addressing a critical vulnerability (CVE-2025-29987) in its...

GBHackers on Security is a top cybersecurity news platform, delivering up-to-date coverage on breaches, emerging threats, malware, vulnerabilities, and global cyber incidents.

Company

Trending

Categories

Copyright @ 2016 - 2025 GBHackers On Security - All Rights Reserved