Technical Articles
F5 SMEs share good practice.
Showing results for 
Search instead for 
Did you mean: 
Custom Alert Banner
F5 Employee
F5 Employee

Recently, a critical and easy-to-exploit remote code execution vulnerability was found in Oracle WebLogic Servers. The vulnerability allows an unauthenticated remote attacker with network access via HTTP to achieve total compromise and takeover of vulnerable Oracle WebLogic Servers.

The vulnerability affects the following versions:


An exploit targeting this vulnerability was posted online by a Vietnamese researcher. This easy-to-exploit vulnerability can be exploited by sending a POST request.

According to the researcher, Oracle WebLogic does not perform any authentication on the following end points:

  • /bea-helpsets/*
  • /framework/skins/wlsconsole/images/*
  • /framework/skins/wlsconsole/css/*
  • /framework/skeletons/wlsconsole/js/*
  • /framework/skeletons/wlsconsole/css/*
  • /css/*
  • /common/*
  • /images/*

By using double encoding for “../”, the researcher was able to navigate to the path that triggers code execution after bypassing authentication using the /images endpoint.

Malicious request exploiting this vulnerability are shown in the figures below.


Figure 1 Exploit request 


Figure 2 Exploit Request with a different gadget

Mitigation with BIG-IP ASM

ASM customers under any supported BIG-IP version are already protected against this vulnerability.

The exploitation attempt will trigger a violation caused by directory traversal evasion technique and will also be detected by many existing signatures for Java and PHP code injection.


  Figure 3 Exploit blocked with Attack Signature (200004161)


Figure 4 Exploit blocked with Attack Signature (200004152)


Figure 5 Exploit blocked with Attack Signature (200004624)


Figure 6 Exploit blocked with Attack Signature (200004625)

Version history
Last update:
‎30-Oct-2020 06:42
Updated by: