
CVE-2018-2894

CRITICAL
2018-07-18 secalert_us@oracle.com
9.8
CVSS 3.0 · NVD

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

Analysis Generated: Mar 26, 2026 - 11:18 (vuln.today)
Patch released / Patch available: Nov 21, 2024 - 04:04 (nvd)
CVE Published: Jul 18, 2018 - 13:29 (nvd), CRITICAL 9.8

Description (CVE.org)

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS - Web Services). Supported versions that are affected are 12.1.3.0, 12.2.1.2 and 12.2.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Analysis (AI)

Oracle WebLogic Server contains a critical arbitrary file upload vulnerability in the WLS Web Services subcomponent, specifically the Web Services Test Client (context root /ws_utc), affecting versions 12.1.3.0, 12.2.1.2 and 12.2.1.3. Wherever the test page is reachable, an unauthenticated attacker with HTTP access can upload an arbitrary file, including a JSP webshell, and obtain remote code execution inside the server JVM with the privileges of the WebLogic process user.

Technical Context (AI)

The vulnerability resides in the test client's ws_utc/config.do page, which is served without authentication whenever the test client is enabled. The test client is enabled by default when the server runs in development mode; in production mode it is disabled unless an administrator has turned it on, so exposure is not confined to development hosts but is not the default for production either. The page lets any visitor change the Work Home Dir setting and upload files (for example keystores) through config.do. An attacker first points Work Home Dir at a directory that the test client's own web application serves over HTTP, then uploads a JSP file through the upload function, and finally requests the uploaded file at its predictable URL path beneath /ws_utc/, at which point the server compiles and runs the JSP and executes the attacker's commands.

Affected Products (AI)

Oracle WebLogic Server 12.1.3.0
Oracle WebLogic Server 12.2.1.2
Oracle WebLogic Server 12.2.1.3
Oracle Fusion Middleware (containing the above WebLogic releases)

Remediation (AI)

Apply the Oracle Critical Patch Update that fixes this issue (the July 2018 CPU or a later one) to every affected 12.1.3.0, 12.2.1.2 and 12.2.1.3 instance. Run production servers in production mode and leave the Web Services Test Page disabled; after the change, confirm that /ws_utc/begin.do no longer serves the test client. Restrict network access to the /ws_utc/ context root to trusted management networks, since the page has no authentication of its own. Monitor access logs for POST requests to /ws_utc/config.do and for requests to JSP files under /ws_utc/, and alert on new JSP files appearing in the test client's deployment directory under the server's tmp tree, where uploaded webshells land.
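The monitoring advice above can be turned into a small detector. The following is an added example, not code from the advisory, from Oracle or from vuln.today. It assumes the default WebLogic access.log in Common Log Format and uses constructed sample log lines and a constructed file path; the directory name with the random component (4mcj4y) and the timestamped upload filename are illustrative placeholders, not values taken from the page.

```python
"""Detection helpers for abuse of the WebLogic ws_utc test page (CVE-2018-2894).

Added example; assumes WebLogic access.log in Common Log Format. All sample
input below is constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# Common Log Format, the default format of a WebLogic server's access.log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# URL paths in the exploitation chain: the test page, its unauthenticated
# configuration/upload handler, and the keystore upload directory that becomes
# web-served once Work Home Dir points into the test client's own war.
WS_UTC_PREFIX = "/ws_utc/"
CONFIG_HANDLER = "/ws_utc/config.do"
KEYSTORE_PREFIX = "/ws_utc/css/config/keystore/"
JSP_SUFFIXES = (".jsp", ".jspx")


@dataclass(frozen=True)
class Finding:
    severity: str   # "low", "medium" or "high"
    rule: str
    ip: str
    ts: str
    method: str
    path: str
    status: int


def classify(method: str, path: str) -> Optional[Tuple[str, str]]:
    """Map one request to (severity, rule), or None when it is unrelated to ws_utc."""
    lowered = path.lower()
    if lowered.startswith(KEYSTORE_PREFIX) and lowered.endswith(JSP_SUFFIXES):
        return "high", "JSP served from ws_utc keystore upload directory (webshell execution)"
    if method == "POST" and lowered == CONFIG_HANDLER:
        return "medium", "ws_utc configuration change or file upload"
    if lowered.startswith(WS_UTC_PREFIX):
        return "low", "Web Services test page reached"
    return None


def scan_access_log(lines: Iterable[str]) -> List[Finding]:
    """Return ws_utc related findings in log order; unparseable lines are skipped."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # Strip the query string (?cmd=...) so the rules key on the path alone.
        path = urlsplit(m["uri"]).path
        hit = classify(m["method"], path)
        if hit:
            severity, rule = hit
            findings.append(Finding(severity, rule, m["ip"], m["ts"],
                                    m["method"], path, int(m["status"])))
    return findings


def jsp_in_keystore_dirs(paths: Iterable[str]) -> List[str]:
    """Filesystem counterpart: a keystore upload directory should hold key
    material, never JSP files. Feed it a recursive listing of the server's tmp
    tree (for example the paths from Path(tmp_dir).rglob('*'))."""
    return [p for p in paths
            if "/config/keystore/" in p and p.lower().endswith(JSP_SUFFIXES)]


# Constructed sample input: one attacker (203.0.113.7) walking the exploit chain
# among ordinary traffic, plus a line that does not parse.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [18/Jul/2018:10:12:01 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 4821
203.0.113.7 - - [18/Jul/2018:10:13:44 +0000] "GET /ws_utc/begin.do HTTP/1.1" 200 9213
203.0.113.7 - - [18/Jul/2018:10:13:59 +0000] "POST /ws_utc/config.do HTTP/1.1" 200 312
203.0.113.7 - - [18/Jul/2018:10:14:10 +0000] "POST /ws_utc/config.do HTTP/1.1" 200 288
203.0.113.7 - - [18/Jul/2018:10:14:21 +0000] "GET /ws_utc/css/config/keystore/1531908850123_cmd.jsp?cmd=id HTTP/1.1" 200 57
10.0.0.9 - - [18/Jul/2018:10:15:02 +0000] "GET /myapp/index.jsp HTTP/1.1" 200 1044
garbage line that does not parse
"""

# Constructed paths; the "4mcj4y" component stands in for WebLogic's random
# deployment directory name and is not taken from a real system.
SAMPLE_PATHS = [
    "/u01/oracle/user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_internal/"
    "com.oracle.webservices.wls.ws-testclient-app-wls/4mcj4y/war/css/config/keystore/1531908850123_cmd.jsp",
    "/u01/oracle/user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_internal/"
    "com.oracle.webservices.wls.ws-testclient-app-wls/4mcj4y/war/css/config/keystore/client.jks",
    "/u01/oracle/user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_internal/"
    "com.oracle.webservices.wls.ws-testclient-app-wls/4mcj4y/war/index.jsp",
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG.splitlines()):
        print(f"{f.severity:6} {f.ip:14} {f.method:4} {f.path} ({f.rule})")
    for p in jsp_in_keystore_dirs(SAMPLE_PATHS):
        print("suspicious file:", p)
```

The log rule keys on the path only and ignores the query string, so `?cmd=id` style parameters do not change the match; the status code is carried in the finding so an analyst can separate a successful webshell hit (2xx) from a failed probe (4xx). The filesystem rule deliberately ignores the test client's own legitimate JSPs elsewhere in the war and only flags JSP files inside a keystore directory.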


CVE-2018-2894 vulnerability details – vuln.today
