Rule History

SID: 10006254 • Source: ptrules/open

Versions (7)

Version DetailsCurrent

Rev: 2 • Jul 24, 2025, 5:44 PM

Message:

ATTACK [PTsecurity] Oracle Weblogic unauth RCE (CVE-2020-14882)

Rule:

alert http any any -> any any (msg: "ATTACK [PTsecurity] Oracle Weblogic unauth RCE (CVE-2020-14882)"; flow: established, to_server; content: "%252E%252E"; http_raw_uri; http.uri; content: "console.portal"; http.request_body; content: "tangosol"; content: "coherence"; distance: 0; content: "ShellSession"; distance: 0; reference: url, twitter.com/jas502n/status/1321416053050667009; reference: url, testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbf; reference: cve, 2020-14882; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10006254; rev: 2;)

Created:

Jul 24, 2025, 5:44 PM

Updated:

Jul 24, 2025, 5:44 PM

DB Created:

Oct 16, 2025, 10:34 AM

DB Updated:

Oct 16, 2025, 10:34 AM

Filename:

rules/ptopen-attacks.rules