alert http $EXTERNAL_NET any -> any any (msg:"ET WEB_SPECIFIC_APPS Oracle WebLogic RCE Shell Inbound M2 (CVE-2020-14882)"; flow:established,to_server; http.uri.raw; content:"/console/images/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel="; content:"com.tangosol.coherence.mvel2.sh.ShellSession("; distance:0; within:75; http.uri; content:"com.tangosol.coherence.mvel2.sh.ShellSession("; fast_pattern; content:"java.lang.Runtime.getRuntime("; distance:0; content:".exec"; distance:0; reference:url,isc.sans.edu/forums/diary/PATCH+NOW+CVE202014882+Weblogic+Actively+Exploited+Against+Honeypots/26734/; reference:url,packetstormsecurity.com/files/159769/Oracle-WebLogic-Server-Remote-Code-Execution.html; reference:cve,2020-14882; reference:cve,2020-14883; classtype:attempted-user; sid:2031147; rev:3; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_10_30, cve CVE_2020_14882, deployment Perimeter, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2022_05_03, reviewed_at 2024_05_07;)