{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/cpes/cpe2.3aoraclefusion_middleware11.1.2.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:oracle:fusion_middleware:11.1.1.4.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:fusion_middleware:11.1.1.6.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:fusion_middleware:11.1.2.0:*:*:*:*:*:*:*"],"_cs_cves":[{"id":"CVE-2012-3153"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Reports Server"],"_cs_severities":["high"],"_cs_tags":["oracle","reports server","cve-2012-3152","cve-2012-3153","lfi","ssrf","jsp shell","rwsploit"],"_cs_type":"threat","_cs_vendors":["Oracle"],"content_html":"\u003cp\u003eA public exploit, named rwsploit, has been released targeting CVE-2012-3152 and CVE-2012-3153 affecting Oracle Reports Server versions prior to 11g. The tool automates the detection and exploitation of vulnerable Oracle Reports Server instances, enabling unauthenticated file reads (LFI), Server-Side Request Forgery (SSRF), and JSP shell uploads. The rwsploit tool, written in Python, allows operators to scan single IPs, CIDR ranges, or lists of targets, and includes features to detect the underlying operating system to tailor LFI payloads. The availability of this exploit significantly increases the risk to unpatched Oracle Reports Server instances, as exploitation can now be easily performed by attackers.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies vulnerable Oracle Reports Server instances using reconnaissance techniques such as Shodan, Censys, or Google dorks.\u003c/li\u003e\n\u003cli\u003eThe attacker uses rwsploit to scan the identified targets, specifying the target IP or CIDR range and desired ports.\u003c/li\u003e\n\u003cli\u003eRwsploit attempts to detect the Oracle Reports Server version by sending requests to \u003ccode\u003e/reports/rwservlet\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe tool exploits CVE-2012-3152 to perform unauthenticated Local File Inclusion (LFI) attacks to read sensitive files. The OS is detected first to run the matching payloads.\u003c/li\u003e\n\u003cli\u003eRwsploit exploits CVE-2012-3153 to perform Server-Side Request Forgery (SSRF) attacks using the \u003ccode\u003erwservlet?JOBTYPE=rwurl\u0026amp;URLPARAMETER=\u003c/code\u003e endpoint, verifying the success with webhook.site.\u003c/li\u003e\n\u003cli\u003eIf desired, the attacker uploads a JSP shell using the \u003ccode\u003e--shell\u003c/code\u003e option, first reading the webroot path using \u003ccode\u003eshowenv\u003c/code\u003e and then writing the shell via \u003ccode\u003erwservlet?report=xyzzy\u0026amp;destype=file\u0026amp;desname=\u0026amp;JOBTYPE=rwurl\u0026amp;URLPARAMETER=\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eRwsploit verifies the JSP shell upload by checking the shell URL for an HTTP 200 response.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the uploaded JSP shell to gain remote code execution on the target server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to read sensitive files, perform SSRF attacks, and ultimately gain remote code execution on the Oracle Reports Server. This can lead to data theft, system compromise, and further lateral movement within the network. The tool\u0026rsquo;s automated nature means that attackers can efficiently scan and exploit large numbers of vulnerable systems, potentially impacting numerous organizations running older versions of Oracle Reports Server.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the vendor-provided patches for CVE-2012-3152 and CVE-2012-3153 to mitigate the vulnerabilities in Oracle Reports Server versions below 11g.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Oracle Reports rwservlet Path Traversal Attempt\u0026rdquo; to identify attempts to exploit CVE-2012-3152 in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusual outbound connections from Oracle Reports Server, especially to external URLs, to detect potential SSRF attacks related to CVE-2012-3153.\u003c/li\u003e\n\u003cli\u003eUse the provided Shodan, FOFA, Censys, and Google dorks to identify potentially vulnerable Oracle Reports Server instances within your network or exposed to the internet.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to facilitate detection of suspicious processes spawned from the Oracle Reports Server process.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-15T22:01:21Z","date_published":"2026-05-15T22:01:21Z","id":"https://feed.craftedsignal.io/briefs/2026-05-oracle-reports-rwsploit/","summary":"A public exploit, rwsploit, has been released targeting CVE-2012-3152 and CVE-2012-3153 in Oracle Reports Server versions below 11g, enabling unauthenticated file read, SSRF, and JSP shell upload.","title":"Public Exploit Available for Oracle Reports CVE-2012-3152 and CVE-2012-3153","url":"https://feed.craftedsignal.io/briefs/2026-05-oracle-reports-rwsploit/"}],"language":"en","title":"CraftedSignal Threat Feed — Cpe:2.3:a:oracle:fusion_middleware:11.1.2.0:*:*:*:*:*:*:*","version":"https://jsonfeed.org/version/1.1"}