<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cpe:2.3:a:oracle:fusion_middleware:11.1.2.0:*:*:*:*:*:*:* — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/cpes/cpe2.3aoraclefusion_middleware11.1.2.0/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 15 May 2026 22:01:21 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/cpes/cpe2.3aoraclefusion_middleware11.1.2.0/feed.xml" rel="self" type="application/rss+xml"/><item><title>Public Exploit Available for Oracle Reports CVE-2012-3152 and CVE-2012-3153</title><link>https://feed.craftedsignal.io/briefs/2026-05-oracle-reports-rwsploit/</link><pubDate>Fri, 15 May 2026 22:01:21 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-oracle-reports-rwsploit/</guid><description>A public exploit, rwsploit, has been released targeting CVE-2012-3152 and CVE-2012-3153 in Oracle Reports Server versions below 11g, enabling unauthenticated file read, SSRF, and JSP shell upload.</description><content:encoded><![CDATA[<p>A public exploit, named rwsploit, has been released targeting CVE-2012-3152 and CVE-2012-3153 affecting Oracle Reports Server versions prior to 11g. The tool automates the detection and exploitation of vulnerable Oracle Reports Server instances, enabling unauthenticated file reads (LFI), Server-Side Request Forgery (SSRF), and JSP shell uploads. The rwsploit tool, written in Python, allows operators to scan single IPs, CIDR ranges, or lists of targets, and includes features to detect the underlying operating system to tailor LFI payloads. 
The availability of this exploit significantly increases the risk to unpatched Oracle Reports Server instances, since exploitation no longer requires attackers to build their own tooling.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies vulnerable Oracle Reports Server instances using reconnaissance techniques such as Shodan, Censys, or Google dorks.</li>
<li>The attacker uses rwsploit to scan the identified targets, specifying the target IP or CIDR range and desired ports.</li>
<li>Rwsploit attempts to detect the Oracle Reports Server version by sending requests to <code>/reports/rwservlet</code>.</li>
<li>The tool exploits CVE-2012-3152 to perform unauthenticated Local File Inclusion (LFI) attacks to read sensitive files. It first fingerprints the operating system so that it can send the matching LFI payloads.</li>
<li>Rwsploit exploits CVE-2012-3153 to perform Server-Side Request Forgery (SSRF) attacks using the <code>rwservlet?JOBTYPE=rwurl&amp;URLPARAMETER=</code> endpoint, verifying success via a webhook.site callback.</li>
<li>If desired, the attacker uploads a JSP shell using the <code>--shell</code> option, first reading the webroot path using <code>showenv</code> and then writing the shell via <code>rwservlet?report=xyzzy&amp;destype=file&amp;desname=&amp;JOBTYPE=rwurl&amp;URLPARAMETER=</code>.</li>
<li>Rwsploit verifies the JSP shell upload by checking the shell URL for an HTTP 200 response.</li>
<li>The attacker uses the uploaded JSP shell to gain remote code execution on the target server.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to read sensitive files, perform SSRF attacks, and ultimately gain remote code execution on the Oracle Reports Server. This can lead to data theft, system compromise, and further lateral movement within the network. The tool&rsquo;s automated nature means that attackers can efficiently scan and exploit large numbers of vulnerable systems, potentially impacting numerous organizations running older versions of Oracle Reports Server.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the vendor-provided patches for CVE-2012-3152 and CVE-2012-3153 to mitigate the vulnerabilities in Oracle Reports Server versions below 11g.</li>
<li>Deploy the Sigma rule &ldquo;Detect Oracle Reports rwservlet Path Traversal Attempt&rdquo; to identify attempts to exploit CVE-2012-3152 in web server logs.</li>
<li>Monitor network traffic for unusual outbound connections from Oracle Reports Server, especially to external URLs, to detect potential SSRF attacks related to CVE-2012-3153.</li>
<li>Use the Shodan, FOFA, Censys, and Google dorks that accompany this brief to identify potentially vulnerable Oracle Reports Server instances within your network or exposed to the internet.</li>
<li>Enable Sysmon process creation logging to facilitate detection of suspicious processes spawned from the Oracle Reports Server process.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>oracle</category><category>reports server</category><category>cve-2012-3152</category><category>cve-2012-3153</category><category>lfi</category><category>ssrf</category><category>jsp shell</category><category>rwsploit</category></item></channel></rss>