New zero-day RCE flaw discovered in Oracle WebLogic servers

• The flaw is tracked as a remote execution flaw and was first spotted on April 21, 2019.
• The vulnerability can allow a hacker to take over the targeted systems by remotely executing commands without authorization.

A new zero-day flaw impacting Oracle WebLogic servers has been spotted in the wild. The flaw is tracked as a remote execution flaw and was first spotted on April 21, 2019.

The big picture - In a report, researchers from a Chinese cybersecurity firm KnownSec 404 revealed that the attackers are leveraging the zero-day RCE flaw to target Oracle WebLogic server running the WLS9_ASYNC and WLS-WSAT components. The vulnerability can allow a hacker to take over the targeted systems by remotely executing commands without authorization.

“Oracle WebLogic wls9_async and wls-wsat components trigger deserialization remote command execution vulnerability. This vulnerability affects all Weblogic versions (including the latest version) that have the wls9_async_response.war and wls-wsat.war components enabled,” KnownSec 404 researcher wrote in a blog post.

Why is Oracle WebLogic server a lucrative target - Over the past few years, attackers have been targeting Oracle WebLogic servers to conduct cryptomining operations.

For example, a hacker group made over $226,000 worth of Monero in late 2017 by exploiting CVE-2017-10271 in Oracle WebLogic servers.

In addition, as the servers are often deployed in enterprise settings and connected to other enterprise systems, the WebLogic servers could also be exploited to steal sensitive data.