
WebLogic Deserialization RCE vulnerability and its widespread use among the attackers

  • The vulnerability can allow an attacker to take control of the targeted systems by remotely executing commands without authorization.
  • The flaw was first spotted on April 21, 2019.

Lately, a zero-day vulnerability discovered in Oracle’s WebLogic Server has been widely used by cybercriminals to distribute a variety of malware. The vulnerability is tracked as a deserialization remote code execution flaw (CVE-2019-2725).

About CVE-2019-2725

CVE-2019-2725 is a deserialization remote code execution vulnerability that affects all WebLogic versions that have the wls9_async_response.war and wls-wsat.war components enabled. The vulnerability can allow an attacker to take control of the targeted systems by remotely executing commands without authorization.

The flaw was first spotted on April 21, 2019.

How widely are the attackers abusing the flaw?

Since the discovery of the vulnerability, security researchers have found several instances of exploitation of the vulnerability.

  • Researchers from Cisco Talos found a campaign where attackers were exploiting CVE-2019-2725 to distribute a new variant of ransomware called Sodinokibi.
  • In another report, researchers from Palo Alto Networks’ Unit 42 described the distribution of a new variant of the Muhstik botnet by abusing the deserialization vulnerability.
  • Attackers also distributed a variant of GandCrab ransomware and an XMRig miner by exploiting the vulnerability.

Other vulnerabilities of WebLogic Server also abused

The latest deserialization RCE vulnerability is not the only WebLogic flaw that attackers have exploited. In the past, hackers targeted CVE-2018-2628, CVE-2018-2893, and CVE-2017-10271 to launch attacks.

A hacking group made over $226,000 worth of Monero in late 2017 by exploiting CVE-2017-10271. The flaw existed in the Oracle WebLogic Server component of Oracle Middleware.

In early 2018, hackers were scanning the internet to take over machines running Oracle WebLogic servers impacted by CVE-2018-2628.

Hacking attempts were also made by abusing the CVE-2018-2893 vulnerability, which could allow an attacker to gain control over the entire server without authentication.

Staying safe

Oracle has released security patches to fix the deserialization RCE vulnerability. Users are advised to apply the updates; they are available only for products that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy.
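As an added example (not code from the page or from Oracle), the script below gives a defender two checks for this article's flaw: whether the two component archives named above are deployed under a WebLogic home, and whether the HTTP access log shows POST requests to the context roots those components answer on. The context roots /_async/ and /wls-wsat/, the server home path and the log lines are assumptions or constructed samples, not values from the page.

```python
import re
from pathlib import Path

# Component archives named in the advisory text above (taken from the page).
VULNERABLE_WARS = ("wls9_async_response.war", "wls-wsat.war")

# Context roots those components are served under. ASSUMPTION: the page does
# not state them; confirm against your own deployment before relying on them.
WATCHED_CONTEXTS = ("/_async/", "/wls-wsat/")

# Common Log Format line, as WebLogic's HTTP access log writes it by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def find_deployed_wars(war_paths):
    """Return the vulnerable component archives among the given .war paths."""
    return sorted({Path(p).name for p in war_paths if Path(p).name in VULNERABLE_WARS})


def scan_server_home(server_home):
    """Walk a WebLogic home (the path is an assumption) and report exposed components."""
    return find_deployed_wars(str(p) for p in Path(server_home).rglob("*.war"))


def flag_suspicious_requests(lines):
    """Return (ip, path, status) for POSTs to the watched context roots.
    Most servers see no legitimate traffic there, so every hit merits triage."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["path"].startswith(WATCHED_CONTEXTS):
            hits.append((m["ip"], m["path"], m["status"]))
    return hits


# Constructed sample access-log lines for demonstration; not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Apr/2019:10:01:02 +0000] "POST /_async/service-a HTTP/1.1" 202 0',
    '198.51.100.9 - - [22/Apr/2019:10:01:05 +0000] "GET /console/ HTTP/1.1" 200 1831',
    '203.0.113.7 - - [22/Apr/2019:10:01:09 +0000] "POST /wls-wsat/service-b HTTP/1.1" 500 412',
    "not a log line",
]

if __name__ == "__main__":
    for ip, path, status in flag_suspicious_requests(SAMPLE_LOG):
        print(f"review: {ip} POST {path} -> {status}")
```

Run `scan_server_home("/path/to/wlserver")` against a real installation to see whether removing or patching the two archives is still outstanding.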
