Lately, a zero-day vulnerability discovered in Oracle’s WebLogic Server has been widely used by cybercriminals to distribute a variety of malware. The vulnerability is a deserialization remote code execution flaw, tracked as CVE-2019-2725.
About CVE-2019-2725
CVE-2019-2725 is a deserialization remote code execution vulnerability that affects all WebLogic versions that have the wls9_async_response.war and wls-wsat.war components enabled. The vulnerability can allow an attacker to take control of the targeted systems by remotely executing commands without authorization.
The flaw was first spotted on April 21, 2019.
How widely are the attackers abusing the flaw?
Since the discovery of the vulnerability, security researchers have found several instances of exploitation of the vulnerability.
Other vulnerabilities of WebLogic Server also abused
The latest deserialization RCE vulnerability is not the only WebLogic flaw that has been exploited by attackers. In the past, hackers targeted CVE-2018-2628, CVE-2018-2893, and CVE-2017-10271 to launch attacks.
A hacking group made over $226,000 worth of Monero in late 2017 by exploiting CVE-2017-10271. The flaw existed in the Oracle WebLogic Server component of Oracle Middleware.
In early 2018, hackers were scanning the internet to take over machines running Oracle WebLogic servers impacted by CVE-2018-2628.
Hacking attempts were also made by abusing the CVE-2018-2893 vulnerability, which could allow an attacker to gain control over the entire server without authentication.
Staying safe
Oracle has released security patches to fix the deserialization RCE vulnerability. Users are advised to apply updates only for products that are covered under Premier Support or Extended Support phases of the Lifetime Support Policy.