Contact Contact Us


Threat actors are actively scanning publicly accessible Oracle WebLogic servers to exploit a new zero-day vulnerability (CVE-2019-2725) that allows remote code execution (RCE) without the need for authorisation. The zero-day is a deserialisation flaw in the wls9_async and the wls-wsat components, which affects all WebLogic versions. When successfully exploited, attackers can install a variety of malware such as cryptocurrency miners, ransomware and trojans, which can eventually lead to data loss or service downtime. A persistence attacker can also install legitimate tools such as PSExec and Mimikatz to steal credentials and pivot to other parts of the compromised network. It is estimated that over 36,000 WebLogic servers are affected, with the majority being enterprise servers located in China and the US. Oracle has issued an out-of-band patch for WebLogic versions 10.3.6 and 12.1.3. Organisations using a web facing Oracle WebLogic server are strongly advised to install the update. If patching is not possible, mitigate against potential attacks by deleting the wls9_async_response.war and wls-wsat.war file and restarting the WebLogic service. Thereafter, deny unauthorised access by applying access control policy for /_async/* and /wls-wsat/*.

[1] Massive eGobbler Malvertising Campaign Leverages Chrome Vulnerability to Target iOS Users

Ensign InfoSecurity Singapore
30A Kallang Place
Singapore 339213

Tel: +65 6788 2882
Fax: +65 6788 3883