Contact Contact Us


Malicious activities exploiting the recently patched Oracle WebLogic critical deserialisation vulnerability (CVE-2019-2725) are surging. Various threat groups are scanning for web-facing Oracle WebLogic deployments running the wls9_async_response.war package, a default package in WebLogic Server 10.3.6 and 12.1.3. A remote, unauthenticated user can send a HTTP request containing a crafted SOAP payload and obtain remote code execution. Successful attacks can result in infections such as the XMRig cryptominer via a PowerShell loader and the GandCrab and Sodinokibi ransomware. A botnet known as Muhstik has also incorporated the exploit for CVE-2019-2725 into its arsenal and seeks to enslave vulnerable WebLogic servers for cryptomining and to launch DDoS attacks. Organisations deploying Oracle WebLogic are strongly advised to apply the out-of-band patch released on 26 April and scan vulnerable servers for signs of compromise as the flaw was being exploited prior to the patch release.

[1] Muhstik Botnet Exploits the Latest WebLogic Vulnerability for Cryptomining and DDoS Attacks
[2] Sodinokibi Ransomware Exploits WebLogic Server Vulnerability
[3] Attackers Increasingly Targeting Oracle WebLogic Server Vulnerability for XMRig and Ransomware
[4] Oracle Security Alert Advisory - CVE-2019-2725

Ensign InfoSecurity Singapore
30A Kallang Place
Singapore 339213

Tel: +65 6788 2882
Fax: +65 6788 3883