Oracle acknowledged actively exploited security vulnerability in its popular and widely deployed WebLogic servers. Although the company has issued a patch, users must update their systems at the earliest because the WebLogic zero-day bug is presently under active exploitation. The security flaw has been tagged with “critical severity” level. The Common Vulnerability Scoring System score or CVSS base score is an alarming 9.8.

Oracle recently addressed a critical vulnerability affecting its WebLogic servers. The critical WebLogic zero-day vulnerability threatens users’ online security. The bug can potentially allow a remote attacker to gain complete administrative control of the victim or target devices. If that’s not concerning enough, once inside, the remote attacker can easily execute arbitrary code. The deployment or activation of the code can be done remotely. Although Oracle has quickly issued a patch for the system, it is up to the server administrators to deploy or install the update as this WebLogic zero-day bug is considered to be under active exploitation.

The Security Alert advisor from Oracle, officially tagged as CVE-2019-2729 mentions the threat is, “deserialization vulnerability via XMLDecoder in Oracle WebLogic Server Web Services. This remote code execution vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.”

The CVE-2019-2729 security vulnerability has earned a critical severity level. The CVSS base score of 9.8 is usually reserved for the most severe and critical security threats. In other words, WebLogic server administrators must prioritize the deployment of the patch issued by Oracle.

Oracle WebLogic Remote Code Execution (CVE-2019-2729): #security

— F5 DevCentral (@devcentral) June 25, 2019

A recently conducted study by Chinese KnownSec 404 Team claims the security vulnerability is being actively pursued or used. The team strongly feels the new exploit is essentially a bypass for the patch of a previously known bug officially tagged as CVE-2019–2725. In other words, the team feels Oracle might have inadvertently left a loophole within the last patch that was meant to address a previously discovered security flaw. However, Oracle has officially clarified that the just addressed security vulnerability is completely unrelated to the previous one. In a blog post meant to offer clarification about the same, John Heimann, VP Security Program Management, noted, “Please note that while the issue addressed by this alert is deserialization vulnerability, like that addressed in Security Alert CVE-2019-2725, it is a distinct vulnerability.”

The vulnerability can be easily exploited by an attacker with network access. The attacker merely requires access via HTTP, one of the most common networking pathways. The attackers don’t need authentication credentials to exploit the vulnerability over a network. The exploitation of the vulnerability can potentially result in the takeover of the targeted Oracle WebLogic servers.

Weblogic XMLDecoder RCEstart from CVE-2017-3506, end at CVE-2019-2729. We drive Oracle crazy ,finally they utilize WHITELIST to fix.

— pyn3rd (@pyn3rd) June 20, 2019

Which Oracle WebLogic Servers Remain Vulnerable To CVE-2019-2729?

Irrespective of the correlation or connection to the previous security bug, several security researchers actively reported the new WebLogic zero-day vulnerability to Oracle. According to researchers, the bug reportedly affects Oracle WebLogic Server versions,,

Interestingly, even before Oracle issued the security patch, there were a few workarounds for system administrators. Those who wished to quickly protect their systems were offered two separate solutions which could still work:

Scenario-1:  Find and delete wls9_async_response.war, wls-wsat.war and restart the Weblogic service. Scenario-2: Controls URL access for the /_async/* and /wls-wsat/* paths by access policy control.

Security researchers were able to discover about 42,000 Internet-accessible WebLogic servers. Needless to mention, the majority of attackers looking to exploit the vulnerability are targeting corporate networks. The primary intention behind the attack appears to be dropping crypto-mining malware. Servers have some of the most powerful computing power and such malware discreetly uses the same to mine cryptocurrency. Some reports indicate attackers are deploying Monero-mining malware. Attackers were even known to have used certificate files to hide the malware variant’s malicious code. This is a quite common technique to evade detection by anti-malware software.