ALERT: Oracle WebLogic Server Zero-day (CVE-2019-2725) in the wild

Oracle released the quarterly critical patch updates in April 2019. And in less than a week, a zero-day was found exploiting in-the-wild. The vulnerability exists in Oracle Weblogic Server which has been targeted repeatedly due to its popularity and access to huge business sensitive information.

What is the issue?

A remote code execution vulnerability exists in Oracle Weblogic Sever. This vulnerability has been identified as CVE-2019-2725. This vulnerability was reported by KnownSec 404 Team. And, SANS ISC InfoSec Forums observed active attacks trying to install crypto coin miners.

Processing of untrusted input is one of the major techniques through which attackers find their way inside systems. The issue here is that of insecure deserialization. The flaw exists in the wls9_async_response package. The components wls9_async and wls-wsat trigger the vulnerability. An attacker can input a serialized maliciously crafted file. Upon processing, this file is deserialised and can execute the malicious content inside it with elevated privileges.

image credit:

Affected Products:

The vulnerability affects these versions of the application:

  • Weblogic
  • WebLogic


A remote attacker can execute arbitrary code on the target machine by giving a specially crafted file as input.


Oracle has released an out-of-band security update to deal with the vulnerability. Also, Oracle advises that the patches be applied at the earliest due to the severity of the issue.

Subscribe For More Posts Like This

Get the latest research, best practices, industry trends and cybersecurity blogs from SecPod security experts

Invalid email address
We promise not to spam you. You can unsubscribe at any time.
0 0 votes
Article Rating
Notify of
Inline Feedbacks
View all comments