Priority: Critical

Executive Summary: A new critical vulnerability has been discovered that affects several versions of the Oracle WebLogic server. The bug has classed as critical-level security risk and has a CVSS Base Score of 9.8. The vulnerability has already been exploited in the wild by several unknown hacker groups.

This security update highlights a deserialization vulnerability in the XMLDecoder within the Oracle WebLogic server. This new exploitation technique allows attackers to remotely run arbitrary commands on the affected servers by simply sending a specially crafted HTTP request. This remote code execution (RCE) flaw does not require any form of authentication/remote access credentials in order to be leveraged.

The new critical flaw is related to the previous 0-day vulnerability (CVE-2019-2725) discovered in April 2019 which has been patched. This previous vulnerability has been exploited in several attack variations such as; “Sodinokibi” and “GraandCrab ransomware as well as the “XMRIG” cryptocurrency mining malware attacks. Both critical vulnerabilities rely on the deserialization process in XMLDecoder.

Detect: Any Oracle WebLogic servers which have not already been updated will be affected by this vulnerability. ITC customers who are subscribed to the ITC VI service can request a scan to identify affected operating.

Affected Products: Oracle WebLogic Server, versions;,,

Prevent: Due to the severity of this vulnerability, ITC strongly recommends that customers apply the updates provided by the Oracle Security Alert Advisory – CVE-2019-2729.

React: Oracle have released an emergency software update and patches for CVE-2019-2729. It is advised that these updates are applied and installed as soon as possible. If patching is not currently possible, the temporary mitigations for CVE-2019-2725 are applicable:

  • Delete the wls9_async_response.war, wls-wsat.war packages from the WebLogic server, and restart the Weblogic service
  • Restrict or disable access to the “/_async/*” and “/wls-wsat/” URL paths on the WebLogic server


Oracle Patched Another Zero-Day Vulnerability that Can be Exploited Without Authentication