Published: 26/04/2019 Updated: 07/05/2019
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 766
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

Oracle WebLogic Server could allow a remote malicious user to execute arbitrary code on the system, caused by improper deserialization. By sending a specially-crafted HTTP request, an attacker could exploit this vulnerability to execute arbitrary code on the system.

Vulnerability Trend

Affected Products

Vendor Product Versions
OracleWeblogic Server10.,

Vendor Advisories

Oracle Security Alert Advisory - CVE-2019-2725 Description This Security Alert addresses CVE-2019-2725, a deserialization vulnerability in Oracle WebLogic Server This remote code execution vulnerability is remotely exploitable without authentication, ie, may be e ...


## # This module requires Metasploit: metasploitcom/download # Current source: githubcom/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Powershell def initialize(info={}) super(update_info(info, ...
#!/usr/bin/python # Exploit Title: Oracle Weblogic Exploit CVE-2019-2725 # Date: 30/04/2019 # Exploit Author: Avinash Kumar Thapa # Vendor Homepage: wwworaclecom/middleware/technologies/weblogichtml # Software Link: wwworaclecom/technetwork/middleware/downloads/indexhtml # Version: Oracle WebLogic Server, versions 103600, ...

Mailing Lists

An unauthenticated attacker with network access to the Oracle Weblogic Server T3 interface can send a malicious SOAP request to the interface WLS AsyncResponseService to execute code on the vulnerable host ...

Github Repositories

POC-EXP 本脚本针对CVE-2019-2725weblogic 反序列化RCE漏洞,使用前请修改VPS监听地址,并在运行时提交特定的URL即可完成测试 测试地址为:192168209134:49163/_async/AsyncResponseService 修改payload参数中的监听地址和端口后: #python CVE-2019-2725py 运行后输入ip:端口号/_async/AsyncResponseService

CVE-2019-2725 CVE-2019-2725(CNVD-C-2019-48814、WebLogic wls9-async) 命令回显

CVE-2019-2725 weblogic命令回显+webshell上传 免责声明:本工具仅供安全测试学习用途,禁止非法使用 weblogic命令回显+webshell上传 脚本简介: 本脚本是基于weblogic 1036和1213版本进行测试,并用python3编写。 1036使用的jdk7u21的payload 1213使用的orgslf4jextEventData类二次反序列化 py依赖的第三方库 req


cve2019-2725_RCE - Weblogic _async remote command execution exploit cve2019_2725、CNVD-C-2019-48814 weblogic _async反序列话远程代码执行漏洞 Weblogic _async远程命令执行回显版exp,不需要安装任何库,通杀Windows&Linux。 Linux Payload用的Jason的,Windows Payload是修改的10271,javalangRuntime执行。同样使用写临时文件方

CVE-2019-2725_check CNVD-C-2019-48814_CVE-2019-2725_check、CVE-2019-2725_POC

CNTA-2019-0014-CVE-2019-2725 Usage:python3 weblogic_rcepy [url] [command] [is echo?] [win or linux] 具体分析请转:icematchawin/?p=1174

cve-2019-2725 References: Tenable - wwwtenablecom/blog/oracle-weblogic-affected-by-unauthenticated-remote-code-execution-vulnerability-cve-2019-2725 Exploit Database - wwwexploit-dbcom/exploits/46780 PaloAlto - unit42paloaltonetworkscom/muhstik-botnet-exploits-the-latest-weblogic-vulnerability-for-cryptomining-and-ddos-attacks/ SISSDEN - si

CVE-2019-2725 from secquanorg first launch


CVE-2019-2725 CVE-2019-2725 weblogic 回显版本 POC 以及exp exp支持单个命令回显 poc支持批量认证 payload 采用 githubcom/jiansiting/CVE-2019-2725 经测试成功与否与jdk有关 有些可能有漏洞却无法利用

python3运行 1检测目标放在iptxt文件下,格式:192168118:7001 2直接运行脚本,存在漏洞的结果保存在oktxt文件中

CVE-2019-2725 weblogic命令回显+webshell上传

weblogic_test to test weblogic cve-2017-10217, cve-2019-2725 and cve-2019-2715(bypass)

sectools 1个人安全工具开发学习,语言不限 2主要为图形化工具 -QAQ- 1源代码泄漏批量检测 2s2_045测试 3zoomeye查询,不消耗api ## 4一键子域名查询,subdomain 5weblogic cve-2019-2725漏洞检测

CNVD-C-2019-48814和CNNVD-201904-961 感谢t00ls-ximcx0101提供脚本 CNVD-C-2019-48814 POC Summary 相关链接如下: 清水川崎大佬的简书: wwwjianshucom/p/c4982a845f55 安全祖师爷转发: dwzcn/2GQvbUae 由于环境的一些因素路径会存在变化: 默认上传路径为: servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war

Th1s 1s a rep0 ab0ut h3cking scr1pts shodan 调用shodan api 统计设备数量,如weblogic shodancountpy weblogic 调用shodan api 搜索设备,如weblogic shodansearchpy weblogic SMBLoris 通过smb服务对Windows服务器实施DOS攻击 chmod +x run10sh sh run10sh httpscan 一个http简易扫描脚本 如要扫描19216800/24 httpscanpy 19216800/24 dump_ssh_passwor

CNVD-C-2019-48814和CNNVD-201904-961 感谢t00ls-ximcx0101提供脚本 CNVD-C-2019-48814 POC Summary 相关链接如下: 清水川崎大佬的简书: wwwjianshucom/p/c4982a845f55 安全祖师爷转发: dwzcn/2GQvbUae 由于环境的一些因素路径会存在变化: 默认上传路径为: servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war

CNVD-C-2019-48814 work on linux and windows(CVE-2019-2725) WebLogic wls9-async反序列化远程命令执行漏漏洞 说明 It's does't work when weblogic patched for cve-2017-10271 10360 12130 基于jas502n的脚本修改而成 使用 python async_command_favicon_allpy 127001:7001 漏洞复现 1 Windows Server 2012 servers/AdminServer/tmp/_

Weblogic漏洞测试脚本 使用python3编写 为了测试方便自己写的一些测试脚本还没有写完,有空在改。 asyncBypasspy是jdk16的CVE-2019-2729批量检测脚本。 CVE-2019-2618py是漏洞单独检测脚本。 checkpy是集成检测脚本。 check脚本目前支持检测内容如下 uddiSSRF CVE-2017-10271 CVE-2018-2894 CVE-2019-2618 CVE-2019-2725

WeblogicScan Weblogic vulnerability one-click poc detection Software Author: Tide_RabbitMask Thanks to the open source POC from the web I have only carried out the magic transformation and interface unification Disclaimer:Pia!(o ‵-′)ノ”(ノ﹏<。) This tool is for safety testing only,and should not be used for illegal use V 11 Features:

项目简介 信息收集、攻击尝试获得权限、持久性控制、权限提升、网络信息收集、横向移动、数据分析(在这个基础上再做持久化控制)、擦屁股。 安全相关资源列表 arxivorg 康奈尔大学(Cornell University)开放文档 githubcom/sindresorhus/awesome awesome系列 wwwowasporgcn/ow

Recent Articles

Using Oracle WebLogic? Put down your coffee, drop out of Discord, grab this patch right now: Vuln under attack
The Register • Shaun Nichols in San Francisco • 19 Jun 2019

Emergency security fix emitted for remote code exec hole exploited in the wild

Oracle has issued an emergency critical update to address a remote code execution vulnerability in its WebLogic Server component for Fusion Middleware – a flaw miscreants are exploiting in the wild to hijack systems.
The programming blunder, designated CVE-2019-2729, is present in WebLogic Server versions,, and The vulnerability itself is caused by a deserialization bug in the XMLDecoder for WebLogic Server Web Services.
When exploited, a remote at...

Oracle Warns of New Actively-Exploited WebLogic Flaw
Threatpost • Lindsey O'Donnell • 19 Jun 2019

Oracle said that a critical remote code execution flaw in its WebLogic Server is being actively exploited in the wild.
The remote code execution flaw (CVE-2019-2729) impacts a number of versions of Oracle’s WebLogic Server, used for building and deploying enterprise applications. The vulnerability has a CVSS score of 9.8 out of 10. Part of its seriousness is because it is remotely exploitable without authentication.
“Due to the severity of this vulnerability, Oracle strongly reco...

Oracle Fixes Critical Bug in WebLogic Server Web Services
BleepingComputer • Ionut Ilascu • 19 Jun 2019

Oracle on Tuesday announced a patch for a remote code execution vulnerability affecting specific versions of the WebLogic Server. The bug bypasses a previously fixed flaw and researchers say it is actively used in attacks.
The issue is now tracked CVE-2019-2729 and it is deserialization via XMLDecoder in Oracle WebLogic Server Web Services. This is the same as CVE-2019-2725, patched in April, leveraged in past attacks to deliver Sodinokibi ransomware and cryptocurrency miners. It is also ...

GandCrab Ransomware Shutters Its Operations
Threatpost • Tara Seals • 03 Jun 2019

The GandCrab ransomware group is shutting down, according to posts on the Dark Web.
Researchers David Montenegro and Damian spotted the announcements over the weekend.

Noting that “all good things come to an end,” GandCrab’s operators in a posting on the exploit[.]in underground market claim the malware has raked in nearly $2 billion since the ransomware launched in January of last year. That encompasses ransomware-as-a-service (RaaS) earnings as well as $150 million for...

Oracle WebLogic Exploit-fest Continues with GandCrab Ransomware, XMRig
Threatpost • Tara Seals • 06 May 2019

Malicious activity exploiting the recently disclosed Oracle WebLogic critical deserialization vulnerability (CVE-2019-2725) is surging. Even though there’s a patch, tens of thousands of vulnerable machines represent an irresistible target for hackers, according to Unit 42 researchers at Palo Alto Networks – especially since the bug is “trivial” to exploit.
Oracle WebLogic Server is a popular application server used in building and deploying enterprise Java EE applications. Oracle r...

Muhstik Botnet Variant Targets Just-Patched Oracle WebLogic Flaw
Threatpost • Lindsey O'Donnell • 01 May 2019

A variant of the Muhstik botnet has been uncovered in the wild, exploiting a recently-disclosed, dangerous vulnerability in Oracle WebLogic servers.
The newfound samples of Muhstik are targeting the recently-patched CVE-2019-2725 in WebLogic servers, and then launching distributed-denial-of-service (DDoS) and cryptojacking attacks with the aim of making money for the attacker behind the botnet, researchers said.
“From the timeline, we can see that the developer of Muhs...

If you're using Oracle's WebLogic Server, check for security fixes: Bug exploited in the wild to install ransomware
The Register • Iain Thomson in San Francisco • 01 May 2019

Big Red rushes out software patch as ransomware scumbags move in

IT admins overseeing Oracle's WebLogic Server installations need to get patching immediately: miscreants are exploiting what was a zero-day vulnerability in the software to pump ransomware into networks.
The Cisco Talos security team said one its customers discovered it had been infected via the bug on April 25, though the exploit is believed to have been kicking around the web since April 17. The programming blunder at the heart of the matter is a deserialization vulnerability that can be...

New ‘Sodinokibi’ Ransomware Exploits Critical Oracle WebLogic Flaw
Threatpost • Lindsey O'Donnell • 30 Apr 2019

A recently-disclosed critical vulnerability in Oracle WebLogic is being actively exploited in a slew of attacks, which are distributing a never-before-seen ransomware variant.
The recently-patched flaw exists in Oracle’s WebLogic server, used for building and deploying enterprise applications. The deserialization vulnerability (CVE-2019-2725​) is being exploited to spread what researchers with Cisco Talos in a Tuesday analysis dubbed the “Sodinokibi” ransomware.
“This is th...

Sodinokibi Ransomware Being Installed on Exploited WebLogic Servers
BleepingComputer • Lawrence Abrams • 30 Apr 2019

Attackers are exploiting a recently disclosed WebLogic vulnerability to install a new ransomware called Sodinokibi. As this vulnerability is trivial to exploit, it is important that server admins install the patch immediately in order to prevent infections or unauthorized access.
Earlier this month, a deserialization vulnerability (CVE-2019-2725) was discovered in Oracle WebLogic Server that allows attackers to gain full access to the server in order to install malware or use it as a l...