Published: 26/04/2019 Updated: 07/05/2019
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 764
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

Oracle WebLogic Server could allow a remote malicious user to execute arbitrary code on the system, caused by improper deserialization. By sending a specially-crafted HTTP request, an attacker could exploit this vulnerability to execute arbitrary code on the system.

Vulnerability Trend

Affected Products

Vendor Product Versions
OracleWeblogic Server10.,

Vendor Advisories

Oracle Security Alert Advisory - CVE-2019-2725 Description This Security Alert addresses CVE-2019-2725, a deserialization vulnerability in Oracle WebLogic Server This remote code execution vulnerability is remotely exploitable without authentication, ie, may be e ...


## # This module requires Metasploit: metasploitcom/download # Current source: githubcom/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Powershell def initialize(info={}) super(update_info(info, ...
#!/usr/bin/python # Exploit Title: Oracle Weblogic Exploit CVE-2019-2725 # Date: 30/04/2019 # Exploit Author: Avinash Kumar Thapa # Vendor Homepage: wwworaclecom/middleware/technologies/weblogichtml # Software Link: wwworaclecom/technetwork/middleware/downloads/indexhtml # Version: Oracle WebLogic Server, versions 103600, ...

Mailing Lists

An unauthenticated attacker with network access to the Oracle Weblogic Server T3 interface can send a malicious SOAP request to the interface WLS AsyncResponseService to execute code on the vulnerable host ...

Github Repositories

POC-EXP 本脚本针对CVE-2019-2725weblogic 反序列化RCE漏洞,使用前请修改VPS监听地址,并在运行时提交特定的URL即可完成测试 测试地址为:192168209134:49163/_async/AsyncResponseService 修改payload参数中的监听地址和端口后: #python CVE-2019-2725py 运行后输入ip:端口号/_async/AsyncResponseService

CVE-2019-2725 weblogic命令回显+webshell上传 免责声明:本工具仅供安全测试学习用途,禁止非法使用 weblogic命令回显+webshell上传 脚本简介: 本脚本是基于weblogic 1036和1213版本进行测试,并用python3编写。 1036使用的jdk7u21的payload 1213使用的orgslf4jextEventData类二次反序列化 py依赖的第三方库 req

CVE-2019-2725 CVE-2019-2725(CNVD-C-2019-48814、WebLogic wls9-async) 命令回显


cve2019-2725_RCE - Weblogic _async remote command execution exploit cve2019_2725、CNVD-C-2019-48814 weblogic _async反序列话远程代码执行漏洞 Weblogic _async远程命令执行回显版exp,不需要安装任何库,通杀Windows&Linux。 Linux Payload用的Jason的,Windows Payload是修改的10271,javalangRuntime执行。同样使用写临时文件方

CVE-2019-2725_check CNVD-C-2019-48814_CVE-2019-2725_check、CVE-2019-2725_POC

CNTA-2019-0014-CVE-2019-2725 Usage:python3 weblogic_rcepy [url] [command] [is echo?] [win or linux] 具体分析请转:icematchawin/?p=1174


cve-2019-2725 References: Tenable - wwwtenablecom/blog/oracle-weblogic-affected-by-unauthenticated-remote-code-execution-vulnerability-cve-2019-2725 Exploit Database - wwwexploit-dbcom/exploits/46780 PaloAlto - unit42paloaltonetworkscom/muhstik-botnet-exploits-the-latest-weblogic-vulnerability-for-cryptomining-and-ddos-attacks/ SISSDEN - si

CVE-2019-2725 from secquanorg first launch

python3运行 1检测目标放在iptxt文件下,格式:192168118:7001 2直接运行脚本,存在漏洞的结果保存在oktxt文件中

CVE-2019-2725 weblogic命令回显+webshell上传

CNVD-C-2019-48814和CNNVD-201904-961 感谢t00ls-ximcx0101提供脚本 CNVD-C-2019-48814 POC Summary 相关链接如下: 清水川崎大佬的简书: wwwjianshucom/p/c4982a845f55 安全祖师爷转发: dwzcn/2GQvbUae 由于环境的一些因素路径会存在变化: 默认上传路径为: servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war

sectools 1个人安全工具开发学习,语言不限 2主要为图形化工具 -QAQ- 1源代码泄漏批量检测 2s2_045测试 3zoomeye查询,不消耗api ## 4一键子域名查询,subdomain 5weblogic cve-2019-2725漏洞检测

Th1s 1s a rep0 ab0ut h3cking scr1pts shodan 调用shodan api 统计设备数量,如weblogic shodancountpy weblogic 调用shodan api 搜索设备,如weblogic shodansearchpy weblogic SMBLoris 通过smb服务对Windows服务器实施DOS攻击 chmod +x run10sh sh run10sh httpscan 一个http简易扫描脚本 如要扫描19216800/24 httpscanpy 19216800/24 dump_ssh_passwor

CNVD-C-2019-48814和CNNVD-201904-961 感谢t00ls-ximcx0101提供脚本 CNVD-C-2019-48814 POC Summary 相关链接如下: 清水川崎大佬的简书: wwwjianshucom/p/c4982a845f55 安全祖师爷转发: dwzcn/2GQvbUae 由于环境的一些因素路径会存在变化: 默认上传路径为: servers/AdminServer/tmp/_WL_internal/bea_wls9_async_response/8tpkys/war

CNVD-C-2019-48814 work on linux and windows(CVE-2019-2725) WebLogic wls9-async反序列化远程命令执行漏漏洞 说明 It's does't work when weblogic patched for cve-2017-10271 10360 12130 基于jas502n的脚本修改而成 使用 python async_command_favicon_allpy 127001:7001 漏洞复现 1 Windows Server 2012 servers/AdminServer/tmp/_

WeblogicScan Weblogic vulnerability one-click poc detection Software Author: Tide_RabbitMask Thanks to the open source POC from the web I have only carried out the magic transformation and interface unification Disclaimer:Pia!(o ‵-′)ノ”(ノ﹏<。) This tool is for safety testing only,and should not be used for illegal use V 11 Features:

Recent Articles

GandCrab Ransomware Shutters Its Operations
Threatpost • Tara Seals • 03 Jun 2019

The GandCrab ransomware group is shutting down, according to posts on the Dark Web.
Researchers David Montenegro and Damian spotted the announcements over the weekend.

Noting that “all good things come to an end,” GandCrab’s operators in a posting on the exploit[.]in underground market claim the malware has raked in nearly $2 billion since the ransomware launched in January of last year. That encompasses ransomware-as-a-service (RaaS) earnings as well as $150 million for...

Oracle WebLogic Exploit-fest Continues with GandCrab Ransomware, XMRig
Threatpost • Tara Seals • 06 May 2019

Malicious activity exploiting the recently disclosed Oracle WebLogic critical deserialization vulnerability (CVE-2019-2725) is surging. Even though there’s a patch, tens of thousands of vulnerable machines represent an irresistible target for hackers, according to Unit 42 researchers at Palo Alto Networks – especially since the bug is “trivial” to exploit.
Oracle WebLogic Server is a popular application server used in building and deploying enterprise Java EE applications. Oracle r...

Muhstik Botnet Variant Targets Just-Patched Oracle WebLogic Flaw
Threatpost • Lindsey O'Donnell • 01 May 2019

A variant of the Muhstik botnet has been uncovered in the wild, exploiting a recently-disclosed, dangerous vulnerability in Oracle WebLogic servers.
The newfound samples of Muhstik are targeting the recently-patched CVE-2019-2725 in WebLogic servers, and then launching distributed-denial-of-service (DDoS) and cryptojacking attacks with the aim of making money for the attacker behind the botnet, researchers said.
“From the timeline, we can see that the developer of Muhs...

If you're using Oracle's WebLogic Server, check for security fixes: Bug exploited in the wild to install ransomware
The Register • Iain Thomson in San Francisco • 01 May 2019

Big Red rushes out software patch as ransomware scumbags move in

IT admins overseeing Oracle's WebLogic Server installations need to get patching immediately: miscreants are exploiting what was a zero-day vulnerability in the software to pump ransomware into networks.
The Cisco Talos security team said one its customers discovered it had been infected via the bug on April 25, though the exploit is believed to have been kicking around the web since April 17. The programming blunder at the heart of the matter is a deserialization vulnerability that can be...

New ‘Sodinokibi’ Ransomware Exploits Critical Oracle WebLogic Flaw
Threatpost • Lindsey O'Donnell • 30 Apr 2019

A recently-disclosed critical vulnerability in Oracle WebLogic is being actively exploited in a slew of attacks, which are distributing a never-before-seen ransomware variant.
The recently-patched flaw exists in Oracle’s WebLogic server, used for building and deploying enterprise applications. The deserialization vulnerability (CVE-2019-2725​) is being exploited to spread what researchers with Cisco Talos in a Tuesday analysis dubbed the “Sodinokibi” ransomware.
“This is th...