WebLogic Remote Code Execution Vulnerability (CVE-2019-2725)


Oracle WebLogic is vulnerable to a new deserialization vulnerability that could allow an attacker to execute remote commands on vulnerable hosts.

This vulnerability was identified in China by China National Vulnerability Database (CNVD) published a Security Team, they have issued a bulletin about an unauthenticated remote command execution (RCE) vulnerability in Oracle WebLogic (CNVD-C-2019-48814). Oracle WebLogic Server is middleware for deploying and administering web applications. An attacker could send a request to a WebLogic Server, which would then reach out to a malicious host to complete the request, opening up the WebLogic server to an Remote Code Execution attack.


An attacker could send specially crafted XML requests to a WebLogic server, which then causes the server to execute code instructing the server to reach out to a specific malicious host to complete the request. The WebLogic server then receives another XML response from the malicious host containing additional exploit instructions.


Affected Weblogic versions

Oracle weblogic server,  Oracle webLogic Server (includes Fusion Middleware).



Oracle has released an official fix for this vulnerability and it’s available here.

The following workaround steps are available for customers that are unable to apply the update from Oracle, and both of these steps must be performed:

  1. Delete the wls9_async_response.war, wls-wsat.war packages from the WebLogic server, and restart the Weblogic service.
  2. Restrict access to, or disable, the “/_async/*” and “/wls-wsat/” URL paths on the WebLogic server.

In addition, it is recommended to upgrade WebLogic server according to your organization's vulnerability assessment as per whitelist  . At this time, known exploits for this vulnerability require the server to reach out to a malicious host. If that malicious host is not trusted, and does not appear on your organizational whitelist, this can reduce the risk of attack for currently available known exploit methods.


Follow me on Linkedin My Profile
Follow DevopsJunction onFacebook orTwitter
For more practical videos and tutorials. Subscribe to our channel

Buy Me a Coffee at ko-fi.com

Signup for Exclusive "Subscriber-only" Content