BLOG: 12 Vulnerabilities of Christmas – CVE-2019-2725
CVE-2019-2725 is a vulnerability affecting Oracle WebLogic Server versions 10.3.6.0 and 12.1.3.0. It was disclosed on 21 April 2019 by the Knownsec 404 Team and addressed by Oracle in an out-of-cycle security alert, with patches, on 26 April 2019. The earliest public proof of concept was posted on GitHub on 2 May 2019. Orpheus has attributed CVE-2019-2725 an Orpheus Vulnerability Score (OVS) of 100/100 because of the ease of exploitation and the ability it gives threat actors to execute code remotely and launch follow-on attacks such as ransomware and cryptomining campaigns.
Background
CVE-2019-2725 is a deserialization vulnerability in Oracle WebLogic, a Java EE application server which allows users to build, develop and deploy internet facing enterprise applications. This vulnerability affected all versions that have the wls9_async_response.war and wls-wsat.war components enabled.
This CVE is easily exploitable, enabling remote code execution without authentication or user interaction. Because the applications hosted on WebLogic are typically internet facing, any threat actor with HTTP access to a vulnerable server can compromise it. Two Metasploit modules are available that achieve remote code execution by targeting WebLogic's default listener on port 7001. The low complexity of the attack and its potential impact on a vulnerable organisation make it attractive to threat actors. Moreover, it affects all three components of the CIA triad: confidentiality, integrity and availability.
In the days prior to Oracle issuing the patch, there was a reported increase in WebLogic attack activity, with threat actors probing for vulnerable servers before launching attacks. Within the same week in April, proof-of-concept code for this CVE was also published on GitHub, making it readily available to any potential malicious actor. We also reported on this vulnerability being exploited to deploy Sodinokibi and GandCrab ransomware, demonstrating its potential to facilitate rapid lateral movement by ransomware operators. Furthermore, it has been exploited in Monero mining campaigns, to infect cloud servers with the Muhstik botnet, and to deploy Golang-based remote access trojans. Targeted organisations include those in the telecommunications, technology, government, healthcare and manufacturing sectors.
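Since the probing described above leaves traces in WebLogic's HTTP access log, the following Python script, added here as an example and not code from Orpheus, Oracle or Knownsec, shows two checks a defender would want: a scan of access-log lines for requests to the two vulnerable components, and an authorised, non-intrusive exposure check of those endpoints. It assumes WebLogic's default access.log layout (Common Log Format) and that wls9_async_response.war and wls-wsat.war are served under /_async/ and /wls-wsat/; the endpoint names /_async/AsyncResponseService and /wls-wsat/CoordinatorPortType and the log lines are constructed for illustration. It does not attempt exploitation.

```python
"""Added example: spot CVE-2019-2725 probing in WebLogic access logs and check endpoint exposure.

Not code from Orpheus, Oracle or Knownsec. Assumes WebLogic's default access.log
(Common Log Format) and that the vulnerable components are mounted under
/_async/ and /wls-wsat/; the endpoint names and log lines below are constructed.
"""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass

# URL prefixes served by wls9_async_response.war and wls-wsat.war (assumption).
VULNERABLE_PREFIXES = ("/_async/", "/wls-wsat/")

# Common Log Format: host ident user [time] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)


@dataclass
class Finding:
    ip: str
    ts: str
    method: str
    path: str
    status: int
    reason: str


def parse_line(line):
    """Parse one access-log line; return None for lines that do not fit the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Return why an entry is suspicious, or None if it does not touch a vulnerable component.

    Exploitation delivers a SOAP body to the deserialization endpoint, so POSTs
    are ranked above GETs, which attackers use to fingerprint exposed servers.
    """
    path = entry["path"].split("?", 1)[0]   # ignore the query string when matching
    if not any(path.startswith(p) for p in VULNERABLE_PREFIXES):
        return None
    if entry["method"] == "POST":
        return "POST to deserialization endpoint"
    return "probe of vulnerable component"


def scan(lines):
    """Run classify() over log lines and collect the suspicious ones in order."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry)
        if reason:
            findings.append(Finding(entry["ip"], entry["ts"], entry["method"],
                                    entry["path"], entry["status"], reason))
    return findings


def count_by_source(findings):
    """Findings per source IP; repeated POSTs from one host are the strongest signal."""
    counts = {}
    for f in findings:
        counts[f.ip] = counts.get(f.ip, 0) + 1
    return counts


def check_exposure(base_url,
                   paths=("/_async/AsyncResponseService", "/wls-wsat/CoordinatorPortType"),
                   timeout=5):
    """Non-intrusive exposure check: GET each endpoint and report its HTTP status.

    Only use against servers you are authorised to test. A 404 on both paths
    after removing the .war files confirms the workaround took effect.
    """
    results = {}
    for path in paths:
        try:
            with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=timeout) as resp:
                results[path] = resp.status
        except urllib.error.HTTPError as err:
            results[path] = err.code          # 404/403 are the outcomes we want to see
        except urllib.error.URLError as err:
            results[path] = str(err.reason)   # connection refused, timeout, etc.
    return results


# Constructed sample log: one probe, two POSTs, one benign console request, one bad line.
SAMPLE_LOG = [
    '203.0.113.10 - - [28/Apr/2019:10:15:01 +0000] "GET /_async/AsyncResponseService?wsdl HTTP/1.1" 200 1934',
    '203.0.113.10 - - [28/Apr/2019:10:15:03 +0000] "POST /_async/AsyncResponseService HTTP/1.1" 202 0',
    '198.51.100.7 - - [28/Apr/2019:10:16:20 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 1087',
    '192.0.2.44 - - [28/Apr/2019:10:17:00 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 4521',
    'not an access log line',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding.ts} {finding.ip} {finding.method} {finding.path} -> {finding.reason}")
    print("per-source counts:", count_by_source(scan(SAMPLE_LOG)))
    # print(check_exposure("http://weblogic.example.internal:7001"))  # authorised hosts only
```

Run it against a real access.log with `scan(open(path))`; POSTs to either prefix from an external address are the entries to pull into incident response first, and the exposure check is a quick way to confirm, after patching or removing the components, that the endpoints no longer answer.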
Mitigation
Due to the severity of the vulnerability, we recommend organisations follow these mitigation guidelines:
Apply the patches from Oracle's security alert for CVE-2019-2725 as a priority on all affected WebLogic hosts.
Restrict traffic to vulnerable hosts to only trusted devices, and in particular do not expose the WebLogic listener (port 7001 by default) to the internet unless it is necessary.
Where the wls9_async_response.war and wls-wsat.war components are not required, remove them, or restrict access to the URL paths they serve (/_async/* and /wls-wsat/*), so that the vulnerable endpoints can no longer be reached.
Review WebLogic access logs for requests to those components, since threat actors were observed probing for vulnerable servers before exploitation.
This concludes our 12 Vulnerabilities of Christmas blog series, which examined 12 high-severity CVEs, their past and present exploitation by threat actors, and mitigation advice for organisations with vulnerable hosts. Using OVS scores, Orpheus analysts have been able to prioritise threat intelligence reporting on these vulnerabilities. You can read the previous editions here:
Orpheus is a leading cybersecurity company that offers predictive and actionable intelligence to clients, enabling them to anticipate, prepare for, and respond to cyber threats. Our threat intelligence is used to create threat-led cyber risk ratings, providing a more accurate assessment of risk than just analysing an organisation's attack surface. Products include: external attack surface management, risk-based vulnerability management, third-party supply chain risk management and cyber threat intelligence.