[KnownSec 404 Team] Oracle WebLogic Deserialization RCE Vulnerability (0day) Alert (updated on 26th April)

Knownsec 404 team
Apr 21, 2019



The remote Oracle WebLogic server is affected by a remote code execution vulnerability (0day).


The Oracle WebLogic wls9_async and wls-wsat components contain a deserialization vulnerability that leads to remote command execution. This vulnerability affects all WebLogic versions (including the latest version) that have the wls9_async_response.war and wls-wsat.war components enabled.

At the time this alert was issued, Oracle had still not released a corresponding fix, so this is a "0day" vulnerability. An attacker could exploit it to execute commands remotely without authorization. We have reported the details to Oracle WebLogic officials.

Impact in cyberspace

ZoomEye, a well-known cyberspace search engine, returns 101,040 results for Oracle WebLogic servers, 36,173 of them from 2019. Most of them are located in the US and China.

Temporary Solution

Scenario-1: Find and delete wls9_async_response.war and wls-wsat.war, then restart the WebLogic service.

Scenario-2: Restrict URL access to the /_async/* and /wls-wsat/* paths with an access policy control.
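Whichever workaround is applied, a defender will want to confirm that no request still reaches the two affected paths. The following script is an added example written for this post, not code from the Knownsec 404 Team: it parses access log lines in Common Log Format (as a reverse proxy in front of WebLogic, or WebLogic's own access log, would write them), flags every request whose path falls under /_async/* or /wls-wsat/*, and lists the ones that were not answered with a deny status. The assumption that a blocked request is answered with HTTP 403, the sub-paths such as /_async/ExampleService and the log lines themselves are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# URL prefixes of the two affected components named in the advisory.
# "/_async", "/_async/...", "/wls-wsat" and "/wls-wsat/..." match;
# a look-alike such as "/_asyncfoo/..." does not.
BLOCKED_PATH_RE = re.compile(r"^/(_async|wls-wsat)(/|$)")

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+$'
)


@dataclass(frozen=True)
class Hit:
    ip: str
    ts: str
    method: str
    path: str
    status: int


def is_blocked_path(request_target: str) -> bool:
    """True if the request targets one of the two affected component paths."""
    path = request_target.split("?", 1)[0]  # ignore the query string
    return BLOCKED_PATH_RE.match(path) is not None


def parse_line(line: str) -> Optional[Hit]:
    """Parse one Common Log Format line; None if it does not match."""
    m = LOG_LINE_RE.match(line.strip())
    if m is None:
        return None
    return Hit(m["ip"], m["ts"], m["method"], m["path"], int(m["status"]))


def find_hits(lines: Iterable[str]) -> List[Hit]:
    """All parsable requests that target /_async/* or /wls-wsat/*."""
    hits: List[Hit] = []
    for line in lines:
        hit = parse_line(line)
        if hit is not None and is_blocked_path(hit.path):
            hits.append(hit)
    return hits


def policy_gaps(hits: Iterable[Hit], denied_status: int = 403) -> List[Hit]:
    """Hits not answered with the deny status (assumed 403): requests that
    reached the component despite the workaround."""
    return [h for h in hits if h.status != denied_status]


# Constructed sample log lines (not real traffic); the sub-paths are placeholders.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Apr/2019:10:01:02 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 1534
10.0.0.9 - - [21/Apr/2019:10:01:07 +0000] "POST /_async/ExampleService HTTP/1.1" 202 0
10.0.0.9 - - [21/Apr/2019:10:01:09 +0000] "POST /wls-wsat/ExampleService?wsdl HTTP/1.1" 403 0
10.0.0.5 - - [21/Apr/2019:10:01:10 +0000] "GET /_asyncfoo/index.jsp HTTP/1.1" 404 88
10.0.0.9 - - [21/Apr/2019:10:01:12 +0000] "GET /wls-wsat HTTP/1.1" 200 310
"""


if __name__ == "__main__":
    hits = find_hits(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"{h.ts} {h.ip} {h.method} {h.path} -> {h.status}")
    gaps = policy_gaps(hits)
    print(f"{len(hits)} requests to affected paths, {len(gaps)} not denied")
```

On the constructed sample the script reports three requests to the affected paths, two of which were not denied; any non-empty result from policy_gaps after the workaround is in place means the access control is not covering the path (note that the bare /wls-wsat path without a trailing slash is matched too, which a naive prefix rule on "/wls-wsat/" would miss).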


References

[1] About Oracle WebLogic: https://www.oracle.com/middleware/weblogic/index.html
[2] CNVD vulnerability announcement of April 17: http://www.cnvd.org.cn/webinfo/show/4989
[3] Seebug vulnerability record: https://www.seebug.org/vuldb/ssvid-97920
[4] ZoomEye search engine dork: https://www.zoomeye.org/searchResult?q=weblogic


Update on 26th April

For this vulnerability, Oracle broke from its regular patch cycle and released a standalone emergency patch on 26th April, 2019. The vulnerability has a CVSS score of 9.8.





404 Team is the core team of Knownsec, a well-known security company in China. Twitter: @seebug_team, YouTube: @404team knownsec, Email: zoomeye@knownsec.com