For more than a week hackers have started scanning the Internet, searching for machines running Oracle WebLogic servers.
Scans started after April 17, when Oracle published its quarterly Critical Patch Update (CPU) security advisory.
The
April 2018 CPU contained a patch for CVE-2018-2628, a vulnerability in the WLS core component of WebLogic, a Java EE application server.
This security issue received a severity score of 9.8 out of 10 because it could allow attackers to execute code on remote WebLogic servers without needing to authenticate.
PoC published online last week
The flaw was discovered and reported by Liao Xinxi of NSFOCUS Security Team and an independent security researcher named loopx9.
A day after the Oracle patches, Xinxi published a
blog post on a Chinese social network, explaining how the vulnerability works. Leveraging this info, a user named Brianwrf created and released proof-of-concept (PoC) code
on GitHub that could exploit this flaw.
The publishing of a fully-weaponized PoC led to an immediate spike in scans for port 7001, the port running the vulnerable WebLogic "T3" service.