Vulnerability Watch

Forum Discussion

Anonymous
6 years ago

Trend Micro reports that CVE-2019-2725 has been exploited and attackers are deploying Monero miners on vulnerable systems.

On April 17, China National Vulnerability Database (CNVD) published a security bulletin about an unauthenticated remote command execution (RCE) vulnerability in Oracle WebLogic (CVE-2019-2725).

Trend Micro is now reporting that attackers are exploiting the vulnerability to launch PowerShell on affected systems, and then deploying cryptocurrency miners to make some quick cash before their presence is detected.

To protect your organization from potential exploitation, Oracle has released an official fix for this vulnerability and it’s available here.

The following workaround steps are available for customers that are unable to apply the update from Oracle, and both of these steps must be performed:

  1. Delete the wls9_async_response.war and wls-wsat.war packages from the WebLogic server, and restart the WebLogic service.
  2. Restrict access to, or disable, the “/_async/*” and “/wls-wsat/*” URL paths on the WebLogic server.
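
As an added example (not part of this post, and not an Oracle or Tenable script), the following POSIX shell script carries out both workaround steps against a WebLogic install rooted at an assumed WL_HOME: it removes every copy of the two WAR files plus their exploded copies in the per-server _WL_internal cache, verifies nothing vulnerable remains, and emits a reverse-proxy deny rule for the two URL paths. The directory layout, the function names, and the assumption that an nginx proxy fronts WebLogic are all assumptions for illustration; adjust them for your deployment, and restart the managed servers after running it.

```shell
#!/bin/sh
# Added example for the CVE-2019-2725 workaround. Not Oracle's or Tenable's code.
# Assumed layout (adjust for your install):
#   $WL_HOME/wlserver*/server/lib/wls9_async_response.war
#   $WL_HOME/wlserver*/server/lib/wls-wsat.war
#   $WL_HOME/user_projects/domains/*/servers/*/tmp/_WL_internal/{wls9_async_response,wls-wsat}/
set -u

VULN_WARS="wls9_async_response.war wls-wsat.war"

# Step 1: delete every copy of the two WARs (library copy plus the exploded
# per-server cache under _WL_internal). Prints the number of items removed.
remove_vulnerable_wars() {
    root=$1
    count=0
    for war in $VULN_WARS; do
        for f in $(find "$root" -type f -name "$war" 2>/dev/null); do
            rm -f "$f" && count=$((count + 1))
        done
    done
    # exploded deployments are directories named after the WAR (no .war suffix)
    for d in $(find "$root" -type d \( -name wls9_async_response -o -name wls-wsat \) \
                   -path '*_WL_internal*' 2>/dev/null); do
        rm -rf "$d" && count=$((count + 1))
    done
    echo "$count"
}

# Check: succeeds (exit 0) if any vulnerable WAR or exploded cache is still present.
vulnerable_artifacts_remain() {
    root=$1
    remaining=$(find "$root" \( -name wls9_async_response.war -o -name wls-wsat.war \
        -o \( -type d \( -name wls9_async_response -o -name wls-wsat \) -path '*_WL_internal*' \) \) \
        2>/dev/null | wc -l | tr -d ' ')
    [ "$remaining" -gt 0 ]
}

# Step 2: deny the two URL paths in front of WebLogic. Assumes an nginx reverse
# proxy; the same rule is easy to express for OHS/Apache with LocationMatch.
write_nginx_block() {
    cat <<'EOF'
# Block the WebLogic paths abused by CVE-2019-2725 (hypothetical proxy snippet)
location ~ ^/(_async|wls-wsat)/ {
    return 403;
}
EOF
}

# Only touch a real install when invoked as:  WL_HOME=/opt/oracle ./fix.sh --apply
if [ "${1:-}" = "--apply" ]; then
    WL_HOME=${WL_HOME:?set WL_HOME to the WebLogic install root}
    removed=$(remove_vulnerable_wars "$WL_HOME")
    echo "removed $removed artifact(s) under $WL_HOME"
    if vulnerable_artifacts_remain "$WL_HOME"; then
        echo "vulnerable artifacts still present; check permissions" >&2
        exit 1
    fi
    echo "Restart the WebLogic managed servers so the deleted modules stop being served."
    echo "Add the following to the reverse proxy in front of WebLogic:"
    write_nginx_block
fi
```

The check function is the part worth keeping around: run it after the restart (and again after any WebLogic patch or redeploy) so a reinstalled library copy of either WAR does not silently reopen the endpoints.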

In addition, Tenable recommends reviewing your organization’s whitelist for trusted sources on your WebLogic server. At this time, known exploits for this vulnerability require the server to reach out to a malicious host. If that malicious host is not trusted, and does not appear on your organizational whitelist, this can reduce the risk of attack for currently available known exploit methods.

To learn more, please visit our blog.
