The attacks exploit CVE-2018-2893, a critical vulnerability in a component product’s middleware that allows an attacker to gain control over the entire server without having to know its password.
The attacks exploit CVE-2018-2893, a critical vulnerability in a component product’s middleware that allows an attacker to gain control over the entire server without having to know its password.

At least two separate threat groups have already developed automated exploitation scripts to exploit a recently patched vulnerability in Oracle WebLogic Servers and are conducting large-scale attacks after several proof-of-concepts were published.

The attacks exploit CVE-2018-2893, a critical vulnerability in a component product's middleware that allows an attacker to gain control over the entire server without having to know its password.

Oracle released an update to address the flaw on July 18 and details of the vulnerability were never made public, but three days later, various individuals began posting proof of concepts on how to exploit the bug on places like GitHub.

“As it happened many times in the past with many other vulnerabilities, the availability of this PoC code has led to a rise in exploitation attempts,” according to a July 24 Bleeping Computer post.

“First exploitation attempts started on Saturday, July 21, after news of the PoCs' existence spread on social media. Since then, attacks have slowly ramped up.”

Two separate groups have already automated the exploitation routine and are conducting these hacks at a large scale.

One of the groups, dubbed luoxk, is being tracked by Qihoo 360 Netlab researchers and has been spotted using DSL(Nitol) code to perform DDoS attacks, Gh0st to execute RAT, mining using XMRig,, Android malicious APK, and Exploiting RMI service in a worm style.

Researchers at ISC SANS also tracked a separate group which was attempting to use the exploit to install a backdoor in vulnerable systems.

Researchers are advising server owners to apply the Oracle July 2018 CPU updates as soon as possible, and especially the patches for CVE-2018-2893.