Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Weblogic Exploit Code Made Public (CVE-2018-2893) - SANS Internet Storm Center SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Weblogic Exploit Code Made Public (CVE-2018-2893)

[UPDATE] We do see first exploit attempts. The exploit attempts to download additional code from . We are still looking at details, but it looks like the code attempts to install a backdoor. The initial exploit came from

Possible exploit code:

On 18-JUL-2018 Oracle released a Critical Patch Update (  Yesterday exploit targeting CVE-2018-2893 impacting Oracle Weblogic Server appeared publicly. 

Scanning activity targeting port 7001 peaked in May of 2018 when another Weblogic vulnerability went public, unsurprisingly it was used to install crypto miners then (


Kevin Liston

292 Posts
ISC Handler
Jul 20th 2018

Sign Up for Free or Log In to start participating in the conversation!