Actively exploited vulnerability

CVE-2017-3506: Oracle WebLogic Server OS Command Injection Vulnerability

Oracle WebLogic Server, a product within the Fusion Middleware suite, contains an OS command injection vulnerability that allows an attacker to execute arbitrary code via a specially crafted HTTP request that includes a malicious XML document.

CISA KEV source 3 Jun 2024 added 24 Jun 2024 remediation due

Affected product

Oracle · WebLogic Server

Known ransomware use: Unknown

Required action

Follow the source advisory and validate exposure in your environment.

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Related Yasna coverage

Recent reporting that mentions CVE-2017-3506.

Trend Micro Research, News and Perspectives30 May 2024

Decoding Water Sigbin's Latest Obfuscation Tricks

Water Sigbin (aka the 8220 Gang) exploited the Oracle WebLogic vulnerabilities CVE-2017-3506 and CVE-2023-21839 to deploy a cryptocurrency miner using a PowerShell script. The threat actor also adopted new techniques to conceal its activities, making attacks harder to defend against.

Trend Micro Research, News and Perspectives16 May 2023

8220 Gang Evolves With New Strategies

We observed the threat actor group known as “8220 Gang” employing new strategies for their respective campaigns, including exploits for the Linux utility “lwp-download” and CVE-2017-3506, an Oracle WebLogic vulnerability.