New Weblogic 0day (More Metasploit Modules)

This time, a short review.

The last Sunday (April 21st), KnownSec 404 Team issued an alert about a new vulnerability that has been exploited in the wild, a 0day for Weblogic, as usual, a deserialization vulnerability, this time in one of its components deployed as a web service (wls9_async and wls-wsat). Some days later (April 23rd), China National Vulnerability Database[1] and time then (April 25th) Oracle, released a Critical Patch Update Advisory[2] about multiple vulnerabilities some of them related.

Reviewing in a bit more detail the technical information about the vulnerabilities [3], we realize that it was a bug straightforward to exploit since it is an XML serialization vulnerability very similar to some of those that appeared a couple of years ago for the same web container.

<soapenv:Envelope xmlns:soapenv=""
<work:WorkContext xmlns:work="">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<void index="1">
<void index="2">
<void method="start"/>

Knowing this, we set out to carry out some tests and that day (April 25th), We had a Metasploit module ready to exploit the vulnerability as you can see in the pull requests [4].

Then, the next day Oracle released an emergency Security Alert Advisory warning about the vulnerability (CVE-2019-2725[5]

we want to encourage the community to support the Metasploit project actively. It is an excellent tool that helps us in the pen-testing work.