Connect with us

Hi, what are you looking for?


Malware & Threats

CISA Warns of Attacks Exploiting Old Oracle WebLogic Vulnerability

CISA has added an old Oracle WebLogic flaw tracked as CVE-2017-3506 to its known exploited vulnerabilities catalog.

The US cybersecurity agency CISA on Monday added an old Oracle WebLogic flaw to its Known Exploited Vulnerabilities (KEV) catalog after it was seen being exploited by Chinese hackers to deploy cryptocurrency miners.

The vulnerability, tracked as CVE-2017-3506, affects Oracle WebLogic Server and allows an unauthenticated attacker to access or modify critical data, enabling arbitrary OS command execution. Attackers can achieve remote code execution via specially crafted HTTP requests. 

The issue was addressed by Oracle in 2017. The first signs of potential exploitation in the wild emerged in 2018, during the analysis of attacks carried out by a financially motivated threat group that was attempting to obtain payment card data from US cities that had been relying on Click2Gov software for utility bill payments.

FireEye said at the time that CVE-2017-3506 was one of the three Oracle WebLogic vulnerabilities that may have been exploited in the initial phase of the attack. 

In May 2023, Trend Micro reported that a threat group named 8220 Gang (aka 8220 Mining Group) had been exploiting this and other vulnerabilities to deploy cryptocurrency miners on Windows and Linux systems.

On May 30, 2024, Trend Micro published an update on the 8220 Gang’s activities, which the company now tracks as Water Sigbin. The cybersecurity firm said the group, which has been described as a China-based threat actor, continues to exploit CVE-2017-3506, as well as a more recent Oracle WebLogic Server flaw tracked as CVE-2023-21839.   

The cybercriminals continue to deploy cryptocurrency miners, but their techniques have evolved, making it more difficult to detect their activities and defend against their attacks, Trend micro said. 

“The Water Sigbin’s activities involving the exploitation of CVE-2017-3506 and CVE-2023-21839 underscore the adaptability of modern threat actors,” the security firm noted.

Advertisement. Scroll to continue reading.

“The use of sophisticated obfuscation techniques such as hexadecimal encoding of URLs, complex encoding within PowerShell and batch scripts, use of environment variables, and layered obfuscation to conceal malicious code within seemingly benign scripts demonstrates that Water Sigbin is a threat actor that can capably hide its tracks, making detection and prevention more challenging for security teams,” it added.

CISA added CVE-2017-3506 to its KEV catalog just days after Trend Micro published its report on Water Sigbin. The agency has instructed government organizations to address the flaw by June 24.

Related: CISA Warns of Exploited Vulnerabilities in EOL D-Link Products

Related: CISA Announces CVE Enrichment Project ‘Vulnrichment’

Related: CISA Warns of Windows Print Spooler Flaw After Microsoft Sees Russian Exploitation

Related: CISA: Second SharePoint Flaw Disclosed at Pwn2Own Exploited in Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.


People on the Move

Gabriel Agboruche has been named Executive Director of OT and Cybersecurity at Jacobs.

Data security startup Reco adds Merritt Baer as CISO

Chris Pashley has been named CISO at Advanced Research Projects Agency for Health (ARPA-H).

More People On The Move

Expert Insights