CVE-2019-2729

CRITICAL · EXPLOITED IN THE WILD · RANSOMWARE · NUCLEI

Oracle Communications Diameter Signaling Router - Unauthenticated Remote Code Execution via HTTP

Title source: llm

Exploitation Summary

CVE-2019-2729 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io), including in ransomware campaigns. EIP tracks 6 public exploits from researchers including james, ruthlezs, waffl3ss. A Nuclei detection template is also available.

AI-analyzed exploit summary: This exploit leverages CVE-2019-2729, a deserialization vulnerability in Oracle WebLogic Server, to achieve remote command execution. It generates a malicious payload using msfvenom and sends it via a crafted SOAP request to trigger the vulnerability.

Description

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Exploits (6)

exploitdb WORKING POC
by james · python · webapps · java
https://www.exploit-db.com/exploits/47895

This exploit leverages CVE-2019-2729, a deserialization vulnerability in Oracle WebLogic Server, to achieve remote command execution. It generates a malicious payload using msfvenom and sends it via a crafted SOAP request to trigger the vulnerability.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Oracle WebLogic Server 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
No auth needed
Prerequisites: Network access to the target WebLogic Server · msfvenom for payload generation
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 46 stars
by ruthlezs · remote
https://github.com/ruthlezs/CVE-2019-2729-Exploit

This repository contains a functional exploit for CVE-2019-2729, a deserialization vulnerability in Oracle WebLogic Server. The exploit sends a crafted SOAP request to the vulnerable endpoint to achieve remote code execution (RCE).

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Oracle WebLogic Server
No auth needed
Prerequisites: Network access to the vulnerable WebLogic Server · Vulnerable endpoint exposed
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 7 stars
by waffl3ss · remote-auth
https://github.com/waffl3ss/CVE-2019-2729

This repository contains a functional exploit for CVE-2019-2729, a deserialization vulnerability in Oracle WebLogic Server. The exploit leverages crafted SOAP requests to achieve remote code execution (RCE) by embedding malicious payloads in the 'lfcmd' header.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Oracle WebLogic Server (versions affected by CVE-2019-2729)
No auth needed
Prerequisites: Target host and port · Listener host and port for callback · Metasploit or Cobalt Strike for payload generation
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 3 stars
by Luchoane · remote-auth
https://github.com/Luchoane/CVE-2019-2729_creal

This repository contains a functional Python-based exploit for CVE-2019-2729, a deserialization vulnerability in Oracle WebLogic Server. The PoC supports single-target exploitation, batch scanning from a file, and interactive shell access, demonstrating remote code execution (RCE) capabilities.

Classification: Working PoC (95%)
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Oracle WebLogic Server (versions affected by CVE-2019-2729)
No auth needed
Prerequisites: Network access to the target WebLogic Server · Python 3 environment
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 3 stars
by pizza-power · poc
https://github.com/pizza-power/weblogic-CVE-2019-2729-POC

This repository contains a functional Python exploit for CVE-2019-2729, a WebLogic deserialization vulnerability. The exploit uses ysoserial to generate a malicious payload and crafts a SOAP request to trigger remote code execution.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Oracle WebLogic Server
No auth needed
Prerequisites: Access to ysoserial.jar · Network access to the target WebLogic server
devstral-2 · analyzed Feb 18, 2026

vulncheck_xdb SCANNER
remote
https://github.com/0xn0ne/weblogicScanner

This repository contains a Python-based scanner for detecting multiple WebLogic vulnerabilities, including CVE-2019-2729. It performs checks for known CVEs but does not include functional exploit code for achieving RCE or other offensive actions.

Classification: Scanner (95%)
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: Oracle WebLogic Server
No auth needed
Prerequisites: network access to target WebLogic server
devstral-2 · analyzed Feb 25, 2026

Nuclei Templates (1)

Oracle WebLogic Server Administration Console - Remote Code Execution
CRITICAL · by igibanez

References (7)

Core References
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuapr2020.html
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujul2020.html
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujan2020.html
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujul2021.html

Scores

CVSS v3 9.8
EPSS 0.9436
EPSS Percentile 100.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

VulnCheck KEV 2019-05-01
InTheWild.io 2019-06-15
Ransomware Use Confirmed
CWE CWE-284
Status published
Products (19)
oracle/communications_diameter_signaling_router 8.0
oracle/communications_diameter_signaling_router 8.1
oracle/communications_diameter_signaling_router 8.2
oracle/communications_diameter_signaling_router 8.2.1
oracle/communications_network_integrity 7.3.2 - 7.3.6
oracle/hyperion_infrastructure_technology 11.1.2.4
oracle/hyperion_infrastructure_technology 11.2.5.0
oracle/identity_manager 11.1.2.3.0
oracle/identity_manager 12.2.1.3.0
oracle/peoplesoft_enterprise_peopletools 8.56
... and 9 more
Published Jun 19, 2019
Tracked Since Feb 18, 2026