Zero Day Initiative — Details on the Oracle WebLogic Vulnerability Being Exploited in the Wild

Earlier this year, I blogged about a deserialization vulnerability in the Oracle WebLogic Server. This was patched by Oracle and assigned CVE-2020-2555. However, researcher Quynh Le of VNPT ISC submitted a bug to the ZDI that showed how the patch could be bypassed. This bug, labeled CVE-2020-2883