For more than a week hackers have started scanning the Internet, searching for machines running Oracle WebLogic servers.

Scans started after April 17, when Oracle published its quarterly Critical Patch Update (CPU) security advisory.

The April 2018 CPU contained a patch for CVE-2018-2628, a vulnerability in the WLS core component of WebLogic, a Java EE application server.

This security issue received a severity score of 9.8 out of 10 because it could allow attackers to execute code on remote WebLogic servers without needing to authenticate.

PoC published online last week

The flaw was discovered and reported by Liao Xinxi of NSFOCUS Security Team and an independent security researcher named loopx9.

A day after the Oracle patches, Xinxi published a blog post on a Chinese social network, explaining how the vulnerability works. Leveraging this info, a user named Brianwrf created and released proof-of-concept (PoC) code on GitHub that could exploit this flaw.

The publishing of a fully-weaponized PoC led to an immediate spike in scans for port 7001, the port running the vulnerable WebLogic "T3" service.

GreyNoise has observed a large spike in devices scanning the Internet for TCP port 7001 beginning last week on 4/16/18. This activity corresponds directly with the disclosure (4/18/2018) and weaponization (4/18/18) of Oracle WebLogic CVE-2018-2628. Ref: https://t.co/3qdeQSF59T — GreyNoise Intelligence (@GreyNoiseIO) April 24, 2018

Cyber-security firm GreyNoise, the one who first spotted the port 7001 scan spike, said at the time that "opportunistic exploitation has not yet been confirmed," meaning crooks were only scanning the web to look for vulnerable machines, merely to assess the total pool of exploitable machines.

We have asked the GreyNoise team to keep Bleeping Computer informed of the first signs of hackers moving in to capitalize this flaw for actual intrusions.

But while we have not heard back from GreyNoise during the past week, things got worse over the weekend, but for different reasons.

Oracle CVE-2018-2628 patch is incomplete

According to an Alibaba Cloud engineer, Oracle appears to have botched the CVE-2018-2628 patch, and there's a way to bypass the April 2018 patch and exploit the flaw even on supposedly patched WebLogic systems.

#CVE-2018-2628 Weblogic Server Deserialization Remote Command Execution. Unfortunately the Critical Patch Update of 2018.4 can be bypassed easily. pic.twitter.com/Vji19uv4zj — pyn3rd (@pyn3rd) April 28, 2018

According to infosec sleuth Kevin Beaumont, this is because Oracle didn't fix the WebLogic issue at its core, but just blacklisted the commands used for the exploitation chain. The problem, according to Beaumont, is that Oracle engineers appear to have missed one or more commands.

This is going to keep being an evergreen tweet. It looks like Oracle isn’t even fixing the issues here, they’re just blacklisting commands. In this case they missed the very next command. https://t.co/i0FZfeHtEN — Kevin Beaumont (@GossiTheDog) April 29, 2018

For now, Beaumont is recommending that companies block incoming connections on port 7001 until Oracle issues another —hopefully working— CVE-2018-2628 patch. Admins should heed Beaumont's advice since hackers are expected to ramp up scans and even move to active exploitation after the news of Oracle incomplete patch spreads around.