Oracle WebLogic Server Java Deserialization Remote Code Execution Vulnerability (CVE-2018-2628) Bypass

Oracle patched a critical Java RMI deserialization vulnerability in WebLogic Server earlier this month (CPU April 2018). It was assigned CVE-2018-2628. However, as @pyn3rd tweeted this morning, it turns out that it was an incomplete, blacklist-based fix that could be bypassed easily: "#CVE-2018-2628 Weblogic Server Deserialization Remote Command Execution. Unfortunately the Critical Patch Update of 2018.4 […]"