
On August 14, 2025, Lotte Card's online payment server in South Korea was compromised, leading to large-scale data exfiltration attempts. The attack persisted for two days, with signs that at least 1.7GB of internal data was about to be extracted. The critical issue was delayed detection. Malicious code and a web shell were only discovered on August 26 during server inspections, and the incident was not reported to financial authorities until September 1. This delay highlights the serious shortcomings of detection and incident response in existing security systems.
The primary vector was the CVE-2017-10271 Remote Code Execution (RCE) vulnerability in Oracle WebLogic Server, a flaw that has been patched for years but is still actively exploited in critical financial infrastructure.
CVE-2017-10271: The Lingering Threat of an Old Vulnerability
The flaw arises in WebLogic's WorkContextXmlInputAdapter class, which passes externally supplied XML to XMLDecoder without proper validation, so a crafted request is deserialized into arbitrary Java objects.
- Affected Versions: Oracle WebLogic Server 10.3.6.0, 12.1.3.0, and others
- Attack Complexity: Low (public PoCs and exploit guides widely available)
- Impact: Remote command execution, data exfiltration, lateral network movement
The availability of ready-to-use exploit code on GitHub and in security forums means attackers can automate exploitation with minimal effort.
Exploit Pathways and Attack Methods

According to an analysis published on the CSDN blog, attackers can identify vulnerable URL endpoints such as /wls-wsat/CoordinatorPortType and inject malicious payloads into SOAP/XML requests to execute remote commands. They then establish a reverse shell connection to a Kali listener and upload a JSP web shell to /bea_wls_internal/shell.jsp, enabling full remote control of the server. While the process is relatively straightforward, a successful attack would allow adversaries to completely compromise the server.

In real-world environments, the /wls-wsat/CoordinatorPortType endpoint may expose service details (WSDL and implementation class), as shown in the screenshot below, which attackers can use directly as an entry point.
[Figure: /wls-wsat/CoordinatorPortType endpoint, a potential entry point for attackers.]
Detecting Vulnerable Assets with Criminal IP Asset Search
By using the cve_id filter in Criminal IP Asset Search, servers vulnerable to CVE-2017-10271 can be identified. The search results allow verification of the vulnerability through actual responses, and in the case of vulnerable servers, a SOAP-based error message is returned. This is also information that attackers can easily leverage for scanning.
Criminal IP Search Query: cve_id: CVE-2017-10271

As of September 9, 2025, a total of 178,738 vulnerable servers were identified, with most IP addresses critically exposed to inbound attacks. This highlights that countless internet-facing servers remain unpatched, allowing attackers to easily discover potential targets through simple scanning. In other words, even outdated vulnerabilities, if left unaddressed, continue to expand the attack surface and pose serious risks to organizational security.
Key Takeaways and Mitigation Strategies
The Lotte Card case demonstrates that "old vulnerabilities remain dangerous when left unpatched."
Security teams should prioritize the following measures:
- Apply the latest security patches: Immediately apply Oracle's security updates.
- Disable unnecessary services: Block unused endpoints such as /wls-wsat.
- Strengthen firewall rules: Restrict access to WebLogic admin ports.
- Automate vulnerability management: Use attack surface management tools like Criminal IP ASM.
- Deploy real-time monitoring: Adopt EDR/XDR to detect web shells and abnormal behavior.
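As an added example that is not part of the original report, the following Python script shows what the "real-time monitoring" item above can look like in practice for the two paths named in the exploit-pathway section: it parses web-server access-log lines and flags POSTs to the /wls-wsat/ endpoint and requests for a JSP under /bea_wls_internal/. The log lines, IP addresses and rule names are constructed for this example.

```python
import re
# Constructed sample lines in Combined Log Format; addresses, timestamps and
# user agents are made up for this example, not data from the incident.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Aug/2025:02:11:05 +0900] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 1423 "-" "python-requests/2.31"
203.0.113.7 - - [14/Aug/2025:02:11:09 +0900] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 1423 "-" "python-requests/2.31"
203.0.113.7 - - [14/Aug/2025:02:11:40 +0900] "GET /bea_wls_internal/shell.jsp HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.20 - - [14/Aug/2025:02:12:01 +0900] "GET /wls-wsat/CoordinatorPortType?wsdl HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
def _wls_wsat_post(method, path):
    # WS-AtomicTransaction is rarely needed; a POST to it is unexpected.
    return method == "POST" and path.startswith("/wls-wsat/")

def _internal_jsp(method, path):
    # The JSP drop location named in the write-up; query strings are ignored.
    clean = path.split("?", 1)[0].lower()
    return clean.startswith("/bea_wls_internal/") and clean.endswith(".jsp")

# (rule name, severity, predicate over (method, path))
RULES = [("wls-wsat-post", "medium", _wls_wsat_post),
         ("bea_wls_internal-jsp", "high", _internal_jsp)]

def parse_line(line):
    """Return the fields of one access-log line, or {} if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else {}

def detect(log_text):
    """Scan access-log text; return one finding dict per rule match."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        for name, severity, pred in RULES:
            if rec and pred(rec["method"], rec["path"]):
                findings.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                                 "status": rec["status"], "rule": name, "severity": severity})
    return findings

def sources_by_severity(findings):
    """Map each client IP to the highest severity it triggered."""
    rank = {"medium": 1, "high": 2}
    best = {}
    for f in findings:
        if rank[f["severity"]] > rank.get(best.get(f["ip"]), 0):
            best[f["ip"]] = f["severity"]
    return best
```

Repeated 500 responses from the same source to /wls-wsat/ followed by a successful hit on a new JSP is the sequence a SOC would want to page on; on a server that is patched or has the endpoint blocked, the first rule alone still surfaces scanning activity.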
FAQ - Frequently Asked Questions
Q1. When was CVE-2017-10271 discovered, and why is it still dangerous?
This vulnerability was disclosed in 2017, and Oracle immediately released a patch. However, in environments running legacy systems, such as financial institutions, patches are often delayed due to upgrade risks or compatibility issues. This demonstrates that even "old" CVEs remain exploitable if left unpatched.
Q2. How did attackers infiltrate the Lotte Card system?
The attackers exploited CVE-2017-10271 in Oracle WebLogic, injecting malicious payloads into SOAP/XML interfaces such as /wls-wsat/CoordinatorPortType. Because the server processed these requests without validation, remote commands were executed, a web shell was uploaded, and attempts at internal data exfiltration followed.
Conclusion
The Lotte Card breach was not just an isolated event; it was the result of delayed patching, detection gaps, and weak security governance. CVE-2017-10271 remains widely known, with public PoCs readily available, making it trivial for attackers to exploit even critical financial systems. Organizations must adopt a threat intelligence-driven attack surface management approach as a core component of their security strategy. Continuous detection and monitoring of vulnerable assets using Criminal IP Asset Search provide one of the most practical defenses against incidents like this.
In relation to this, you can refer to Oracle WebLogic Server Vulnerability CVE-2020-2883: A 5-Year Threat to Server Control.
This report is based on data from Criminal IP, a Cyber Threat Intelligence search engine. Sign up for a free Criminal IP account today to explore the search results mentioned in the report and delve into comprehensive threat intelligence.
Sources: Criminal IP (https://www.criminalip.io/), DailySecu (https://www.dailysecu.com/news/articleView.html?idxno=169283), Boan News (https://www.boannews.com/media/view.asp?idx=139047&kind=&sub_kind=), CSDN Blog (https://blog.csdn.net/weixin_65722679/article/details/131388033), Alert Logic (https://www.alertlogic.com/blog/beware-the-weblogic-wls-wsat-component-deserialization-rce-exploit-d94/)
Related Article: https://www.criminalip.io/knowledge-hub/blog/24560
