Several security companies have detected scans looking for Oracle WebLogic servers vulnerable to a flaw that hasn’t yet been patched. The vulnerability is a deserialization bug that can lead to remote code execution. It’s located in a specific package called wls9_async_response that’s not included by default in all Weblogic server builds. Oracle hasn’t publicly confirmed the issue and it’s not clear if the company plans to issue an out-of-band fix for this flaw.”]