Known Actively Exploited Vulnerabilities Round-up (31.05.24-06.06.24)

This article covers recent vulnerabilities found to be actively exploited. They are categorised based not only on the category of exploitation, but their impact, and versions affected. This article also informs on any official fix and remediation guidance for the listed vulnerabilities.



Category: Malware (Trojan Or Embedded Malicious Code)


Versions Affected:

  • Justice AV Solutions Viewer v8.3.7.250-1


Vulnerability Summary:

Justice AV Solutions Viewer version contains a malicious binary in the setup installer file. The malware was hosted for download on the official website of JAVS in the file JAVS Viewer Setup When extracted, a malicious trojan file named fffmpeg.exe is created within the file path C:\Program Files (x86)\JAVS\Viewer 8\ on the Windows operating system.

This binary contains encoded PowerShell scripts which are then executed. Upon execution, fffmpeg.exe persistently communicates with a command-and-control (C2 or C&C) server using Windows sockets and WinHTTP requests. The malware appears to be based on the so-called ‘RustDoor’, a Windows-specific version of the original ‘GateDoor’ malware for macOS.


Official Fix & Remediation Guidance:

  • Completely re-image affected endpoints. Uninstalling the software is insufficient. Deleting the malicious binary files is insufficient. Attackers may have implanted additional backdoors or malware. Re-imaging to a completely clean OS install provides a clean slate.
  • Reset credentials for any accounts that were logged into affected endpoints. This includes local accounts on the endpoint itself as well as any remote accounts accessed during the period when JAVS Viewer 8.3.7 was installed. Attackers may have stolen credentials from compromised systems.


Users should install the latest version of JAVS Viewer (8.3.8 or higher) ONLY after re-imaging affected systems from bare metal. The download is available at




Category: Command Injection


Versions Affected:

Supported versions that are affected are,,, and


Vulnerability Summary:

An OS command injection vulnerability exists in the Oracle WebLogic Server component of Oracle Fusion Middleware. The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

The application fails to properly sanitise XML content sent to Web Services Atomic Transactions feature (WSAT) endpoints under /wls/wsat, such as /wls-wsat/RegistrationRequesterPortType. Malicious input passed to the XMLDecoder constructor and read functions within the WorkContextXmlInputAdapter class result in the deserialization of an arbitrary Java serialized object.

Possible entry points include at least the below:

  • wls-wsat/RegistrationPortTypeRPC
  • wls-wsat/ParticipantPortType
  • wls-wsat/RegistrationRequesterPortType
  • wls-wsat/CoordinatorPortType11
  • wls-wsat/RegistrationPortTypeRPC11
  • wls-wsat/ParticipantPortType11
  • wls-wsat/RegistrationRequesterPortType11



Official Fix & Remediation Guidance:

Oracle released a Critical Patch Update that fixes this issue. Customers are advised to upgrade to the latest version of the impacted product. Oracle customers can access the patch by logging in at

NOTE: The initial vendor patch for this CVE is incomplete or only partially effective; ensure to also patch against linked vulnerability CVE-2017-10271.

NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.


About AppCheck

AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations websites, applications, network, and cloud infrastructure. AppCheck are authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).

Get started with Appcheck

No software to download or install.

Contact us or call us 0113 887 8380

Start your free trial

Your details
IP Addresses

Get in touch

Please enable JavaScript in your browser to complete this form.