This is bad:

Then today, a new oracle webLogic deserialization RCE 0day vulnerability was found and is being actively used in the wild.We analyzed and reproduced the 0day vulnerability, which is based on and bypasses the patch for CVE-2019–2725 .

Two thoughts:

1. Deserialization in "safe" languages is a never ending source of vulns. You give an attacker the equivalent of eval, they're gonna eval some shit.

2. After fixing a vulnerability, everybody is gonna examine that code under a microscope. Anything first patch missed... bad news.

https://medium.com/@knownsec404team/knownsec-404-team-alert-again-cve-2019-2725-patch-bypassed-32a6a7b7ca15