The company said in a blog post it had observed a marked rise in the number of devices scanning this port.
It said analysis had shown that this was aimed at the Oracle WebLogic WLS-WSAT vulnerability that allows the execution of arbitrary code on unpatched servers.
The vulnerability was exploited in a manner similar to the way one in Apache's CouchDB was exploited in February, and thus it was possible that the same group was targeting WebLogic now.
Oracle issued a patch for the flaw in October 2017.
Researcher Hubert Lin said only 155 scans had been noticed between 8 and 26 April, but the number had grown to 2640 between 27 April and 9 May, mostly from IP addresses that were based in China and Russia.