
Oracle WebLogic Servers Face Immediate Exploitation of Critical RCE Vulnerabilities

Take action: If you're running Oracle WebLogic Server, patch immediately. CVE-2026-21962 is being exploited in the wild on the same day exploit code dropped, and attackers are also chaining older flaws like CVE-2020-14882 and CVE-2017-10271 that still work on unpatched systems. Restrict WebLogic admin console access to internal networks or VPN only, disable protocols you don't need (IIOP, T3), and prioritize getting those patches applied today. These attacks are fully automated, require no login, and give attackers complete control of your server.


Researchers at CloudSEK warn of immediate exploitation of a critical remote code execution (RCE) vulnerability in Oracle WebLogic Server. A CloudSEK study using high-interaction honeypots revealed that attackers weaponized CVE-2026-21962 (CVSS score 10.0) on the same day public exploit code appeared on GitHub. The 12-day analysis, from January 22 to February 3, 2026, showed a surge in automated scanning and exploitation attempts targeting both new and legacy flaws across the Oracle ecosystem.

Vulnerabilities targeted in the observed exploitation attempts:

  • CVE-2026-21962 (CVSS score 10.0) — A critical unauthenticated remote code execution vulnerability in the Oracle WebLogic Server Console caused by improper input validation. Attackers use specially crafted HTTP GET requests to the ProxyServlet component to run arbitrary operating system commands. This flaw allows full system takeover without any prior credentials.
  • CVE-2020-14882 (CVSS score 9.8) and CVE-2020-14883 (CVSS score 9.8) — A pair of vulnerabilities in the administrative console that allow authentication bypass and subsequent remote code execution. Attackers exploit these by sending URL-encoded path traversal requests to the console images endpoint to execute code. This remains a highly favored target due to its simplicity and effectiveness against unpatched systems.
  • CVE-2020-2551 (CVSS score 9.8) — A critical deserialization flaw in the IIOP (Internet Inter-ORB Protocol) component of WebLogic Server. The vulnerability allows unauthenticated attackers to send malicious serialized Java objects that trigger a gadget chain to run code. Probing attempts often use path traversal to reach the JNDI console and inject payloads via the MVEL interpreter.
  • CVE-2017-10271 (CVSS score 9.8) — A legacy deserialization vulnerability in the WLS-WSAT (Web Services Atomic Transactions) protocol endpoint. Attackers send malicious XML payloads to the CoordinatorPortType endpoint, which triggers unsafe object deserialization via the XMLDecoder. Despite its age, it is still widely used in mass-scanning campaigns to deploy backdoors or malware.
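
The four flaws above are each reached through a distinctive request path, which makes them straightforward to spot in WebLogic or reverse-proxy access logs. The following detector is an added example, not code from CloudSEK or the article: it parses Common Log Format lines, percent-decodes the path twice so encoded traversal becomes visible, and tags hits with the CVE family from the list above. The ProxyServlet pattern and the sample paths are assumptions, since the article does not give the exact request URL for CVE-2026-21962; the log lines are constructed and use documentation IP ranges.

```python
import re
from urllib.parse import unquote

# Detection rules built from the endpoints the article names. The ProxyServlet
# rule is an assumption: the article gives only the servlet name for
# CVE-2026-21962, not its full path, so only that component is matched.
RULES = [
    ("CVE-2020-14882/14883", re.compile(r"/console/images/.*\.\./", re.I)),
    ("CVE-2017-10271", re.compile(r"/wls-wsat/CoordinatorPortType", re.I)),
    ("CVE-2026-21962", re.compile(r"/ProxyServlet\b", re.I)),
]

# Common Log Format: client ident user [time] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def decode_path(path: str) -> str:
    """Percent-decode twice so double-encoded traversal (%252E%252E%252F) is seen as ../"""
    for _ in range(2):
        path = unquote(path)
    return path

def classify(line: str):
    """Return a hit dict when the line matches a WebLogic rule, otherwise None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = decode_path(m.group("path"))
    for cve, pattern in RULES:
        if pattern.search(path):
            return {"ip": m.group("ip"), "method": m.group("method"),
                    "status": m.group("status"), "cve": cve, "path": path}
    return None

def scan(lines):
    """Run classify() over an iterable of log lines and keep only the hits."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample access-log lines (RFC 5737 addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [28/Jan/2026:10:02:11 +0000] "GET /console/images/%252E%252E%252Fconsole.portal HTTP/1.1" 200 512',
    '203.0.113.10 - - [28/Jan/2026:10:02:12 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 0',
    '198.51.100.7 - - [28/Jan/2026:10:03:01 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 2048',
    '198.51.100.7 - - [28/Jan/2026:10:03:05 +0000] "GET /example-path/ProxyServlet?x=1 HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["method"]} {hit["status"]} {hit["cve"]} {hit["path"]}')
```

A 200 status on a traversal hit against the console is the line worth escalating first; a 500 on the WSAT endpoint usually means the payload was rejected but the host is still being scanned.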

The exploitation activity is largely automated, using tools such as libredtail-http and the Nmap Scripting Engine to identify vulnerable instances. Attackers primarily operate from rented Virtual Private Servers (VPS) at providers such as DigitalOcean, Vultr, and HOSTGLOBAL.PLUS to mask their identity and scale their operations. Beyond WebLogic-specific attacks, the honeypot recorded significant other activity, including generic web reconnaissance, shell command injection, and attempts to exploit flaws in Hikvision devices and PHPUnit.

Organizations running internet-exposed WebLogic instances are at the highest risk, as the exploits require no user interaction or authentication to achieve full system compromise.

Oracle customers must prioritize applying the latest security patches immediately to address these RCE risks. Administrators should restrict administrative console access to internal networks or VPNs and disable unnecessary protocols like IIOP and T3 if they are not required for business operations.