Attackers Weaponize Critical Oracle WebLogic RCE CVE-2026-21962 Within Hours of Exploit Release
A CloudSEK honeypot study reveals that attackers began exploiting CVE-2026-21962, a critical Oracle WebLogic RCE vulnerability with a CVSS score of 10.0, on the same day public exploit code was released.
Attackers wasted no time weaponizing CVE-2026-21962, a critical remote code execution vulnerability in Oracle WebLogic Server with a CVSS score of 10.0, according to a new honeypot-based analysis by CloudSEK. The research, covering attack activity from January 22 to February 3, 2026, found that the first exploitation attempt occurred on the same day the exploit code was published, underscoring the speed at which threat actors operational threat actors adopt newly disclosed vulnerabilities.
The CloudSEK study, published on March 25, 2026, used a high-interaction honeypot designed to replicate a real Oracle WebLogic Server environment. Researchers recorded widespread automated scanning and exploitation attempts targeting CVE-2026-21962, which allows unauthenticated remote code execution. The vulnerability affects multiple versions of Oracle WebLogic Server and was patched by Oracle in its January 2026 Critical Patch Update.
Beyond the new flaw, the honeypot also captured ongoing exploitation attempts targeting older but still widely abused WebLogic vulnerabilities, including CVE-2020-14882/14883 (console RCE), CVE-2020-2551 (IIOP deserialization RCE), and CVE-2017-10271 (WLS-WSAT deserialization RCE). This pattern shows that attackers continue to rely on a small number of well-known vulnerabilities that remain effective against unpatched systems.
CloudSEK confirmed that most of the observed attacks originated from rented virtual private servers hosted by common cloud providers. Activity was dominated by automated scanning tools, including libredtail-http and the Nmap Scripting Engine. The honeypot also captured numerous non-WebLogic attacks, including command injection, path traversal attempts, and reconnaissance, and generic web probing—967 requests from 78 unique IP addresses over the 12-day period.
The report concluded that organizations running Oracle WebLogic servers should prioritize patching and defensive controls immediately. Key recommendations include applying the latest Oracle security patches, restricting administrative console access from the internet, disabling unnecessary protocols and ports, deploying web application firewall filtering, and monitoring logs for suspicious activity.
"The data underscores the critical and immediate need for organizations to prioritize the patching of CVE-2026-21962 and implement robust layered defenses," CloudSEK warned, "including strict access control for the administrative console and WAF filtering, to mitigate the severe RCE risk posed by these unauthenticated exploits."
This rapid weaponization of a critical vulnerability highlights the ongoing challenge of defending internet-exposed enterprise infrastructure. With Oracle WebLogic Server widely deployed in large organizations, the window for patching before active exploitation begins continues to shrink, making proactive vulnerability management and layered security controls more essential than ever.