Active WebLogic RCE exploits
Attackers are actively exploiting critical Oracle WebLogic remote code‑execution vulnerabilities, creating a heightened cyber risk for any firm that stores employee or resident data online. That makes security training and patching critical as HR systems and onboarding portals scale across states. (gbhackers.com)
A CloudSEK honeypot study recorded automated exploitation attempts against the critical WebLogic flaw tracked as CVE-2026-21962 beginning the same day public exploit code appeared, based on a 12‑day dataset collected Jan. 22–Feb. 3, 2026. (cloudsek.com)

CVE-2026-21962 carries a maximum CVSS score of 10.0 and affects the Oracle HTTP Server and the WebLogic Server Proxy Plug‑in for Apache and IIS; the affected versions are listed as 12.2.1.4.0, 14.1.1.0.0 and 14.1.2.0.0. (tenable.com) Public technical writeups and advisories describe the exploit as a combination of a path‑normalization bypass (..;) and unsafe parsing of request headers, notably WL‑Proxy‑Client‑IP, which together allow unauthenticated attackers to bypass access controls and execute arbitrary operating‑system commands on backend servers. (gist.github.com)

Researchers observed attackers shifting rapidly from scanning to exploitation and reusing cloud/VPS infrastructure to obscure their origins, while simultaneous probes targeted legacy WebLogic bugs such as CVE‑2020‑14882/CVE‑2020‑14883 and CVE‑2020‑2551. (cloudsek.com)

Oracle's January 2026 Critical Patch Update includes a fix for the proxy plug‑in RCE; Oracle subsequently issued an out‑of‑band Security Alert on March 20, 2026 for a separate critical Fusion Middleware RCE tracked as CVE‑2026‑21992. (oracle.com)

Security firms advising enterprise defenders list the immediate actions as applying the January 2026 CPU patches, isolating or firewalling exposed proxy/plug‑in components from direct internet access, and enabling focused log monitoring and IDS signatures to detect probe and exploitation patterns. (netspi.com)
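As an added illustration of the log‑monitoring advice above (example code written for this page, not from CloudSEK, NetSPI or Oracle), the following script scans proxy‑tier access logs for the two indicators the writeups describe: the ..; normalization‑bypass token in the request URI and a WL‑Proxy‑Client‑IP header arriving from a source that is not a trusted upstream proxy. It assumes an Apache LogFormat that appends that header to each line, and the sample log lines are constructed, not real traffic.

```python
import re
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple

# Assumed LogFormat on the proxy tier (an assumption for this example):
#   "%h %t \"%r\" %>s \"%{WL-Proxy-Client-IP}i\""
LINE_RE = re.compile(
    r'^(?P<src>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) "(?P<wlip>[^"]*)"$'
)
# Raw and URL-encoded spellings of the "..;" path-normalization bypass token.
BYPASS_RE = re.compile(r'(?:\.\.|%2e%2e)(?:;|%3b)', re.IGNORECASE)

class Finding(NamedTuple):
    src: str
    path: str
    status: int
    reasons: List[str]
    severity: str

def analyze(log_text: str, trusted_proxies: List[str]) -> List[Finding]:
    """Flag requests matching the probe/exploit pattern described in the writeups."""
    trusted = [ip_network(n) for n in trusted_proxies]
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line: skip it rather than abort the whole run
        reasons = []
        if BYPASS_RE.search(m["path"]):
            reasons.append("path-normalization bypass token '..;' in URI")
        wlip = m["wlip"]
        if wlip not in ("", "-") and not any(ip_address(m["src"]) in n for n in trusted):
            reasons.append(f"WL-Proxy-Client-IP={wlip} supplied by untrusted source")
        if not reasons:
            continue
        status = int(m["status"])
        # Both indicators on a request the backend accepted (non-4xx/5xx) is the worst case.
        severity = "high" if len(reasons) == 2 and status < 400 else "medium"
        findings.append(Finding(m["src"], m["path"], status, reasons, severity))
    return findings

# Constructed sample lines (not real traffic); 10.0.0.0/8 plays the trusted proxy range.
SAMPLE_LOG = """\
203.0.113.10 [22/Jan/2026:10:00:01 +0000] "GET /app/index.jsp HTTP/1.1" 200 "-"
203.0.113.11 [22/Jan/2026:10:00:02 +0000] "GET /static/..;/internal/status HTTP/1.1" 403 "-"
10.0.0.5 [22/Jan/2026:10:00:03 +0000] "GET /app/ HTTP/1.1" 200 "198.51.100.7"
203.0.113.13 [22/Jan/2026:10:00:04 +0000] "GET /static/%2e%2e;/internal/ HTTP/1.1" 200 "127.0.0.1"
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG, ["10.0.0.0/8"]):
        print(f.severity.upper(), f.src, f.status, f.path, "|", "; ".join(f.reasons))
```

Feed it the real log and your own proxy allowlist; a "high" hit with a 2xx status is the signal to pull the backend's process and command history for that time window.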