Observed immediate exploitation of Oracle WebLogic CVE-2026-21962 via automated campaigns
Summary
A critical Oracle WebLogic remote code execution (RCE) vulnerability, tracked as CVE-2026-21962 with a CVSS score of 10.0, was weaponized within hours of public exploit code release in January 2026. Automated scanning and exploitation campaigns leveraging the flaw were detected targeting internet-exposed WebLogic servers globally, with the first exploitation attempt recorded on January 22, 2026, the same day exploit code was published. Threat actors predominantly used rented virtual private servers from mainstream cloud providers to conduct attacks. The observed activity underscores the immediate operational risk posed by newly disclosed high-severity WebLogic vulnerabilities and highlights attackers' continued reliance on long-standing, known-vulnerable endpoints for mass exploitation.
Timeline
- 26.03.2026 18:00 · 1 article
  CVE-2026-21962 exploitation campaigns launched immediately after public exploit release
  Automated exploitation campaigns targeting CVE-2026-21962 were detected within hours of public exploit release on January 22, 2026. Attackers leveraged cloud-hosted infrastructure and automated tools to scan and compromise internet-exposed Oracle WebLogic servers globally.
  - Attackers Rapidly Weaponize Critical Oracle WebLogic RCE, Honeypot Study Finds — www.infosecurity-magazine.com — 26.03.2026 18:00
Information Snippets
- CVE-2026-21962 is a remote code execution (RCE) vulnerability in Oracle WebLogic Server with a CVSS base score of 10.0.
  First reported: 26.03.2026 18:00 (1 source, 1 article)
  - Attackers Rapidly Weaponize Critical Oracle WebLogic RCE, Honeypot Study Finds — www.infosecurity-magazine.com — 26.03.2026 18:00
- Exploitation of CVE-2026-21962 began on January 22, 2026, the same day public exploit code was released.
  First reported: 26.03.2026 18:00 (1 source, 1 article)
  - Attackers Rapidly Weaponize Critical Oracle WebLogic RCE, Honeypot Study Finds — www.infosecurity-magazine.com — 26.03.2026 18:00
- Attack infrastructure predominantly utilized rented virtual private servers hosted by common cloud providers.
  First reported: 26.03.2026 18:00 (1 source, 1 article)
  - Attackers Rapidly Weaponize Critical Oracle WebLogic RCE, Honeypot Study Finds — www.infosecurity-magazine.com — 26.03.2026 18:00
- Automated scanning tools such as libredtail-http and Nmap Scripting Engine were used in observed campaigns.
  First reported: 26.03.2026 18:00 (1 source, 1 article)
  - Attackers Rapidly Weaponize Critical Oracle WebLogic RCE, Honeypot Study Finds — www.infosecurity-magazine.com — 26.03.2026 18:00
- Campaigns also targeted older WebLogic vulnerabilities including CVE-2020-14882/14883, CVE-2020-2551, and CVE-2017-10271.
  First reported: 26.03.2026 18:00 (1 source, 1 article)
  - Attackers Rapidly Weaponize Critical Oracle WebLogic RCE, Honeypot Study Finds — www.infosecurity-magazine.com — 26.03.2026 18:00
- During a 12-day monitoring period (January 22–February 3, 2026), honeypot logs recorded 967 generic web reconnaissance requests from 78 unique IP addresses.
  First reported: 26.03.2026 18:00 (1 source, 1 article)
  - Attackers Rapidly Weaponize Critical Oracle WebLogic RCE, Honeypot Study Finds — www.infosecurity-magazine.com — 26.03.2026 18:00