Find notable cyber news and cases, enriched with sources, timelines, and signals.

Oracle WebLogic actively exploited unauthenticated RCE flaw (CVE-2026-21962)

Vulnerability
First reported
Last updated
Happening score
H score 59
1 unique sources, 1 articles

Summary

Hide ▲

Oracle WebLogic's CVE-2026-21962 was being actively exploited almost immediately after public exploit code appeared, creating a CVSS 10.0 unauthenticated RCE risk for internet-facing servers. The first exploitation attempt was seen on January 22, 2026, the same day the exploit was released, and additional probing followed against exposed systems. Defenders were urged to patch immediately and harden administrative access and filtering.

Related Happenings

Oracle WebLogic Server unauthenticated remote compromise flaw (CVE-2024-21182)

Vulnerability
H score59 First: 02.06.2026 15:40 Last: 02.06.2026 15:40 Sources 1

About this happening: **CVE-2024-21182** in **Oracle WebLogic Server** is **actively exploited** and can let a **network-access attacker** achieve **unauthenticated remote compromise**. The flaw affect...

CPanel & WHM authentication-bypass exploitation wave (CVE-2026-41940)

Exploitation Wave
H score89 First: 04.05.2026 11:25 Last: 04.05.2026 11:25 Sources 1

About this happening: Active exploitation of **CVE-2026-41940** is driving a **large cPanel & WHM compromise wave**, putting exposed servers at risk of administrative takeover. **More than 40,000 serve...

Marimo CVE-2026-39987 exploitation wave

Exploitation Wave
H score51 First: 12.04.2026 17:20 Last: 12.04.2026 17:20 Sources 1

About this happening: **Marimo** exploitation activity surged **within 12 hours of disclosure**, with **125 IP addresses** beginning reconnaissance against **CVE-2026-39987** and the **/terminal/ws** e...

Oracle WebLogic Server CVE-2026-21962 rapid exploitation wave

Exploitation Wave
H score59 First: 26.03.2026 18:00 Last: 26.03.2026 18:00 Sources 1

How related: Logs showed the first exploitation attempt occurred on January 22, the same day the exploit code was published. Additional scanning activity appeared days later as more attackers began probing internet-exposed servers.

About this happening: **Oracle WebLogic Server** systems faced a rapid **CVE-2026-21962** exploitation wave after public exploit code appeared, creating immediate **RCE risk** for exposed servers. The...

Langflow CVE-2026-33017 exploitation wave

Exploitation Wave
H score50 First: 20.03.2026 12:20 Last: 20.03.2026 12:20 Sources 1

About this happening: **CVE-2026-33017** in **Langflow** is being exploited in a **wider exploitation wave** that now includes **Monero miner** delivery against **exposed AI application endpoints**. Th...

Timeline

  1. 26.03.2026 18:00 2 articles · 3mo ago

    Oracle WebLogic CVE-2026-21962 exploitation begins

    Exploitation Observed

    Attackers began exploiting Oracle WebLogic CVE-2026-21962 on January 22, 2026, the same day public exploit code was published. Honeypot logs captured the first exploitation attempt against exposed Oracle WebLogic Server instances, alongside automated scanning activity.

    Show sources
  2. 25.03.2026 02:00 1 articles · 3mo ago

    Oracle WebLogic CVE-2026-21962 analysis and mitigation guidance

    Technical Analysis Update

    A honeypot analysis of Oracle WebLogic Server activity was published on March 25, 2026, documenting widespread automated scanning and exploitation attempts against CVE-2026-21962 and continued abuse of CVE-2020-14882/14883, CVE-2020-2551, and CVE-2017-10271. The publication urged immediate patching, strict administrative console access controls, disabling unnecessary protocols and ports, WAF filtering, and log monitoring.

    Show sources