Find notable cyber news and cases, enriched with sources, timelines, and signals.
Home Browse News Feed Stats Watchlists Beta About Contact

Oracle WebLogic actively exploited unauthenticated RCE flaw (CVE-2026-21962)

Vulnerability
First reported
Last updated
Happening score
H score 54
1 unique sources, 1 articles

Summary

Hide ▲

Oracle WebLogic's CVE-2026-21962 was being actively exploited almost immediately after public exploit code appeared, creating a CVSS 10.0 unauthenticated RCE risk for internet-facing servers. The first exploitation attempt was seen on January 22, 2026, the same day the exploit was released, and additional probing followed against exposed systems. Defenders were urged to patch immediately and harden administrative access and filtering.

Related Happenings

CPanel & WHM authentication-bypass exploitation wave (CVE-2026-41940)

Exploitation Wave
First: 04.05.2026 11:25 Last: 04.05.2026 11:25 Sources 1

About this happening: Active exploitation of **CVE-2026-41940** is driving a **large cPanel & WHM compromise wave**, putting exposed servers at risk of administrative takeover. **More than 40,000 serve...

Open Happening

Marimo CVE-2026-39987 exploitation wave

Exploitation Wave
First: 12.04.2026 17:20 Last: 12.04.2026 17:20 Sources 1

About this happening: **Marimo** exploitation activity surged **within 12 hours of disclosure**, with **125 IP addresses** beginning reconnaissance against **CVE-2026-39987** and the **/terminal/ws** e...

Open Happening

Oracle WebLogic Server CVE-2026-21962 rapid exploitation wave

Exploitation Wave
First: 26.03.2026 18:00 Last: 26.03.2026 18:00 Sources 1

How related: Logs showed the first exploitation attempt occurred on January 22, the same day the exploit code was published. Additional scanning activity appeared days later as more attackers began probing internet-exposed servers.

About this happening: **Oracle WebLogic Server** systems faced a rapid **CVE-2026-21962** exploitation wave after public exploit code appeared, creating immediate **RCE risk** for exposed servers. The...

Open Happening

Langflow CVE-2026-33017 exploitation wave

Exploitation Wave
First: 20.03.2026 12:20 Last: 20.03.2026 12:20 Sources 1

About this happening: **CVE-2026-33017** in **Langflow** is being exploited in a fast-moving **early wave** that surfaced within **20 hours** of the advisory, putting exposed instances at immediate ris...

Open Happening

CISA KEV mitigation for BeyondTrust CVE-2026-1731

Advisory/Mitigation
First: 20.02.2026 19:02 Last: 20.02.2026 19:02 Sources 1

About this happening: CISA ordered urgent **KEV** mitigation for **CVE-2026-1731** in **BeyondTrust Remote Support** and **Privileged Remote Access**, forcing affected federal deployments to **apply th...

Open Happening

Timeline

  1. 26.03.2026 18:00 2 articles · 2mo ago

    Oracle WebLogic CVE-2026-21962 exploitation begins

    Exploitation Observed

    Attackers began exploiting Oracle WebLogic CVE-2026-21962 on January 22, 2026, the same day public exploit code was published. Honeypot logs captured the first exploitation attempt against exposed Oracle WebLogic Server instances, alongside automated scanning activity.

    Show sources
    Open in new tab
  2. 25.03.2026 02:00 1 articles · 2mo ago

    Oracle WebLogic CVE-2026-21962 analysis and mitigation guidance

    Technical Analysis Update

    A honeypot analysis of Oracle WebLogic Server activity was published on March 25, 2026, documenting widespread automated scanning and exploitation attempts against CVE-2026-21962 and continued abuse of CVE-2020-14882/14883, CVE-2020-2551, and CVE-2017-10271. The publication urged immediate patching, strict administrative console access controls, disabling unnecessary protocols and ports, WAF filtering, and log monitoring.

    Show sources
    Open in new tab