Find notable cyber news and cases, enriched with sources, timelines, and signals.

Oracle WebLogic Server CVE-2026-21962 rapid exploitation wave

Exploitation Wave
First reported
Last updated
Happening score
H score 59
1 unique sources, 1 articles

Summary

Hide ▲

Oracle WebLogic Server systems faced a rapid CVE-2026-21962 exploitation wave after public exploit code appeared, creating immediate RCE risk for exposed servers. The activity expanded into automated scanning and repeated probing across multiple IPs, and attackers also continued testing older WebLogic flaws. The pattern shows how quickly newly released exploit code can turn a single flaw into broad internet-wide targeting.

Related Happenings

Palo Alto Networks GlobalProtect log search guidance for CVE-2026-0257

Advisory/Mitigation
H score35 First: 15.06.2026 09:17 Last: 15.06.2026 09:17 Sources 1

About this happening: Palo Alto Networks is urging **GlobalProtect** customers to search logs for **successful gateway-connected events** tied to **CVE-2026-0257**, a step that can expose possible unau...

ShinyHunters Oracle PeopleSoft data theft from 300 instances

Data Leak
H score46 First: 11.06.2026 22:39 Last: 11.06.2026 22:39 Sources 1

About this happening: The **ShinyHunters** data-leak event against **Oracle PeopleSoft** instances exposed data from **300 instances** across **100+ organizations**, expanding the risk of theft-driven...

Magento exploitation wave for CVE-2026-45247

Exploitation Wave
H score9 First: 04.06.2026 10:19 Last: 04.06.2026 10:19 Sources 1

About this happening: Active exploitation of **CVE-2026-45247** is hitting **Mirasvit Cache Warmer** on **Magento** stores, with malicious requests carrying serialized PHP payloads that can lead to **r...

Oracle WebLogic Server unauthenticated remote compromise flaw (CVE-2024-21182)

Vulnerability
H score59 First: 02.06.2026 15:40 Last: 02.06.2026 15:40 Sources 1

About this happening: **CVE-2024-21182** in **Oracle WebLogic Server** is **actively exploited** and can let a **network-access attacker** achieve **unauthenticated remote compromise**. The flaw affect...

OpenDCIM multi-flaw exploitation wave (CVE-2026-28515, CVE-2026-28516, CVE-2026-28517)

Exploitation Wave
H score46 First: 17.05.2026 14:57 Last: 17.05.2026 14:57 Sources 1

About this happening: **openDCIM** is seeing an **active exploitation wave** tied to **CVE-2026-28515**, **CVE-2026-28516**, and **CVE-2026-28517**, with attackers targeting vulnerable installations an...

Timeline

  1. 26.03.2026 18:00 1 articles · 3mo ago

    CVE-2026-21962 exploitation begins on Oracle WebLogic Server

    Exploitation Observed

    Attackers began exploiting CVE-2026-21962 against Oracle WebLogic Server on January 22, 2026, the same day public exploit code was published. The first observed attempt targeted internet-exposed servers and marked the start of rapid weaponization of the unauthenticated Oracle WebLogic RCE flaw.

    Show sources
  2. 26.03.2026 18:00 2 articles · 3mo ago

    CloudSEK publishes honeypot analysis of rapid exploitation

    Initial Disclosure

    CloudSEK published a honeypot analysis on March 26, 2026 covering attack activity between January 22 and February 3, 2026. The study reported widespread automated scanning and exploitation of Oracle WebLogic Server systems, continued abuse of CVE-2020-14882/14883, CVE-2020-2551, and CVE-2017-10271, activity from rented virtual private servers, and dominant use of libredtail-http and the Nmap Scripting Engine. It recommended immediate Oracle security patches, restricted administrative console access, disabled unnecessary protocols and ports, WAF filtering, and log monitoring.

    Show sources