Oracle WebLogic Server CVE-2026-21962 rapid exploitation wave
Exploitation Wave
Summary
Hide ▲
Show ▼
Oracle WebLogic Server systems faced a rapid CVE-2026-21962 exploitation wave after public exploit code appeared, creating immediate RCE risk for exposed servers. The activity expanded into automated scanning and repeated probing across multiple IPs, and attackers also continued testing older WebLogic flaws. The pattern shows how quickly newly released exploit code can turn a single flaw into broad internet-wide targeting.
Related Happenings
Palo Alto Networks GlobalProtect log search guidance for CVE-2026-0257
Advisory/Mitigation
H score35
First: 15.06.2026 09:17
Last: 15.06.2026 09:17
Sources 1
About this happening:
Palo Alto Networks is urging **GlobalProtect** customers to search logs for **successful gateway-connected events** tied to **CVE-2026-0257**, a step that can expose possible unau...
Palo Alto Networks GlobalProtect log search guidance for CVE-2026-0257
Advisory/MitigationAbout this happening: Palo Alto Networks is urging **GlobalProtect** customers to search logs for **successful gateway-connected events** tied to **CVE-2026-0257**, a step that can expose possible unau...
ShinyHunters Oracle PeopleSoft data theft from 300 instances
Data Leak
H score46
First: 11.06.2026 22:39
Last: 11.06.2026 22:39
Sources 1
About this happening:
The **ShinyHunters** data-leak event against **Oracle PeopleSoft** instances exposed data from **300 instances** across **100+ organizations**, expanding the risk of theft-driven...
ShinyHunters Oracle PeopleSoft data theft from 300 instances
Data LeakAbout this happening: The **ShinyHunters** data-leak event against **Oracle PeopleSoft** instances exposed data from **300 instances** across **100+ organizations**, expanding the risk of theft-driven...
Magento exploitation wave for CVE-2026-45247
Exploitation Wave
H score9
First: 04.06.2026 10:19
Last: 04.06.2026 10:19
Sources 1
About this happening:
Active exploitation of **CVE-2026-45247** is hitting **Mirasvit Cache Warmer** on **Magento** stores, with malicious requests carrying serialized PHP payloads that can lead to **r...
Magento exploitation wave for CVE-2026-45247
Exploitation WaveAbout this happening: Active exploitation of **CVE-2026-45247** is hitting **Mirasvit Cache Warmer** on **Magento** stores, with malicious requests carrying serialized PHP payloads that can lead to **r...
Oracle WebLogic Server unauthenticated remote compromise flaw (CVE-2024-21182)
Vulnerability
H score59
First: 02.06.2026 15:40
Last: 02.06.2026 15:40
Sources 1
About this happening:
**CVE-2024-21182** in **Oracle WebLogic Server** is **actively exploited** and can let a **network-access attacker** achieve **unauthenticated remote compromise**. The flaw affect...
Oracle WebLogic Server unauthenticated remote compromise flaw (CVE-2024-21182)
VulnerabilityAbout this happening: **CVE-2024-21182** in **Oracle WebLogic Server** is **actively exploited** and can let a **network-access attacker** achieve **unauthenticated remote compromise**. The flaw affect...
OpenDCIM multi-flaw exploitation wave (CVE-2026-28515, CVE-2026-28516, CVE-2026-28517)
Exploitation Wave
H score46
First: 17.05.2026 14:57
Last: 17.05.2026 14:57
Sources 1
About this happening:
**openDCIM** is seeing an **active exploitation wave** tied to **CVE-2026-28515**, **CVE-2026-28516**, and **CVE-2026-28517**, with attackers targeting vulnerable installations an...
OpenDCIM multi-flaw exploitation wave (CVE-2026-28515, CVE-2026-28516, CVE-2026-28517)
Exploitation WaveAbout this happening: **openDCIM** is seeing an **active exploitation wave** tied to **CVE-2026-28515**, **CVE-2026-28516**, and **CVE-2026-28517**, with attackers targeting vulnerable installations an...
Timeline
-
26.03.2026 18:00 1 articles · 3mo ago
CVE-2026-21962 exploitation begins on Oracle WebLogic Server
Exploitation ObservedAttackers began exploiting CVE-2026-21962 against Oracle WebLogic Server on January 22, 2026, the same day public exploit code was published. The first observed attempt targeted internet-exposed servers and marked the start of rapid weaponization of the unauthenticated Oracle WebLogic RCE flaw.
Show sources
- Attackers Rapidly Weaponize Critical Oracle WebLogic RCE, Honeypot Study Finds — www.infosecurity-magazine.com — 26.03.2026 18:00
-
26.03.2026 18:00 2 articles · 3mo ago
CloudSEK publishes honeypot analysis of rapid exploitation
Initial DisclosureCloudSEK published a honeypot analysis on March 26, 2026 covering attack activity between January 22 and February 3, 2026. The study reported widespread automated scanning and exploitation of Oracle WebLogic Server systems, continued abuse of CVE-2020-14882/14883, CVE-2020-2551, and CVE-2017-10271, activity from rented virtual private servers, and dominant use of libredtail-http and the Nmap Scripting Engine. It recommended immediate Oracle security patches, restricted administrative console access, disabled unnecessary protocols and ports, WAF filtering, and log monitoring.
Show sources
- Attackers Rapidly Weaponize Critical Oracle WebLogic RCE, Honeypot Study Finds — www.infosecurity-magazine.com — 26.03.2026 18:00
- Attackers Rapidly Weaponize Critical Oracle WebLogic RCE, Honeypot Study Finds — www.infosecurity-magazine.com — 26.03.2026 18:00