Executive Summary

This report analyzes attack data collected from a high-interaction honeypot simulating a vulnerable Oracle WebLogic Server (v14.1.1.0.0) over a 12-day period (Jan 22 - Feb 3, 2026). The primary focus is the immediate and widespread exploitation of the newly disclosed, critical unauthenticated Remote Code Execution (RCE) vulnerability, CVE-2026-21962 (CVSS: 10.0). Attack attempts targeting this zero-day-like flaw were observed immediately following the public release of its exploit code, demonstrating the rapid weaponization of critical Oracle WebLogic vulnerabilities.

In addition to CVE-2026-21962, the honeypot captured attacks targeting other persistent, critical WebLogic RCE flaws, including CVE-2020-14882/14883 (Console RCE), CVE-2020-2551 (IIOP RCE), and CVE-2017-10271 (WLS-WSAT RCE). This confirms that threat actors continue to rely on a small set of highly-effective, simple-to-exploit vulnerabilities to compromise WebLogic environments.

Attackers predominantly utilized rented Virtual Private Servers (VPS) from common hosting providers like DigitalOcean and HOSTGLOBAL.PLUS. The overall activity was characterized by high-volume, automated scanning, with tools like libredtail-http and the Nmap Scripting Engine dominating the malicious traffic. Furthermore, the logs revealed significant background noise, including attempts to exploit non-WebLogic-specific vulnerabilities (e.g., Hikvision CVE, PHPUnit RCE, and generic command injections), indicating a broad "spray and pray" approach by threat actors. 

The data underscores the critical and immediate need for organizations to prioritize the patching of CVE-2026-21962 and implement robust layered defenses, including strict access control for the administrative console and WAF filtering, to mitigate the severe RCE risk posed by these unauthenticated exploits.

The Honeypot Setup

The data collection was performed using a high-interaction honeypot, meticulously designed to replicate a production Oracle WebLogic environment. The core of the setup featured a genuine, unpatched Oracle WebLogic Server (v14.1.1.0.0), intentionally.

All traffic is first routed through a reverse Nginx proxy, which acts as the primary data collection point. This proxy is configured to log every single request, including full headers, the request body, and other metadata. These logs are then shipped via Promtail to a centralized Loki instance for aggregation and storage.

This multi-layered approach ensures that all interactions are captured, from initial probes to full-blown exploit attempts, providing a rich dataset for analysis. The entire system is observable in real-time through Grafana dashboards, which visualize the logged data, and Prometheus, which provides alerting on suspicious activities.

Oracle CVEs Being Exploited in the Wild

Note: The analysis is based on data collected over a short 12-day period, specifically from January 22, 2026, to February 3, 2026.

CVE-2026-21962

Description

CVE-2026-21962 is a critical vulnerability affecting the Oracle WebLogic Server Console, allowing for unauthenticated Remote Code Execution (RCE). The vulnerability, which carries a maximum CVSS score of 10.0, is believed to stem from an improper input validation flaw within the console's web components, allowing a specially crafted HTTP request to execute arbitrary operating system commands on the vulnerable server. This flaw poses an immediate and severe risk, as successful exploitation requires no prior authentication and grants an attacker full control over the compromised WebLogic instance and its host system.

Attack Vectors

HTTP GET requests to 

• /_proxy//weblogic/..;/bea_wls_internal/ProxyServlet
• /wl_proxy//weblogic/..;/bea_wls_internal/ProxyServlet

Top Attackers

The public exploit for this CVE was released on 22 Jan on Github. Since then we saw the first exploitation attempt by ‘67.213.118.179’ on the 22nd Jan itself while the other attackers started scanning the internet on 27th Jan. This IP has been reported in multiple reports on AbuseIpdb. The attackers appear to have utilized rented Virtual Private Servers (VPS) for all the IP addresses observed.

This swift adoption by attackers highlights its attractiveness and the immediate need for patching. Organizations running unpatched Oracle WebLogic Server versions are critically exposed to this zero-day-like threat, which enables everything from data theft to the deployment of persistent backdoors and malware, all executed through a simple, unauthenticated web request.

CVE-2020-14882/14883

Description

This pair of critical vulnerabilities allows an unauthenticated attacker to achieve Remote Code Execution (RCE) on Oracle WebLogic Server instances through the administrative console. Specifically, CVE-2020-14882 allows bypassing authentication to access the console, and CVE-2020-14883 allows RCE once authentication is bypassed, typically via a path traversal vulnerability that abuses how the console handles certain URL-encoded paths. Exploitation is simple, requiring only a specially crafted HTTP POST request to the /console/images/%252e%252e%252fconsole.portal endpoint, making it a highly attractive target for threat actors seeking to compromise WebLogic servers globally

Attack Vectors

• HTTP POST request to the /console/images/%252e%252e%252fconsole.portal

Top Attackers

CVE-2020-2551

Description

This vulnerability, CVE-2020-2551, is a critical deserialization flaw affecting the Oracle WebLogic Server's IIOP (Internet Inter-ORB Protocol) component, allowing an unauthenticated, remote attacker to execute arbitrary code on the server. The flaw is rooted in the way the T3 and IIOP protocols handle serialized Java objects, enabling an attacker to send a specially crafted object that, upon deserialization, triggers a gadget chain leading to Remote Code Execution (RCE). Due to the nature of the IIOP protocol listener often being exposed, and the ability to exploit this without authentication, this vulnerability presents a severe risk, typically earning a CVSS score of 9.8 (Critical), and is a persistent and highly favored exploit path for threat actors targeting WebLogic environments.

Attack Vectors

GET request targeting the /console/css/../consolejndi.portal path, utilizing URL-encoded path traversal (%252e%252e%252f) and the test_handle query parameter to inject a malicious payload. The payload uses Coherence MVEL to achieve remote code execution, attempting to read a command from a cmd HTTP header and execute it via java.lang.ProcessBuilder for both Windows (cmd.exe /c) and Linux (/bin/sh -c) systems.

Top Attackers

We saw 67.211.213.61, (only one unique IP address) all attack attempts against this CVE.  The attacker sent specially crafted requests to the path /console/css/%2e%2e%2fconsolejndi.portal, which uses a path traversal trick to reach the WebLogic JNDI console endpoint. The request contains a payload that invokes com.tangosol.coherence.mvel2.sh.ShellSession, allowing execution of embedded Java code through the MVEL interpreter. This injected code attempts to read a cmd HTTP header from the request, execute it on the underlying operating system using /bin/sh -c on Linux or cmd.exe /c on Windows via ProcessBuilder, and return the command output in the HTTP response. 

In other words, the attacker was trying to create a remote command execution channel that would allow them to run arbitrary commands on the server by sending commands through HTTP headers. The same payload was sent four times from the IP 67.211.213.61, likely as part of an automated vulnerability scan checking both HTTP and HTTPS endpoints. Because the requests did not include a cmd header and the responses appear to be normal WebLogic console pages, the activity most likely represents a probing attempt to determine if the server was vulnerable rather than a successful exploitation.

CVE-2017-10271

Description 

This critical vulnerability is a deserialization flaw affecting the Oracle WebLogic Server's WLS Security component, specifically the WLS-WSAT (Web Services Atomic Transactions) protocol endpoint. The flaw allows an unauthenticated, remote attacker to execute arbitrary code on the server by sending a specially crafted XML request containing a malicious serialized Java object, typically through the /wls-wsat/CoordinatorPortType or similar endpoints. This bypasses Java deserialization filtering, leading to Remote Code Execution (RCE) with a CVSS score of 9.8 (Critical). Due to its age, simplicity, and unauthenticated nature, it remains a favorite target for mass scanning and exploitation by threat actors globally.

Attack Vectors

HTTP Post Request to:

• /wls-wsat/CoordinatorPortType

Top Attackers

We observed an exploitation attempt targeting CVE-2017-10271 from a single IP 162.211.230.179. The attacker sent POST requests to the endpoint /wls-wsat/CoordinatorPortType, which is part of the WebLogic WLS-WSAT (Web Services Atomic Transaction) component that processes SOAP/XML requests. This vulnerability allows attackers to send a specially crafted XML payload that triggers unsafe Java object deserialization, leading to remote code execution on the server without authentication. In typical exploitation, the malicious XML contains serialized Java objects that execute commands on the system when parsed by WebLogic’s XMLDecoder, allowing attackers to run shell commands, download malware, or deploy backdoors. The requests in the logs had the Content-Type: text/xml header and relatively large payload sizes (around 1 KB), which is consistent with known exploit payloads for this vulnerability.

Non Oracle Related Attacks

Despite setting up an Oracle honeypot, our logs also recorded numerous other types of attacks, indicating that adversaries are broadly scanning the internet for various vulnerabilities.

This data highlights that Generic Web Recon attempts were the most frequent activity, showing 967 requests from 78 unique IPs, though categorized as low-severity informational probes. Conversely, higher severity attacks like Shell Command Injection (20 attempts from 4 unique IPs) and Command Injection (19 attempts from 13 unique IPs) were also observed, indicating attackers were actively seeking to execute code on the server using non-WebLogic-specific exploit methods. Path Traversal attacks were also notably high in volume, with 87 attempts coming from 26 unique IPs, suggesting widespread automated scanning for various application-level vulnerabilities.

Attack Tools & User Agents

In our logs, we also observed user agents and tools, distinguishing between malicious and benign activities. High-volume, low-unique-IP tools like libredtail-http (1,012 requests from 21 IPs) indicate persistent, large-scale malicious scanning operations, likely from a botnet. Similarly, the Nmap Scripting Engine (664 requests from 5 IPs) confirms targeted, in-depth reconnaissance by specific actors. Generic agents like Go-http-client and python-requests suggest widespread, lower-sophistication probing. Crucially, tools with a near 1:1 request-to-IP ratio, such as zgrab/0.x (166 requests from 141 IPs), CensysInspect (120 requests from 57 IPs), and Palo Alto Networks Scanner (70 requests from 69 IPs), are strong indicators of benign, large-scale research and security intelligence gathering, which are common and non-malicious presences on internet-exposed systems.

Most Targeted Endpoints

The log data on targeted endpoints reveals a clear hierarchy in attacker activity, with the root path (/) being overwhelmingly the most requested, logging 2,138 requests from 653 unique IPs, confirming widespread, generic reconnaissance as the highest volume activity. Beyond this initial probing, attackers display a pronounced interest in configuration and source code disclosure, evidenced by the high number of requests for /.env (95 requests/41 IPs) and /.git/config (71 requests/40 IPs). While non-WebLogic specific, the dataset also shows significant volume for known, high-impact vulnerabilities like the Hikvision CVE path (/SDK/webLanguage, 97 requests/4 IPs) and the PHPUnit RCE exploit (/phpunit/.../eval-stdin.php, 36+ requests/25 IPs), underscoring that the honeypot, despite its WebLogic focus, attracts automated scans targeting a broad spectrum of common, high-severity flaws, demonstrating a "spray and pray" approach by many threat actors.

Attacker Infrastructure: Top Organizations/ISPs Used

The data on attacker infrastructure reveals a reliance on a small number of hosting and cloud providers for launching malicious activity. HOSTGLOBAL.PLUS LTD (AS202306) stands out as the most heavily utilized organization, contributing 625 total requests from just 4 unique IP addresses, suggesting persistent, high-volume operations from a limited set of infrastructure. Similarly, DigitalOcean, LLC (AS14061) is popular, accounting for the highest number of unique IPs (28) and a significant volume of 461 requests, consistent with its status as a commonly used platform for renting VPS for scanning and exploitation. The inclusion of Microsoft Corporation (AS8075) and Pfcloud UG (AS51396) also points to the exploitation of major cloud platforms for anonymity and scalability. Conversely, organizations like Censys, Inc. (AS398324), while having 16 unique IPs, registered only 90 total requests, aligning with its known role as a security research scanner, which generally performs low-volume, benign probes. This distribution highlights a clear operational preference among attackers for specific hosting providers that offer fast provisioning and minimal friction for launching mass-scale attacks.

Mitigations

To protect Oracle WebLogic Server environments from the vulnerabilities discussed, particularly the critical RCE flaws like CVE-2026-21962, CVE-2020-14882/14883, CVE-2020-2551, and CVE-2017-10271, organizations should implement the following steps:

1. Immediate Patching:
   
   • Apply Critical Patch Updates (CPUs): Immediately apply the latest Oracle Critical Patch Updates (CPUs). This is the single most effective mitigation. Ensure all components, including the WebLogic Server itself, console applications, and related components like Coherence, are updated.
   • Prioritize CVE-2026-21962: Given its recent active exploitation, the patch for CVE-2026-21962 must be applied immediately.
2. Network and Access Control:
   
   • Restrict Console Access: The WebLogic administrative console (which is the attack vector for several CVEs, including CVE-2026-21962 and CVE-2020-14882/14883) should never be exposed directly to the internet. Restrict access via firewalls, VPNs, or internal networks only.
   • Disable Unnecessary Protocols/Ports: Disable or restrict network access to sensitive protocols like IIOP/T3 (used in CVE-2020-2551) and WLS-WSAT (used in CVE-2017-10271) from untrusted networks. Configure firewall rules to only allow traffic from known, trusted sources to these ports.
3. Advanced Filtering and WAF:
   
   • Web Application Firewall (WAF): Deploy a WAF in front of the WebLogic servers to inspect and filter malicious traffic. Configure WAF rules to detect and block:
     
     • Requests containing specific path traversal sequences (e.g., %252e%252e%252f, ../) targeting the console path.
     • Exploit patterns for known vulnerabilities (e.g., signatures targeting ProxyServlet for CVE-2026-21962 or SOAP requests to /wls-wsat/ for CVE-2017-10271).
   • In-Depth Inspection: For CVEs related to deserialization (like CVE-2020-2551 and CVE-2017-10271), ensure deep packet inspection (DPI) or security agents are in place to block known serialized gadget chains.
4. Monitoring and Detection:
   
   • Monitor WebLogic Logs: Enhance logging and monitoring for all WebLogic components. Look for unusual activity, specifically:
     
     • Excessive or rapid attempts to access the console or common exploit paths.
     • Sudden execution of suspicious OS commands (e.g., wget, curl, sh, cmd.exe) in application logs or host process logs.
   • Alert on New IPs/Tools: Use the attacker infrastructure data provided (e.g., IPs from DigitalOcean, HOSTGLOBAL.PLUS) to prioritize and investigate traffic originating from these known malicious hosts.
5. Secure Configuration:
   
   • Remove Default Components: Where possible, remove or rename default components (like the WebLogic console if not actively used) to reduce the attack surface.
   • Principle of Least Privilege: Run the WebLogic Server process with the lowest possible operating system privileges to limit the potential damage from a successful RCE attack.

References

• *Intelligence source and information reliability - Wikipedia
• ^#Traffic Light Protocol - Wikipedia