
Executive Summary

This report analyzes attack data collected from a high-interaction honeypot simulating a vulnerable Oracle WebLogic Server (v14.1.1.0.0) over a 12-day period (Jan 22 - Feb 3, 2026). The primary focus is the immediate and widespread exploitation of the newly disclosed, critical unauthenticated Remote Code Execution (RCE) vulnerability, CVE-2026-21962 (CVSS: 10.0). Attack attempts targeting this zero-day-like flaw were observed immediately following the public release of its exploit code, demonstrating the rapid weaponization of critical Oracle WebLogic vulnerabilities.

In addition to CVE-2026-21962, the honeypot captured attacks targeting other persistent, critical WebLogic RCE flaws, including CVE-2020-14882/14883 (Console RCE), CVE-2020-2551 (IIOP RCE), and CVE-2017-10271 (WLS-WSAT RCE). This confirms that threat actors continue to rely on a small set of highly-effective, simple-to-exploit vulnerabilities to compromise WebLogic environments.

Attackers predominantly utilized rented Virtual Private Servers (VPS) from common hosting providers like DigitalOcean and HOSTGLOBAL.PLUS. The overall activity was characterized by high-volume, automated scanning, with tools like libredtail-http and the Nmap Scripting Engine dominating the malicious traffic. Furthermore, the logs revealed significant background noise, including attempts to exploit non-WebLogic-specific vulnerabilities (e.g., Hikvision CVE, PHPUnit RCE, and generic command injections), indicating a broad "spray and pray" approach by threat actors. 

The data underscores the critical and immediate need for organizations to prioritize the patching of CVE-2026-21962 and implement robust layered defenses, including strict access control for the administrative console and WAF filtering, to mitigate the severe RCE risk posed by these unauthenticated exploits.

The Honeypot Setup

The data collection was performed using a high-interaction honeypot, meticulously designed to replicate a production Oracle WebLogic environment. The core of the setup featured a genuine, unpatched Oracle WebLogic Server (v14.1.1.0.0), intentionally.

All traffic is first routed through an Nginx reverse proxy, which acts as the primary data collection point. The proxy is configured to log every request in full, including all headers, the request body, and other metadata. These logs are then shipped via Promtail to a centralized Loki instance for aggregation and storage.

This multi-layered approach ensures that all interactions are captured, from initial probes to full-blown exploit attempts, providing a rich dataset for analysis. The entire system is observable in real-time through Grafana dashboards, which visualize the logged data, and Prometheus, which provides alerting on suspicious activities.

Figure: Flowchart of the honeypot setup

Interaction Level: High-interaction (uses a real vulnerable Oracle WebLogic 14.1.1.0.0)
Architecture: Production-style deployment with proxy-based traffic capture
Components:
  • Real WebLogic Server - Actual vulnerable Oracle WebLogic instance for authentic attacker interaction
  • Python Honeypot Service (app.py) - Flask app that mimics vulnerable proxy plugin behavior and detects exploit patterns
  • Traffic Capture Proxy - Nginx frontend that logs all requests with full headers/body
  • Observability Stack - Loki + Grafana for log visualization, Prometheus for metrics/alerting

Oracle CVEs Being Exploited in the Wild

CVE Table

CVE ID                  Severity         Unique IPs   Description
CVE-2026-21962          CRITICAL (10)    3            WebLogic Console RCE
CVE-2020-14882/14883    CRITICAL (9.8)   4            WebLogic Console RCE
CVE-2020-2551           CRITICAL (9.8)   1            IIOP Protocol RCE
CVE-2017-10271          CRITICAL (9.8)   1            WLS-WSAT Deserialization RCE

Note: The analysis is based on data collected over a short 12-day period, specifically from January 22, 2026, to February 3, 2026.

CVE-2026-21962

Description

CVE-2026-21962 is a critical vulnerability affecting the Oracle WebLogic Server Console, allowing for unauthenticated Remote Code Execution (RCE). The vulnerability, which carries a maximum CVSS score of 10.0, is believed to stem from an improper input validation flaw within the console's web components, allowing a specially crafted HTTP request to execute arbitrary operating system commands on the vulnerable server. This flaw poses an immediate and severe risk, as successful exploitation requires no prior authentication and grants an attacker full control over the compromised WebLogic instance and its host system.

Attack Vectors

HTTP GET requests to:

  • /_proxy//weblogic/..;/bea_wls_internal/ProxyServlet
  • /wl_proxy//weblogic/..;/bea_wls_internal/ProxyServlet

Top Attackers

IP               First Attempt               IpInfo
67.213.118.179   2026-01-22T13:30:50+00:00   Vultr Holdings LLC, United States (Proxy)
41.251.179.181   2026-01-27T08:17:55+00:00   TE Data, Egypt (Hosting Provider)
149.28.149.165   2026-01-27T12:12:53+00:00   DigitalOcean, LLC, Germany (Hosting/VPN)

The public exploit for this CVE was released on GitHub on 22 January. The first exploitation attempt, from 67.213.118.179, was observed on the same day, while the other attackers started scanning the internet on 27 January. This IP has been flagged in multiple reports on AbuseIPDB. All of the observed IP addresses appear to be rented Virtual Private Servers (VPS).

This swift adoption by attackers highlights its attractiveness and the immediate need for patching. Organizations running unpatched Oracle WebLogic Server versions are critically exposed to this zero-day-like threat, which enables everything from data theft to the deployment of persistent backdoors and malware, all executed through a simple, unauthenticated web request.

CVE-2020-14882/14883

Description

This pair of critical vulnerabilities allows an unauthenticated attacker to achieve Remote Code Execution (RCE) on Oracle WebLogic Server instances through the administrative console. CVE-2020-14882 allows bypassing authentication to reach the console, and CVE-2020-14883 allows RCE once authentication is bypassed; the bypass is typically achieved via a path traversal that abuses how the console handles certain URL-encoded paths. Exploitation is simple, requiring only a specially crafted HTTP POST request to the /console/images/%252e%252e%252fconsole.portal endpoint, which makes it a highly attractive target for threat actors seeking to compromise WebLogic servers globally.

Attack Vectors

  • HTTP POST request to /console/images/%252e%252e%252fconsole.portal
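The two attack vectors above (the CVE-2026-21962 ProxyServlet paths with their `..;/` traversal, and the double URL-encoded CVE-2020-14882/14883 console.portal path) can be matched directly from the proxy access log. The following is an added example, not the honeypot's own app.py: it assumes Nginx's combined log format and runs over constructed log lines with documentation-range IPs, normalizing each path the way WebLogic would before deciding which CVE it corresponds to.

```python
import re
from urllib.parse import unquote

# Constructed sample Nginx access-log lines (combined format assumed); documentation-range IPs.
SAMPLE_LOGS = """\
203.0.113.10 - - [27/Jan/2026:08:17:55 +0000] "GET /_proxy//weblogic/..;/bea_wls_internal/ProxyServlet HTTP/1.1" 200 512 "-" "libredtail-http"
203.0.113.11 - - [27/Jan/2026:12:12:53 +0000] "POST /console/images/%252e%252e%252fconsole.portal HTTP/1.1" 200 0 "-" "python-requests/2.31"
203.0.113.12 - - [27/Jan/2026:12:13:01 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.13 - - [28/Jan/2026:09:00:00 +0000] "GET /wl_proxy//weblogic/..%3B/bea_wls_internal/ProxyServlet HTTP/1.1" 404 0 "-" "Nmap Scripting Engine"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def normalize(path):
    """Decode URL-encoding twice (so %252e%252e%252f becomes ../) and drop
    servlet path parameters (the ';' in '..;/'), so traversal is visible."""
    p = unquote(unquote(path.split("?", 1)[0]))
    return re.sub(r";[^/]*", "", p)      # '/..;/' -> '/../'

def classify(method, path):
    """Map a request to the CVE whose attack vector it matches, else None."""
    p = normalize(path).lower()
    proxy_prefix = p.startswith("/_proxy/") or p.startswith("/wl_proxy/")
    if method == "GET" and proxy_prefix and "/../bea_wls_internal/proxyservlet" in p:
        return "CVE-2026-21962"
    if method == "POST" and p == "/console/images/../console.portal":
        return "CVE-2020-14882/14883"
    return None

def scan(log_text):
    """Return (ip, cve, raw_path) for every log line matching a known vector."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and (cve := classify(m["method"], m["path"])):
            hits.append((m["ip"], cve, m["path"]))
    return hits

def unique_ips_per_cve(hits):
    """Same counting as the 'Unique IPs' column in the CVE table above."""
    seen = {}
    for ip, cve, _ in hits:
        seen.setdefault(cve, set()).add(ip)
    return {cve: len(ips) for cve, ips in seen.items()}

if __name__ == "__main__":
    for ip, cve, path in scan(SAMPLE_LOGS):
        print(f"{ip} {cve} {path}")
```

Matching is done on the decoded, parameter-stripped path rather than the raw string, so the `%3B` variant of `..;/` and the double-encoded `%252e` form are caught by the same rules.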

Top Attackers

IP               First Attempt               IpInfo
67.213.118.179   2026-01-22T13:30:50+00:00   Vultr Holdings LLC, United States (Proxy)
41.251.179.181   2026-01-27T08:17:55+00:00   TE Data, Egypt (Hosting Provider)
149.28.149.165   2026-01-27T12:12:53+00:00   DigitalOcean, LLC, Germany (Hosting/VPN)
