When Oracle patched CVE-2026-21962 on January 20, 2026, the window between disclosure and live exploitation proved razor thin. Within 48 hours, a public exploit landed on GitHub. Within hours of that release, the first recorded attack against a honeypot arrived from IP 67.213.118.179. By February 3, 2026, researchers at CloudSEK and Imperva had logged more than 140,000 attack attempts across 21 countries in just 12 days. The vulnerability carried a CVSS 3.1 base score of 10.0, the maximum possible, making Oracle WebLogic’s proxy plugin one of the most dangerous attack surfaces in enterprise middleware today.
This was not an isolated event. Oracle’s WebLogic ecosystem has faced critical exploitation campaigns for nearly a decade. What distinguishes 2026 is the combination of a perfect-10 severity score, a near-instant public exploit, and a patching backlog that has left thousands of internet-facing servers vulnerable months after fixes became available. The June 4, 2026 CISA remediation deadline for a separate WebLogic flaw, CVE-2024-21182, underscored that federal agencies themselves were still racing to close gaps first disclosed in July 2024.
What Is CVE-2026-21962?
CVE-2026-21962 is a critical improper access control vulnerability in Oracle HTTP Server and the Oracle WebLogic Server Proxy Plug-in, components of Oracle Fusion Middleware. The flaw resides specifically in the WebLogic Server Proxy Plug-in for Apache HTTP Server and Microsoft IIS. An unauthenticated remote attacker with HTTP network access can send specially crafted requests to the affected proxy components and bypass security controls entirely.
Successful exploitation grants unauthorized read and write access to critical data handled by Oracle HTTP Server. In practice, that means an attacker can create, delete, or modify any data accessible to the web server, compromising both the confidentiality and integrity of the entire server stack. In CVSS terms the vulnerability has changed scope: the initially vulnerable component is the proxy plug-in, but a successful attack can cascade into backend WebLogic systems, multiplying the impact.
The underlying root cause is a URI normalization inconsistency between Oracle HTTP Server with its default configuration and the backend WebLogic server. Researcher gregk4sec first identified this path-traversal elevation-of-privilege vector on September 24, 2025, nearly four months before Oracle disclosed the flaw publicly. That four-month gap between discovery and patch is significant: it means the flaw had been known, at least privately, for an extended period before organizations had any chance to act.
The CVSS 3.1 vector for CVE-2026-21962 reflects its exceptional danger: low attack complexity, no authentication required, no user interaction needed, network-accessible attack vector, high confidentiality impact, high integrity impact, and scope change. These characteristics place it in the rarest tier of vulnerabilities, alongside flaws like Log4Shell and the ProxyShell Exchange chain.
The Disclosure and Exploit Timeline
Oracle disclosed CVE-2026-21962 on January 20, 2026, as part of its quarterly Critical Patch Update (CPU). The same CPU addressed hundreds of other vulnerabilities across Oracle’s product portfolio, but CVE-2026-21962 stood out for its maximum severity rating. Oracle’s risk matrix flagged it as remotely exploitable without authentication, over HTTP, with changed scope.
Two days later, on January 22, 2026, gregk4sec published the public proof-of-concept exploit code on GitHub. The exploit demonstrated the path-traversal technique exploiting URI normalization differences between the Oracle OHS front end and the WebLogic back end. Within hours of that GitHub publication, the first attack attempt hit a CloudSEK honeypot running a simulated vulnerable Oracle WebLogic Server version 14.1.1.0.0. The attacker’s IP, 67.213.118.179, had already been flagged across multiple reports on AbuseIPDB, indicating a seasoned threat actor or automated scanner prepositioned to target new high-value CVEs.
Other attackers began scanning the broader internet by January 27, 2026. All observed attacker IPs used rented Virtual Private Servers (VPS), a standard operational security practice that makes attribution difficult but signals organized, resourced threat actors rather than opportunistic script kiddies. The 12-day CloudSEK honeypot study ran from January 22 through February 3, 2026, capturing 140,000 attack attempts in that window alone.
This timeline mirrors a disturbing pattern across high-severity enterprise middleware vulnerabilities. Time-to-exploit is shrinking across the industry. A 2024 Mandiant study found the average time between public disclosure and first known exploitation dropped from 63 days in 2018 to fewer than 5 days in 2024. For CVE-2026-21962, that window compressed to roughly 2 days.
How the Attack Works: URI Normalization as a Weapon
The technical mechanism behind CVE-2026-21962 exploits a classic but underappreciated inconsistency in how different components of a web stack interpret URL paths. Oracle HTTP Server, running the WebLogic Server Proxy Plug-in, normalizes incoming URIs differently than the backend WebLogic application server does. An attacker crafts an HTTP request with a specially formatted URI that the front-end proxy treats as a legitimate request to a non-restricted path but that the backend WebLogic server maps to a privileged resource.
This path-traversal elevation-of-privilege technique bypasses access control checks at the proxy layer. Because the WebLogic Proxy Plug-in acts as the trust boundary between external traffic and backend applications, compromising it means all data the backend server touches is potentially exposed. In enterprise deployments, WebLogic servers commonly handle financial transactions, healthcare records, government data, and manufacturing workflows.
Security researchers at NetSPI characterized the flaw as particularly dangerous because it requires no prior foothold in the target environment. An attacker scanning the internet for exposed Oracle HTTP Server deployments can move from initial reconnaissance to active exploitation using only the public PoC code. The attack does not require social engineering, credential theft, or any access to internal systems. It is a direct remote attack path from the open internet.
The Role of T3 and IIOP in Related Exploits
CVE-2026-21962 targets the HTTP proxy layer, but WebLogic’s broader attack surface also includes the T3 and IIOP protocols used for internal Java component communication. CVE-2024-21182, a separate flaw patched in July 2024 but still actively exploited in June 2026, uses precisely these protocols. T3 and IIOP are often exposed on the same ports as HTTP traffic in misconfigured deployments, giving attackers multiple attack vectors into a single WebLogic installation. Security teams hardening against CVE-2026-21962 should simultaneously audit T3 and IIOP exposure as part of a complete WebLogic security posture review.
Attack Statistics: 140,000 Hits Across 21 Countries
The quantitative picture of CVE-2026-21962 exploitation is stark. Imperva, which monitors attack traffic for its global customer base, reported more than 140,000 attack attempts targeting 21 countries during the initial exploitation surge. The geographic distribution was heavily skewed: approximately 75% of attacks targeted US-based sites, with Poland emerging as the second most targeted country. Attacks originated from 9 distinct source countries, and targets spanned 18 industries.
Computing and IT organizations represented the primary target sector, which reflects WebLogic’s concentration in technology infrastructure. Financial services, government, healthcare, and telecommunications round out the most exposed sectors. WebLogic’s role as the backbone for Oracle-based enterprise resource planning (ERP) systems means that any compromise can cascade into business-critical data that attackers can monetize through extortion, data sales, or ransomware deployment.
| Metric | Value | Source / Period |
|---|---|---|
| Total attack attempts logged | 140,000+ | Imperva / CloudSEK, Jan 22 – Feb 3, 2026 |
| Countries targeted | 21 | Imperva, Jan–Feb 2026 |
| Share of attacks targeting US | ~75% | Imperva / CloudSEK, Jan–Feb 2026 |
| Second-most targeted country | Poland | CloudSEK honeypot study |
| Attacker source countries | 9 | CloudSEK honeypot study |
| Industries targeted | 18 | CloudSEK / Imperva |
| Days from disclosure to first exploit | 2 | GitHub / CloudSEK timeline |
| Days from exploit to honeypot hit | Hours (same day) | CloudSEK (Jan 22, 2026) |
| Exposed WebLogic servers (Shodan, Jun 2026) | 1,500+ | CISA advisory, Jun 2026 |
| Servers on v12.2.1.4.0 still unpatched | 961 | Shodan scan, Jun 2026 |
| Servers on v14.1.1.0.0 still unpatched | 631 | Shodan scan, Jun 2026 |
Affected Products and Versions
CVE-2026-21962 affects Oracle HTTP Server and the WebLogic Server Proxy Plug-in across multiple versions of Oracle Fusion Middleware. For the Apache HTTP Server proxy plug-in, affected versions include 12.2.1.4.0, 14.1.1.0.0, and 14.1.2.0.0. For the WebLogic Server Proxy Plug-in for Microsoft IIS, only version 12.2.1.4.0 is confirmed affected.
The breadth of affected versions matters in practice. Version 12.2.1.4.0 remains in extended support, meaning organizations that have not upgraded face both this flaw and a growing list of other unpatched vulnerabilities. Version 14.1.1.0.0 is Oracle’s current long-term support release, making it the most widely deployed version in enterprise environments. The presence of both versions among the vulnerable population confirms that neither upgrade currency nor support status alone protects organizations.
Remediation requires applying Oracle’s January 2026 Critical Patch Update for all affected versions. Oracle also published workaround instructions for organizations that cannot immediately apply the full patch. Workarounds typically involve restricting access to the WebLogic Server Proxy Plug-in to trusted IP ranges and disabling the plug-in on hosts where it is not operationally required.
Expert Analysis: What Researchers Are Saying
Security researchers across multiple firms have provided public commentary on CVE-2026-21962 that frames both the technical risk and the organizational challenge of responding to maximum-severity middleware vulnerabilities.
Arctic Wolf’s threat intelligence team wrote in January 2026 that “threat actors may target this vulnerability in the future due to the ease of exploitation over the internet and the level of access it could provide.” Arctic Wolf noted that it had not yet observed active exploitation at the time of its advisory, but flagged the vulnerability as high-priority given the combination of unauthenticated access and maximum severity score. By late January, the honeypot data proved that prediction correct.
CloudSEK’s research team, which operated the high-interaction honeypot, stated that their study demonstrated how quickly WebLogic flaws become weaponized. The team found that immediately after public exploit code was released for CVE-2026-21962, automated exploitation attempts surged. The 140,000 attempts across 12 days represent an average of nearly 11,700 attacks per day, a volume that would overwhelm any organization relying solely on manual monitoring.
Imperva’s security team documented that CVE-2026-21962 attacks targeted 21 countries globally, with approximately 75% directed at US-based sites, followed by Poland, with sources in 9 countries and targets across 18 industries, primarily Computing and IT. Imperva confirmed it had deployed protections for its customer base against CVE-2026-21962 in the Oracle HTTP Server and WebLogic proxy stack.
NetSPI described CVE-2026-21962 as a critical flaw within the Oracle WebLogic Server Proxy Plug-in request handling logic, with remote, unauthenticated HTTP-based exploitation as its attack vector. NetSPI highlighted that the vulnerability’s combination of low attack complexity and high potential compromise made it a priority remediation target regardless of an organization’s existing patching cadence, arguing that the usual business-cycle approach to quarterly CPU application was not appropriate for a CVSS 10.0 flaw with public exploit code.
The California Cybersecurity Integration Center (Cal-CSIC) also issued an advisory in January 2026, noting that CVE-2026-21962 carries a CVSS 3.1 score of 10.0 and that successful exploitation grants an unauthenticated attacker unauthorized creation, deletion, and modification access to Oracle HTTP Server and WebLogic Server Proxy Plug-in data via specially crafted HTTP requests. The attacker can create, delete, or modify any data accessible to the web server, greatly compromising the integrity and confidentiality of the entire server.
Historical Context: WebLogic’s Decade as a Top Target
Oracle WebLogic Server is not a newcomer to the vulnerability landscape. It has been a persistent target for threat actors for nearly a decade, and the CVE-2026-21962 campaign fits a well-established pattern of rapid weaponization of WebLogic flaws.
CVE-2017-10271, a remote code execution flaw in the WLS-WSAT component, was exploited in mass campaigns starting in 2017 and still appeared in CloudSEK’s 2026 honeypot as an active scanning target nine years later. CVE-2020-14882 and CVE-2020-14883, which allowed unauthenticated console RCE, were weaponized within days of their October 2020 disclosure and used in cryptocurrency mining campaigns, botnet recruitment, and ransomware staging. CVE-2020-2551, an IIOP-based RCE flaw, added another vector to the ecosystem.
The persistence of these older CVEs in active scanning campaigns reveals a fundamental problem in enterprise middleware patching. Organizations running WebLogic in complex, high-availability environments face significant operational risk from applying patches because middleware updates can break application compatibility. This friction between security and operational stability means that some WebLogic instances carry unpatched vulnerabilities that are years old. The Shodan data showing 1,500+ servers still vulnerable to a July 2024 flaw in June 2026 is direct evidence of this dynamic.
The Cl0p ransomware group exploited a zero-day in Oracle E-Business Suite, another Oracle Fusion Middleware product, in late 2025, conducting a large-scale data theft and extortion campaign. That campaign demonstrated that high-profile threat actors with ransomware capabilities are actively hunting for Oracle middleware weaknesses. While Cl0p has not been directly linked to CVE-2026-21962 exploitation, the proximity of the two incidents in the Oracle Fusion Middleware ecosystem serves as a concrete warning signal for security teams protecting WebLogic-dependent infrastructure.
The CISA Response: Federal Agencies on the Clock
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has maintained active oversight of Oracle WebLogic vulnerabilities throughout 2025 and 2026. On June 3, 2026, CISA added CVE-2024-21182 to its Known Exploited Vulnerabilities (KEV) Catalog and issued a remediation deadline of June 4, 2026, under Binding Operational Directive 22-01 (BOD 22-01). That directive requires all U.S. federal civilian agencies to remediate KEV-listed vulnerabilities by the specified deadline or obtain documented risk acceptance from agency leadership.
CVE-2024-21182 is a separate WebLogic flaw from CVE-2026-21962, but its June 2026 KEV listing illustrates that even vulnerabilities patched two years prior remain unaddressed in production systems. CISA’s advisory noted that more than 1,500 publicly accessible Oracle WebLogic servers remained vulnerable at the time of listing, with 961 running version 12.2.1.4.0 and 631 running version 14.1.1.0.0, according to Shodan data.
The June 4, 2026 deadline also coincided with remediation requirements for two other actively exploited vulnerabilities, one in Trend Micro Apex One and one in the Langflow AI workflow platform. CISA added a fourth CVE that same week: CVE-2026-45247, a deserialization of untrusted data vulnerability actively exploited against Magento web shops. The clustering of multiple critical remediation deadlines on the same date reflects the accelerating pace of enterprise vulnerability exploitation and the sustained pressure on security operations teams to prioritize.
For organizations outside the federal civilian space, the KEV catalog serves as a prioritization tool rather than a mandate. Security teams can use CISA’s catalog as a risk-based patching guide, focusing remediation effort on vulnerabilities with confirmed real-world exploitation before moving to theoretical risks. Both CVE-2024-21182 and CVE-2026-21962 qualify as top-priority items under this framework given their combination of maximum severity and documented active exploitation.
Oracle’s April 2026 CPU: 59 More Patches, 46 Remotely Exploitable
Oracle’s April 2026 Critical Patch Update added further urgency to the WebLogic security picture. The April 2026 CPU shipped 59 new security patches for Oracle Fusion Middleware, of which 46 addressed vulnerabilities remotely exploitable without authentication. That ratio, 78% of middleware patches covering unauthenticated remote attack vectors, is a sobering indicator of the attack surface that organizations expose when they deploy Oracle Fusion Middleware components on internet-accessible infrastructure.
Two April 2026 CVEs warrant specific attention for WebLogic administrators. CVE-2026-34305 is an unauthenticated information disclosure flaw in the WebLogic Server Web Services component, carrying a CVSS 3.1 base score of 7.5. It affects four supported version trains: 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0. An unauthenticated attacker can send crafted HTTP requests and receive critical server data in return, providing reconnaissance information that can feed subsequent higher-impact attacks.
CVE-2026-34292 is a privilege escalation vulnerability in the Core component of WebLogic Server, affecting versions 12.2.1.4.0 and 14.1.1.0.0. While it requires a high-privileged attacker, meaning initial access is a prerequisite, successful exploitation results in complete takeover of the affected WebLogic Server instance. In environments where CVE-2026-21962 or CVE-2024-21182 could provide that initial access, CVE-2026-34292 becomes a chained privilege escalation risk that security teams must account for in their threat models.
CVE Comparison: Oracle WebLogic Vulnerabilities 2024-2026
| CVE | CVSS Score | Component | Auth Required | Attack Vector | Patch Date | CISA KEV Listed |
|---|---|---|---|---|---|---|
| CVE-2026-21962 | 10.0 | HTTP Server / Proxy Plug-in | No | HTTP (remote) | Jan 20, 2026 | No (as of Jun 2026) |
| CVE-2024-21182 | Critical | WebLogic Core (T3/IIOP) | No | T3 / IIOP (remote) | Jul 2024 | Yes, deadline Jun 4, 2026 |
| CVE-2026-34305 | 7.5 | Web Services component | No | HTTP (remote) | Apr 2026 | No |
| CVE-2026-34292 | Critical | Core component | Yes (high priv) | HTTP (remote) | Apr 2026 | No |
| CVE-2025-21535 | Critical | Core component | Not disclosed | Network | Jan 2025 | No |
| CVE-2020-14882/14883 | 9.8 / 7.2 | Console (RCE) | No | HTTP (remote) | Oct 2020 | Yes |
| CVE-2017-10271 | 7.5 | WLS-WSAT component | No | HTTP (remote) | Oct 2017 | Yes |
Who Is Most at Risk? Industries and Geographies
Oracle WebLogic Server’s market position concentrates its attack surface in specific industry verticals and geographies. Oracle’s enterprise software customer base skews heavily toward large enterprises in financial services, government, healthcare, manufacturing, telecommunications, and utilities. These sectors share two characteristics that make WebLogic exploitation particularly consequential: they handle sensitive data at scale, and they operate in regulatory environments where data breaches carry fines, mandatory notification requirements, and reputational penalties.
The financial services sector faces compounded risk because Oracle WebLogic frequently underpins core banking applications, payment processing infrastructure, and trading platforms. A successful exploitation that leads to data modification, not just data theft, could produce incorrect financial records or corrupted transaction logs, risks with operational and regulatory consequences that extend far beyond the typical breach scenario.
Government agencies present a different risk profile. Many government WebLogic deployments run on-premises behind network perimeters, which reduces direct internet exposure. But the persistence of CVE-2024-21182 in the CISA KEV catalog, combined with the June 4 federal deadline, confirms that government WebLogic instances are not uniformly isolated from internet-accessible attack surfaces. Edge deployments, API gateways, and cloud-hosted government applications all represent potential entry points.
Geographically, the dominance of US targets in the CVE-2026-21962 honeypot data reflects the concentration of large Oracle enterprise deployments in North America. The emergence of Poland as the second most targeted country is less expected and may reflect specific sectors in Eastern Europe running Oracle Fusion Middleware, or attacker infrastructure routing through the region.
Mitigation Steps: Securing WebLogic Against Active Exploitation
Organizations with Oracle WebLogic deployments should treat the January 2026 CPU patch for CVE-2026-21962 as an emergency remediation item, not a scheduled maintenance task. The following steps reflect guidance from Oracle, CISA, SentinelOne, Arctic Wolf, and NetSPI.
Immediate Actions (Within 24 Hours)
- Apply Oracle’s January 2026 Critical Patch Update to all affected versions of Oracle HTTP Server and the WebLogic Server Proxy Plug-in: versions 12.2.1.4.0, 14.1.1.0.0, and 14.1.2.0.0 for Apache; version 12.2.1.4.0 for IIS.
- Inventory all internet-facing WebLogic deployments using your configuration management database and cross-reference against Shodan or your preferred attack surface management tool to identify exposures you may not know about.
- If patching cannot be completed immediately, apply Oracle’s published workaround: restrict access to the WebLogic Server Proxy Plug-in to known trusted IP ranges using firewall rules or load balancer ACLs.
- Disable the WebLogic Server Proxy Plug-in entirely on any host where it is not operationally required. The plug-in significantly expands attack surface and is not needed in all configurations.
Short-Term Actions (Within 7 Days)
- Review and audit authentication and administrative access logs for all WebLogic instances for signs of compromise, particularly unusual HTTP request patterns targeting proxy plug-in URIs.
- Restrict T3 and IIOP protocol access (relevant for CVE-2024-21182 and other WebLogic flaws) to trusted internal networks only. These protocols should never be exposed to the internet.
- Apply the April 2026 CPU, which addresses CVE-2026-34305 and CVE-2026-34292 among its 59 Oracle Fusion Middleware patches, if it has not yet been applied.
- Implement network segmentation to isolate WebLogic Server instances from untrusted network zones, limiting lateral movement if an initial compromise occurs.
- Enable enhanced logging and monitoring on WebLogic Server to detect unusual request patterns that may indicate exploitation attempts or active compromise.
- Enforce multi-factor authentication for all WebLogic administrative console access.
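The log review and enhanced monitoring steps above, and the proxy/backend normalization mismatch described earlier, can be checked against access logs with this added example (not code from the article, Oracle, CloudSEK or NetSPI). It parses OHS/Apache combined-format lines, canonicalizes each request path the way a permissive backend might (full percent-decoding, dot-segment resolution, path-parameter stripping) and flags requests whose canonical form differs from what was sent or lands on a restricted prefix; the log lines and the `RESTRICTED_PREFIXES` list are constructed for the illustration and must be adapted to the real deployment.

```python
# Added example, not code from the article or from Oracle, CloudSEK, NetSPI or Imperva.
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample in Apache/OHS "combined"-style format (not real traffic):
# two ordinary requests from one client, then three requests from another client
# that spell the same kind of target three different ways.
SAMPLE_LOG = """\
203.0.113.10 - - [22/Jan/2026:14:02:11 +0000] "GET /app/index.jsp HTTP/1.1" 200 5120
203.0.113.10 - - [22/Jan/2026:14:02:12 +0000] "GET /app/css/site.css HTTP/1.1" 200 880
198.51.100.7 - - [22/Jan/2026:14:05:40 +0000] "GET /app/../console/ HTTP/1.1" 403 199
198.51.100.7 - - [22/Jan/2026:14:05:41 +0000] "GET /app/%2e%2e/console/ HTTP/1.1" 200 2310
198.51.100.7 - - [22/Jan/2026:14:05:42 +0000] "GET /app/%252e%252e/management/ HTTP/1.1" 200 1750
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+'
)

# Percent-encoded '.', '/', '\' and ';' in a path are a normalization red flag.
ENCODED_SPECIAL = re.compile(r"%(2[eEfF]|5[cC]|3[bB])")

# Assumed, deployment-specific prefixes that the proxy layer must never forward
# from the internet. Adjust to the applications actually behind the plug-in.
RESTRICTED_PREFIXES = ("/console", "/management")


def decode_fully(s, limit=3):
    """Percent-decode until the string stops changing, so %252e is seen as '.'."""
    for _ in range(limit):
        nxt = unquote(s)
        if nxt == s:
            break
        s = nxt
    return s


def canonicalize(path):
    """Fully decode, treat backslash as '/', drop ';params', resolve '.'/'..', collapse '//'."""
    segs = []
    for seg in decode_fully(path).replace("\\", "/").split("/"):
        seg = seg.split(";", 1)[0]
        if seg in ("", "."):
            continue
        if seg == "..":
            if segs:
                segs.pop()
            continue
        segs.append(seg)
    return "/" + "/".join(segs)


def analyze(line):
    """Return a finding for one access-log line, or None when the path needs no normalization."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw_path = m.group("target").split("?", 1)[0]
    once = unquote(raw_path)
    decoded = decode_fully(raw_path)
    canon = canonicalize(raw_path)
    reasons = []
    if ENCODED_SPECIAL.search(raw_path):
        reasons.append("percent-encoded path characters")
    if decoded != once:
        reasons.append("multiple layers of percent-encoding")
    if ".." in decoded.replace("\\", "/").split("/"):
        reasons.append("dot-dot segment")
    if canon.startswith(RESTRICTED_PREFIXES):
        how = "directly" if raw_path.startswith(RESTRICTED_PREFIXES) else "via normalization"
        reasons.append("targets restricted prefix %s %s" % (canon, how))
    if not reasons:
        return None
    return {"ip": m.group("ip"), "status": m.group("status"),
            "raw": raw_path, "canonical": canon, "reasons": reasons}


def scan(log_text):
    """Analyze every line; return findings in log order."""
    return [f for f in (analyze(l) for l in log_text.splitlines()) if f]


def per_source(findings):
    """Count flagged requests per client IP; a high count marks an automated scanner."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f["ip"], f["status"], f["raw"], "->", f["canonical"], "|", "; ".join(f["reasons"]))
    print("flagged per source:", dict(per_source(found)))
```

A 200 status on a request whose canonical path lands on a restricted prefix is the line to escalate; a 403 on the same canonical path shows the proxy layer rejected that spelling.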
Market Impact: Enterprise Middleware Security Under Scrutiny
The wave of critical Oracle WebLogic vulnerabilities in 2025 and 2026 is accelerating two market trends that were already underway: the shift toward cloud-hosted application server alternatives, and increased investment in attack surface management (ASM) and vulnerability prioritization tooling.
Organizations that have been delaying WebLogic-to-cloud migrations are now confronting the security cost of that delay in concrete terms. Oracle’s own cloud infrastructure (OCI) provides managed WebLogic deployments where Oracle handles patching cadence, but organizations running on-premises or on third-party cloud infrastructure retain full patching responsibility. The operational complexity of that responsibility, demonstrated by the 1,500+ servers still vulnerable to a two-year-old flaw, is making the managed-cloud value proposition more compelling to procurement teams.
The attack surface management market receives further validation from the WebLogic situation. Shodan data revealing 1,500+ vulnerable internet-facing WebLogic servers months after patch availability illustrates exactly the gap that ASM tools aim to close. Vendors including Tenable, Qualys, Rapid7, and Censys highlighted the WebLogic exposure in their threat intelligence communications in Q1-Q2 2026, positioning their platforms as essential for organizations that need real-time visibility into their WebLogic footprint.
From a vendor trust perspective, Oracle’s quarterly CPU model is under increased scrutiny. Critics argue that a quarterly patching cadence is insufficient for critical-severity flaws with publicly available exploits. The 48-hour window between Oracle’s January 2026 CPU and the first public exploit for CVE-2026-21962 gave organizations at most two days to patch before working exploit code was freely available, and many organizations take weeks or months to apply quarterly patches to production systems. Calls for Oracle to adopt an emergency out-of-band patching mechanism for CVSS 9.0 and above vulnerabilities have grown louder following this incident.
Predictions: Five Developments to Watch Through 2027
Based on the current exploitation trajectory and the broader WebLogic vulnerability ecosystem, five developments are likely in the 12 months following the CVE-2026-21962 disclosure.
Ransomware groups will adopt CVE-2026-21962 as an initial access vector. Cl0p’s late-2025 Oracle E-Business Suite campaign demonstrated that organized ransomware operators are actively hunting Oracle Fusion Middleware weaknesses. CVE-2026-21962’s combination of maximum severity, public exploit code, and thousands of still-unpatched targets makes it a natural candidate. Formal attribution of a ransomware campaign leveraging this CVE is likely within the next 6 months.
CISA will add CVE-2026-21962 to the KEV catalog. CISA’s June 2026 addition of CVE-2024-21182 to KEV confirmed the agency’s willingness to list WebLogic flaws with demonstrated exploitation. Given the 140,000 attacks documented by Imperva and CloudSEK, CVE-2026-21962 meets the KEV threshold for confirmed exploitation in the wild. A formal KEV listing with an associated remediation deadline will likely follow within the next quarter.
Oracle will face pressure to move to emergency patching for CVSS 10.0 vulnerabilities. Industry groups, government agencies, and enterprise customers are increasingly vocal that a quarterly patching cadence cannot match the pace of modern vulnerability weaponization. Oracle is likely to introduce supplemental security alerts or expedited patch channels for maximum-severity flaws within the next two CPU cycles.
WebLogic-to-cloud migration velocity will accelerate in 2026. The combination of patching complexity, active exploitation, and maturing Oracle Cloud Infrastructure managed services presents a compelling business case for migration. Enterprise software buyers already accelerating cloud consolidation will use 2026’s WebLogic security incidents as internal justification for faster timelines and larger migration budgets.
Attack surface management adoption will increase in Oracle-heavy verticals. Financial services and government sectors, which account for a disproportionate share of WebLogic deployments, will prioritize ASM investments following the visibility gap exposed by 1,500 unpatched internet-facing servers. Procurement of continuous exposure management platforms will increase in these sectors through the end of 2026.
Frequently Asked Questions
What is CVE-2026-21962 and why does it have a CVSS score of 10.0?
CVE-2026-21962 is a critical improper access control vulnerability in Oracle HTTP Server and the WebLogic Server Proxy Plug-in. Its CVSS 3.1 score of 10.0 reflects the worst-case combination of attributes: unauthenticated remote exploitation over HTTP, low attack complexity, no user interaction required, changed scope (the attack impacts systems beyond the vulnerable component), and high confidentiality and integrity impact.
Is CVE-2026-21962 the same as CVE-2024-21182?
No. These are two separate Oracle WebLogic vulnerabilities. CVE-2024-21182 targets the WebLogic Server Core component using the T3 and IIOP protocols and was patched in July 2024. CVE-2026-21962 targets the WebLogic Server Proxy Plug-in via HTTP and was patched in January 2026. Both are actively exploited in 2026, and CISA added CVE-2024-21182 to its KEV catalog with a June 4, 2026 remediation deadline for federal agencies.
How quickly can an attacker exploit CVE-2026-21962?
Public exploit code appeared on GitHub within 48 hours of Oracle’s disclosure. The first recorded attacks against a honeypot occurred within hours of the PoC publication. An attacker scanning the internet for exposed Oracle HTTP Server deployments can launch exploitation attempts using freely available tools. No authentication, credentials, or social engineering are required.
Which Oracle WebLogic versions are affected by CVE-2026-21962?
For the WebLogic Server Proxy Plug-in for Apache HTTP Server: versions 12.2.1.4.0, 14.1.1.0.0, and 14.1.2.0.0. For the WebLogic Server Proxy Plug-in for Microsoft IIS: version 12.2.1.4.0 only. Apply Oracle’s January 2026 Critical Patch Update to remediate the vulnerability in all affected configurations.
Has any ransomware group been confirmed exploiting CVE-2026-21962?
As of June 2026, no ransomware group has been formally attributed to CVE-2026-21962 exploitation. However, the Cl0p ransomware group exploited a separate Oracle Fusion Middleware zero-day in Oracle E-Business Suite in late 2025, demonstrating that sophisticated ransomware operators actively target Oracle middleware products. CVE-2026-21962’s maximum severity score and public exploit code make it a likely near-term ransomware initial access vector.
What should I do if I cannot apply the January 2026 CPU immediately?
Oracle published workaround instructions alongside the January 2026 CPU. At minimum, restrict access to the WebLogic Server Proxy Plug-in to known trusted IP ranges using firewall rules or load balancer access control lists. Disable the plug-in entirely on hosts where it is not operationally required. Implement enhanced logging to detect exploitation attempts while the patch is staged for production deployment.
Is this vulnerability relevant to Oracle WebLogic on Oracle Cloud Infrastructure (OCI)?
Organizations using Oracle’s managed WebLogic service on OCI should consult Oracle’s cloud advisories directly, as managed service patching timelines differ from on-premises CPU schedules. On-premises and self-managed cloud deployments are fully responsible for applying the January 2026 CPU. Confirmation of patch status should be verified through the OCI console or Oracle support channels regardless of your deployment model.
Why do older WebLogic CVEs from 2017 and 2020 still appear in active attacks?
Enterprises running WebLogic in complex, high-availability environments face significant operational risk from applying patches because middleware updates can break application compatibility. This friction between security and operational stability creates a long tail of unpatched servers. Attackers exploit this by maintaining scanners that probe for old CVEs alongside new ones, ensuring any unpatched server is found regardless of when its vulnerability was first disclosed.
Related Coverage
For more context on the enterprise vulnerability landscape and related security topics covered at shattered.io:
- Check Point VPN Zero-Day: CVSS 9.3, Qilin Ransomware [2026] — Analysis of another critical network infrastructure zero-day and its ransomware connection in 2026.
- Cloudflare 2026 Threat Report: 47M Attacks, 31.4 Tbps Record [2026] — Industry-wide attack volume data providing broader context for CVE exploitation trends.
- Ransomware Groups Up 49%: 8,159 Victims Hit in 2025 [2026] — Understanding the threat actors most likely to weaponize enterprise middleware vulnerabilities like CVE-2026-21962.
- AI Cyberattacks: 90% Autonomous, 40K Flaws [2026] — How AI is accelerating vulnerability exploitation timelines across all CVE classes.
- npm Supply Chain Attacks: 1.2M Malicious Packages [2026] — Parallel analysis of supply-chain attack vectors targeting enterprise software infrastructure.
External sources: CloudSEK honeypot study on CVE-2026-21962 | NetSPI technical analysis | Arctic Wolf advisory | Imperva attack statistics | Oracle January 2026 Critical Patch Update