Oracle WebLogic proxy flaw is under active attack, and honeypot data shows scanners moved fast


Attackers are actively probing and exploiting CVE-2026-21962, a maximum-severity Oracle flaw that Oracle patched in January 2026. But there is an important correction up front: this bug affects Oracle HTTP Server and the WebLogic Server Proxy Plug-in, not the core WebLogic Server itself. Oracle and NVD both describe it as an unauthenticated HTTP issue in the proxy plug-in components, with affected versions including 12.2.1.4.0, 14.1.1.0.0, and 14.1.2.0.0.

CloudSEK says attackers began hitting its high-interaction honeypot almost immediately after public exploit code appeared on January 22, 2026. The company observed automated exploitation attempts against a honeypot emulating a vulnerable 14.1.1.0.0 environment, which shows how quickly publicly available exploit material can turn into active scanning and attack traffic.

Oracle rated CVE-2026-21962 at CVSS 10.0, and external write-ups from Imperva and Arctic Wolf also treated it as a high-priority patching issue because it is reachable over HTTP and requires no authentication. The impact Oracle published focuses on compromise of critical data through unauthorized creation, deletion, or modification access; it is not a vendor-confirmed blanket “full RCE on all WebLogic servers” statement.

What the honeypot saw

CloudSEK’s 12-day honeypot study found that attackers did not limit themselves to the newly disclosed flaw. The system recorded broad automated traffic aimed at CVE-2026-21962 as well as older WebLogic-related bugs such as CVE-2020-14882, CVE-2020-14883, CVE-2020-2551, and CVE-2017-10271. That pattern suggests opportunistic mass scanning rather than careful one-target-at-a-time intrusion work.

The researchers said many of the requests came from rented VPS infrastructure, including providers such as DigitalOcean and HOSTGLOBAL.PLUS. They also saw tooling patterns tied to high-volume automation, including Nmap Scripting Engine traffic and a client identified as libredtail-http, which generated more than 1,000 requests in the observed period.

CloudSEK also reported that the scanners cast a wider net than Oracle products alone. The same infrastructure probed for unrelated issues such as PHPUnit and Hikvision bugs, which reinforces the idea that many operators now run shared scanning stacks that test every exposed service they can find.

Why CVE-2026-21962 matters

NVD describes CVE-2026-21962 as an easily exploitable vulnerability in Oracle HTTP Server and Oracle WebLogic Server Proxy Plug-in components. The issue affects the Apache and IIS plug-ins and allows an unauthenticated attacker with network access via HTTP to compromise the affected product. Oracle published the fix in the January 2026 Critical Patch Update.

SANS Internet Storm Center published packet-level observations a week later and said the exploit uses unusual request handling tricks, including manipulation of X-Forwarded-For, to bypass restrictions. That lines up with broader reporting that framed the flaw as an authentication bypass or improper access control issue at the proxy layer rather than a generic console bug.

That distinction matters because many headlines blur “WebLogic” into one bucket. In reality, this bug sits at the perimeter layer for environments that use Oracle HTTP Server or the WebLogic proxy plug-ins. If that layer is exposed and unpatched, it can become the path attackers use to reach sensitive backend resources.

What organizations should do now

Oracle’s guidance is straightforward: apply the January 2026 CPU or later supported fixes. Since this flaw already has public exploit code and real-world attack traffic, delaying the patch leaves exposed systems at obvious risk.

Security teams should also stop exposing administrative and proxy surfaces directly to the public internet where possible. Imperva and CloudSEK both emphasize defensive controls such as strict network access, web application firewall coverage, and close monitoring for suspicious request paths and command execution attempts. Those controls do not replace patching, but they can reduce exposure while teams roll updates out.

The bigger lesson from CloudSEK’s data is speed. Once exploit code becomes public for a high-value enterprise product, attackers do not wait for a polished campaign. They start scanning immediately, reuse existing infrastructure, and test old and new bugs in the same pass. That makes rapid patching and tight exposure control more important than ever for Oracle-facing services.

Key points

  • CVE-2026-21962 affects Oracle HTTP Server and WebLogic Server Proxy Plug-in components, not the core WebLogic Server product itself.
  • Oracle assigned the flaw a CVSS score of 10.0 and patched it in the January 2026 CPU.
  • CloudSEK saw exploitation attempts begin right after public exploit code appeared on January 22, 2026.
  • Attackers used broad automated scanning and also probed older WebLogic bugs during the same activity window.
  • Unpatched internet-exposed proxy infrastructure remains the main risk surface.

Attack activity summary

Item                   Verified detail
CVE                    CVE-2026-21962
Severity               CVSS 10.0
Affected products      Oracle HTTP Server, WebLogic Server Proxy Plug-in for Apache HTTP Server, WebLogic Server Proxy Plug-in for IIS
Public exploit timing  Exploit code public by January 22, 2026, followed by rapid abuse observed by CloudSEK
Honeypot findings      Automated scans, VPS-based traffic, old and new Oracle exploit attempts in the same dataset
Patch source           Oracle January 2026 Critical Patch Update

FAQ

What is CVE-2026-21962?

It is a critical Oracle vulnerability affecting Oracle HTTP Server and WebLogic Server Proxy Plug-in components. Oracle and NVD say it is remotely exploitable over HTTP without authentication.

Is this a core Oracle WebLogic Server bug?

Not exactly. Public records describe the affected components as Oracle HTTP Server and the WebLogic Server Proxy Plug-ins. Many reports shorten that to “WebLogic,” but the vulnerable component sits in the proxy layer.

Are attackers already using it?

Yes. CloudSEK said its honeypot saw exploitation attempts immediately after public exploit code was released. SANS also published observations of suspicious request patterns tied to the flaw.

What should defenders do first?

Patch with Oracle’s January 2026 CPU or later fixes, reduce internet exposure, and watch for suspicious proxy requests and follow-on command execution behavior.
