A critical Oracle WebLogic vulnerability was weaponized almost immediately after public exploit code became available, according to a new honeypot-based analysis covering attack activity between January 22 and February 3, 2026.
The research focused on CVE-2026-21962, a remote code execution (RCE) flaw with a CVSS score of 10.0, and found that attackers began exploiting the vulnerability on the same day the exploit was released.
The CloudSEK study, published on March 25, used a high-interaction honeypot designed to replicate a real Oracle WebLogic Server environment.
Researchers recorded widespread automated scanning and exploitation attempts, confirming how quickly threat actors weaponize newly disclosed vulnerabilities.
Rapid Exploitation Observed
The most significant finding was the speed at which attackers adopted the CVE-2026-21962 exploit. Logs showed the first exploitation attempt occurred on January 22, the same day the exploit code was published. Additional scanning activity appeared days later as more attackers began probing internet-exposed servers.
Researchers also observed ongoing exploitation attempts targeting older but still widely abused WebLogic vulnerabilities, including:
-
CVE-2020-14882/14883 console remote code execution
-
CVE-2020-2551 IIOP deserialization remote code execution
-
CVE-2017-10271 WLS-WSAT deserialization remote code execution
This pattern shows attackers continue to rely on a small number of well-known vulnerabilities that remain effective against unpatched systems.
Automated Scanning and Broad Attacks
CloudSEK confirmed that most of the observed attacks originated from rented virtual private servers hosted by common cloud providers.
Activity was dominated by automated scanning tools, including libredtail-http and the Nmap Scripting Engine.
Read more on Oracle WebLogic security vulnerabilities: Oracle To Address 320 Vulnerabilities in January Patch Update
The honeypot also captured numerous non-WebLogic attacks, including command injection, path traversal attempts and reconnaissance activity. Generic web reconnaissance was the most frequent activity, accounting for 967 requests from 78 unique IP addresses over the 12-day period.
Mitigation and Security Recommendations
The report concluded that organizations running Oracle WebLogic servers should prioritize patching and defensive controls immediately. Key recommendations include:
-
Apply the latest Oracle security patches immediately
-
Restrict administrative console access from the internet
-
Disable unnecessary protocols and ports
-
Deploy web application firewall filtering
-
Monitor logs for suspicious activity
“The data underscores the critical and immediate need for organizations to prioritize the patching of CVE-2026-21962 and implement robust layered defenses,” CloudSEK warned, “including strict access control for the administrative console and WAF filtering, to mitigate the severe RCE risk posed by these unauthenticated exploits.”
