CyberSecurityNews

Hackers Actively Exploiting Critical WebLogic RCE Vulnerabilities in Attacks


A recent cybersecurity study reveals that threat actors are moving faster than ever to weaponize new software flaws.

According to data collected from a high-interaction honeypot, hackers are actively exploiting a newly disclosed, maximum-severity vulnerability in Oracle WebLogic Server.

The critical flaw, tracked as CVE-2026-21962, carries a CVSS score of 10.0. It allows unauthenticated attackers to achieve remote code execution (RCE) on vulnerable servers via the WebLogic Console.

Security researchers observed attack attempts immediately after the exploit code was published online on January 22, 2026.

This lightning-fast exploitation highlights the extreme risk posed to organizations running unpatched instances.

Honeypot Captures Automated Attacks

To understand the threat landscape, researchers deployed a high-interaction honeypot that mimics a vulnerable Oracle WebLogic Server (version 14.1.1.0.0) for 12 days.

The system quickly captured a massive surge in malicious traffic. Attackers primarily used rented Virtual Private Servers (VPS) from popular hosting providers, such as DigitalOcean and HOSTGLOBAL.PLUS, to launch high-volume, automated scans while hiding their true locations.

Instead of carefully targeted strikes, threat actors used a broad “spray and pray” approach.

Automated tools like libredtail-http (generating over 1,000 requests) and the Nmap Scripting Engine flooded the honeypot with malicious requests.

While the primary goal was compromising the new CVE-2026-21962 flaw via specific ProxyServlet HTTP GET requests, attackers also heavily tested the server for older, unpatched vulnerabilities.

The data confirms that cybercriminals do not just chase new zero-days; they also rely heavily on older, proven exploits.

The honeypot also recorded steady attacks against several historical WebLogic vulnerabilities:

  • CVE-2020-14882 and CVE-2020-14883: Critical RCE flaws (CVSS 9.8) targeting the administrative console by bypassing authentication.
  • CVE-2020-2551: A severe deserialization vulnerability in the IIOP protocol that allows remote attackers to execute arbitrary code.
  • CVE-2017-10271: An older but highly reliable XML deserialization flaw in the WLS-WSAT component, often exploited via crafted SOAP requests.

Interestingly, the automated scanners also probed for completely unrelated vulnerabilities, such as bugs in Hikvision cameras and in PHPUnit, showing that attackers constantly cast a wide net, looking for any open door.

Mitigation Steps

The rapid weaponization of CVE-2026-21962 means organizations must act immediately to secure their networks.

According to CloudSEK, whose researchers ran the honeypot, organizations should adopt the following critical defenses:

  • Apply Patches Immediately: Administrators must install the latest Oracle Critical Patch Updates (CPUs) across all components, prioritizing fixes for CVE-2026-21962.
  • Restrict Console Access: The WebLogic administrative console should never be exposed directly to the public internet. Secure it behind a strict VPN or internal firewall.
  • Deploy a Web Application Firewall (WAF): Configure WAF rules to detect and block malicious path traversal requests, Deep Packet Inspection (DPI) evasion attempts, and known exploit signatures.
  • Monitor System Logs: Watch closely for unusual administrative access attempts or for the sudden execution of suspicious operating system commands such as wget or curl.
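To illustrate the last two points, here is an added example (not from the CloudSEK report or the article) that scans web access log lines for three of the signals described above: console requests from outside an assumed VPN allowlist, path traversal sequences (including percent-encoded ones, which is how WAF or DPI evasion typically looks), and the user agents of the two scanners named in the report. The log lines, the allowlist range and the console path prefix are constructed assumptions.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

# Constructed sample access log lines in Combined Log Format (not real honeypot data).
SAMPLE_LOG = """\
10.0.0.5 - - [23/Jan/2026:10:01:02 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Jan/2026:10:01:05 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 512 "-" "Nmap Scripting Engine"
198.51.100.9 - - [23/Jan/2026:10:01:09 +0000] "GET /console/css/%2e%2e/admin HTTP/1.1" 302 0 "-" "libredtail-http"
10.0.0.8 - - [23/Jan/2026:10:02:00 +0000] "GET /app/index.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Assumption: the admin console is only reachable over VPN from this internal range.
CONSOLE_ALLOWLIST = [ip_network("10.0.0.0/8")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# User agents of the two scanning tools the honeypot report names.
SCANNER_UA_RE = re.compile(r"nmap|libredtail", re.IGNORECASE)

def normalize(path):
    """Percent-decode repeatedly so multi-encoded '..' sequences (a common evasion) are caught."""
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def analyze(log_text):
    """Return [(src_ip, path, [reasons])] for lines a WebLogic administrator should review."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these as well
        ip, path, ua = m["ip"], m["path"], m["ua"]
        reasons = []
        if path.lower().startswith("/console") and not any(ip_address(ip) in n for n in CONSOLE_ALLOWLIST):
            reasons.append("console request from outside allowlist")
        if ".." in normalize(path):
            reasons.append("path traversal sequence in URL")
        if SCANNER_UA_RE.search(ua):
            reasons.append("known scanner user agent")
        if reasons:
            findings.append((ip, path, reasons))
    return findings
```

Running `analyze(SAMPLE_LOG)` flags only the two external requests; the internal console login and the ordinary application request pass silently.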

Leaving a WebLogic server exposed and unpatched is virtually guaranteed to result in a total system compromise.
