Emergency Fix

CVE-2026-21962

Unauthenticated Remote Code Execution in Oracle HTTP Server / WebLogic Proxy Plug-in (pre-auth)

Summary

An unauthenticated, network-exploitable flaw in the WebLogic Server Proxy Plug-in (used by Oracle HTTP Server for Apache and IIS) allows specially crafted HTTP requests to reach protected proxy servlets and inject commands. The issue arises from improper request/path handling and unsanitized header processing (pre-auth), enabling remote command execution and full compromise of affected middleware and potentially downstream systems.

Why Emergency Fix?

6/6 criteria met:
  • No authentication required
  • Commonly internet-facing deployment
  • No user interaction needed
  • Exploitable in default configuration
  • Active exploitation in the wild
  • High impact vulnerability

Exploitation Details

Type: RCE (Remote Code Execution)
Exploitable with default configuration: Yes
Authentication needed: No
PoC / Exploit: Yes
Impact

Execute arbitrary operating-system commands as the process user running Oracle HTTP Server / WebLogic proxy, enabling full system compromise and access to proxied/backend data.

Exploitation Requirements
  • Unauthenticated network (HTTP/S) access to an instance where the WebLogic Proxy Plug-in is exposed (e.g. /weblogic/..;/bea_wls_internal/ProxyServlet); no credentials or special configuration required.
Exploitation Process

An attacker sends crafted HTTP requests that abuse path normalization and the proxy plug-in's forwarding logic (examples: requests containing the sequence '..;' to bypass path restrictions and reach internal ProxyServlet endpoints). Once the ProxyServlet is reached, attacker-controlled header values (e.g., WL-Proxy-Client-IP or custom headers used by the plug-in/template) are passed without sufficient sanitization and used in a context that leads to command execution. Successful exploitation can be verified by returned command output in HTTP responses or by establishing reverse shells to the attacker-controlled listener.

Affected Software

Vendor: Oracle
Product | Affected Versions
Oracle HTTP Server | 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0
WebLogic Server Proxy Plug-in for Apache HTTP Server | 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0
WebLogic Server Proxy Plug-in for IIS | 12.2.1.4.0
Description

Oracle HTTP Server is a web server used to deliver HTTP/S traffic and act as a reverse proxy; the WebLogic Server Proxy Plug-in forwards requests from the HTTP Server (Apache or IIS) to backend Oracle WebLogic Server instances.

Deployment: Commonly internet-facing | Protocol: HTTP | Ports: 80, 443, 7001
Affected Component: WebLogic Server Proxy Plug-in (Apache/IIS) request-forwarding component (ProxyServlet/proxy endpoints) that handles incoming HTTP requests and headers used to preserve client identity.

Affected Endpoints (4):
  • /weblogic/..;/bea_wls_internal/ProxyServlet
  • /wl_proxy/..;/bea_wls_internal/ProxyServlet
  • /_proxy/..;/bea_wls_internal/ProxyServlet
  • /proxy/..;/bea_wls_internal/ProxyServlet
Enterprise Usage: Estimated likelihood that this vendor/product is deployed in enterprise environments (AI-generated estimation based on market presence, product type and adoption signals; not exact data).
Vendor Size: Big
Remediation
Workaround
Block or deny external access to internal proxy servlet paths (e.g., block requests matching /bea_wls_internal/* and the '..;' traversal pattern at the web server or WAF), implement WAF rules to drop requests containing the '..;' sequence targeting proxy endpoints, and restrict/disable the ProxyServlet if not required.

Source: cvereports.com
Patch
Apply the Oracle CPU/JAN-2026 product bundle patches or the vendor-provided bundle patches for affected releases (example MOS patch references: Patch 38856415 / WLS stack patch bundles distributed via My Oracle Support).

Source: support.oracle.com
Update
Apply Oracle Critical Patch Update (CPU) January 2026 which contains fixes for Oracle HTTP Server and WebLogic Server Proxy Plug-in (updates for affected Fusion Middleware components).

Source: www.oracle.com
Threat Intelligence
EPSS Score: 0.0% (probability of exploitation in the next 30 days)
EPSS Percentile: 4% (worse than 4% of all CVEs)
CISA KEV: Not Listed
Active Exploitation: Active (source: cloudsek.com)
Threat Actors: No known threat actors

Detection Rules (3)
Sigma:
Detect HTTP requests with path traversal to the internal ProxyServlet and injected proxy headers (uri contains '..;' and '/bea_wls_internal/ProxyServlet' or '/wl_proxy/..;').
Snort:
# Snort 3 syntax: http_uri and http_header are sticky buffers; ';' inside content is escaped
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"CVE-2026-21962 Oracle WebLogic proxy traversal attempt"; flow:established,to_server; http_uri; content:"..\;/bea_wls_internal/ProxyServlet"; http_header; content:"WL-Proxy-Client-IP"; pcre:"/\;[A-Za-z0-9+\/=]{8,}/"; sid:1000001; rev:1;)
KQL:
Search web server logs for request_uri contains "bea_wls_internal/ProxyServlet" OR request_headers.WL-Proxy-Client-IP contains ";" followed by a base64-like payload; report matches for investigation.
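The workaround and the three detection rules above describe the same two indicators: a '..;' traversal sequence reaching /bea_wls_internal/ProxyServlet, and a WL-Proxy-Client-IP header carrying ';' followed by a base64-like payload. The following Python triage script, added here as an illustration and not code from Oracle or cvereports.com, applies both checks to request records and assigns a block/alert/allow disposition matching the workaround. The tab-separated log format, the sample records and the helper names (normalize_path, classify_request, triage) are assumptions constructed for this example; percent-decoding before matching is an added hardening step so an encoded form of the same path is not missed.

```python
"""Triage web-server request records for the CVE-2026-21962 indicators named
in this advisory: '..;' path traversal toward /bea_wls_internal/ProxyServlet
and a WL-Proxy-Client-IP header carrying ';' plus a base64-like payload.
Added example, not vendor or cvereports.com code; the log format is constructed.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Indicators taken from the advisory's workaround and detection-rule text.
INTERNAL_PROXY_PREFIX = "/bea_wls_internal/"
TRAVERSAL_TOKEN = "..;"
PROXY_HEADER = "wl-proxy-client-ip"
# ';' followed by eight or more base64-alphabet characters (page's Snort/KQL rules)
BASE64ISH_AFTER_SEMICOLON = re.compile(r";[A-Za-z0-9+/=]{8,}")

# Constructed sample records (assumed tab-separated: client, method, URI,
# headers as 'Name=value' pairs joined by '|'); not captured traffic.
SAMPLE_LOG_LINES = [
    "203.0.113.10\tGET\t/console/login/LoginForm.jsp\tHost=ohs.example.test",
    "203.0.113.11\tGET\t/weblogic/..;/bea_wls_internal/ProxyServlet\t"
    "Host=ohs.example.test|WL-Proxy-Client-IP=198.51.100.5",
    "203.0.113.12\tGET\t/wl_proxy/%2e%2e%3b/bea_wls_internal/ProxyServlet\tHost=ohs.example.test",
    "203.0.113.13\tPOST\t/app/index.html\tWL-Proxy-Client-IP=198.51.100.7;QUJDREVGR0hJSktM",
    "203.0.113.14\tGET\t/app/index.html\tWL-Proxy-Client-IP=198.51.100.9",
]


def normalize_path(uri: str) -> str:
    """Return the path component, percent-decoded up to twice so that an
    encoded or double-encoded '..;' is compared in its decoded form."""
    path = uri.split("?", 1)[0]
    for _ in range(2):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify_request(uri: str, headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (level, reason) findings; 'block' for the path patterns the
    workaround says to deny, 'alert' for the header pattern to investigate."""
    findings: List[Tuple[str, str]] = []
    path = normalize_path(uri)
    if TRAVERSAL_TOKEN in path:
        findings.append(("block", "'..;' traversal sequence in request path"))
    if INTERNAL_PROXY_PREFIX in path:
        findings.append(("block", f"external request to internal proxy path {INTERNAL_PROXY_PREFIX}"))
    lowered = {name.lower(): value for name, value in headers.items()}
    if BASE64ISH_AFTER_SEMICOLON.search(lowered.get(PROXY_HEADER, "")):
        findings.append(("alert", "';' plus base64-like payload in WL-Proxy-Client-IP header"))
    return findings


def action_for(findings: List[Tuple[str, str]]) -> str:
    """Collapse findings to a single disposition: block > alert > allow."""
    levels = {level for level, _ in findings}
    if "block" in levels:
        return "block"
    if "alert" in levels:
        return "alert"
    return "allow"


def parse_log_line(line: str) -> Tuple[str, str, str, Dict[str, str]]:
    """Parse one record of the constructed tab-separated format."""
    client, method, uri, raw_headers = line.rstrip("\n").split("\t", 3)
    headers: Dict[str, str] = {}
    for item in filter(None, raw_headers.split("|")):
        name, _, value = item.partition("=")
        headers[name.strip()] = value.strip()
    return client, method, uri, headers


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Run the classifier over log records and return one result per record."""
    results: List[Dict[str, object]] = []
    for line in lines:
        client, method, uri, headers = parse_log_line(line)
        findings = classify_request(uri, headers)
        results.append({"client": client, "method": method, "uri": uri,
                        "action": action_for(findings), "findings": findings})
    return results


if __name__ == "__main__":
    for result in triage(SAMPLE_LOG_LINES):
        print(f"{result['action']:5}  {result['client']:14} {result['method']:4} {result['uri']}")
        for level, reason in result["findings"]:
            print(f"       [{level}] {reason}")
```

Of the five constructed records, the two that reach /bea_wls_internal/ProxyServlet through '..;' (one plain, one percent-encoded) are blocked, the record whose only indicator is the header payload is raised for investigation, and the record with an ordinary WL-Proxy-Client-IP value is allowed, which is the false-positive check to keep when turning this into a WAF or SIEM rule.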

NVD Data


Description Summary

Vulnerability in the Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in product of Oracle Fusion Middleware (component: Weblogic Server Proxy Plug-in for Apache HTTP Server, Weblogic Server Proxy Plug-in for IIS). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in. While the vulnerability is in Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in accessible data as well as unauthorized access to critical data or complete access to all Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in accessible data. Note: Affected version for Weblogic Server Proxy Plug-in for IIS is 12.2.1.4.0 only. CVSS 3.1 Base Score 10.0 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N).

CVSS Base Score: 10.0 (Critical)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Privileges Required (PR): None
  • User Interaction (UI): None
  • Scope (S): Changed
  • Confidentiality (C): High
  • Integrity (I): High
  • Availability (A): None
CWE: CWE-284 Improper Access Control

Affected Software (CPE) (6)

  • cpe:2.3:a:oracle:http_server:12.2.1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:http_server:14.1.1.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:http_server:14.1.2.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server_proxy_plug-in:12.2.1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server_proxy_plug-in:14.1.1.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server_proxy_plug-in:14.1.2.0.0:*:*:*:*:*:*:*