CVE-2026-35292 Overview
CVE-2026-35292 is a missing authentication vulnerability [CWE-306] in the Console component of Oracle WebLogic Server, part of Oracle Fusion Middleware. The flaw affects WebLogic Server versions 14.1.2.0.0 and 15.1.1.0.0. An unauthenticated attacker with network access over HTTP can compromise the server without user interaction. Successful exploitation results in full takeover of WebLogic Server and, due to a scope change, can impact additional connected products. Oracle disclosed the issue in the June 2026 Critical Security Patch Update.
Critical Impact
Unauthenticated remote attackers can take over Oracle WebLogic Server over HTTP, with cross-component impact through scope change.
Affected Products
- Oracle WebLogic Server 14.1.2.0.0
- Oracle WebLogic Server 15.1.1.0.0
- Oracle Fusion Middleware deployments using the affected Console component
Discovery Timeline
- 2026-06-17 - CVE-2026-35292 published to NVD
- 2026-06-17 - Oracle published advisory in the June 2026 Critical Security Patch Update (Oracle Security Alert)
- 2026-06-18 - Last updated in NVD database
Technical Details for CVE-2026-35292
Vulnerability Analysis
The vulnerability resides in the WebLogic Server administrative Console component. Oracle classifies it as easily exploitable, requiring no privileges and no user interaction. The attacker reaches the Console over HTTP and bypasses authentication to gain control of the server process.
Because the CVSS vector specifies a scope change, exploitation does not stay confined to WebLogic Server. Adjacent components and applications that share the trust boundary with WebLogic, such as Fusion Middleware integrations and downstream Java EE applications, can be impacted. Confidentiality, integrity, and availability are all fully compromised on successful attack.
No verified proof-of-concept exploit code is currently public, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Historically, WebLogic Console flaws are weaponized rapidly after disclosure, and operators should treat this issue as time-critical.
Root Cause
The root cause is classified under [CWE-306] Missing Authentication for Critical Function. The Console exposes functionality that should require authenticated administrative privileges but accepts requests from unauthenticated network clients. Oracle has not disclosed the precise code path; refer to the Oracle Security Alert for vendor detail.
Attack Vector
The attack vector is network-based over HTTP or HTTPS to the WebLogic administrative Console port, typically 7001 or 7002. The attacker sends a crafted HTTP request to a Console endpoint. With no credentials required, the request triggers privileged behavior in the Console, leading to remote code execution as the WebLogic process account.
A detailed technical description and verified exploitation code are not currently available. See the Oracle Security Alert for vendor guidance.
Detection Methods for CVE-2026-35292
Indicators of Compromise
- Unauthenticated HTTP requests to WebLogic Console paths such as /console/* or /em/* from external sources
- New or unexpected WebLogic deployments, MBeans, or scheduled work managers introduced without change-control records
- Child processes spawned by the WebLogic JVM such as cmd.exe, powershell.exe, /bin/sh, or bash running scripted payloads
- Outbound network connections from WebLogic hosts to unfamiliar IP addresses, especially shortly after suspicious Console traffic
Detection Strategies
- Inspect WebLogic access.log and AdminServer.log for anomalous POST or GET requests to Console URIs preceding administrative operations
- Alert on process-lineage anomalies where java running WebLogic spawns shells, scripting engines, or download utilities
- Correlate Console access events with subsequent file writes inside WebLogic domain directories such as domains/<domain>/servers/AdminServer/tmp
Monitoring Recommendations
- Forward WebLogic application logs, host process telemetry, and network flow data into a centralized analytics platform for correlation
- Monitor administrative Console ports for traffic originating outside approved management subnets
- Baseline normal Console activity and alert on deviations in request volume, source IPs, and accessed endpoints
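The log-inspection and baseline checks above can be scripted. The following is an added example (not part of the original advisory or any Oracle tooling) that parses WebLogic access.log lines in the default Common Log Format, flags requests to Console URIs (/console/*, /em/*) that come from outside an approved management subnet or that succeed with no authenticated principal, and counts flagged requests per source so volume deviations stand out. The management subnet 10.10.50.0/24, the login-path allowlist, and the sample log lines are all constructed assumptions; tune them to the domain being monitored.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in Common Log Format, the default layout of a
# WebLogic access.log (assumption: the domain has not switched to the
# extended log format). Source IPs are documentation ranges.
SAMPLE_LOG = """\
10.10.50.12 - weblogic [17/Jun/2026:09:01:10 +0000] "GET /console/console.portal HTTP/1.1" 200 5120
203.0.113.44 - - [17/Jun/2026:09:02:20 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 3000
203.0.113.44 - - [17/Jun/2026:09:02:31 +0000] "POST /console/j_security_check HTTP/1.1" 302 0
203.0.113.44 - - [17/Jun/2026:09:02:33 +0000] "GET /console/console.portal?_nfpb=true HTTP/1.1" 200 8810
198.51.100.7 - - [17/Jun/2026:09:05:00 +0000] "GET /em/faces/as-core-home HTTP/1.1" 200 2048
10.10.50.13 - admin [17/Jun/2026:09:06:00 +0000] "GET /myapp/index.jsp HTTP/1.1" 200 900
"""

# Assumed approved management subnet; replace with the real one.
MANAGEMENT_NETS = [ipaddress.ip_network("10.10.50.0/24")]
CONSOLE_PREFIXES = ("/console/", "/em/")
# Paths that legitimately return 200 before authentication (login form).
LOGIN_PREFIXES = ("/console/login/",)

# host ident authuser [date] "method uri protocol" status bytes
CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["user"] = None if rec["user"] == "-" else rec["user"]
    rec["status"] = int(rec["status"])
    return rec


def is_management_ip(addr):
    """True if addr lies inside one of the approved management subnets."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in MANAGEMENT_NETS)


def flag_console_requests(log_text):
    """Return alerts for Console URIs reached from outside the management
    subnet, or served with 200 to a client that has no authenticated principal
    (login form pages excepted, since they are unauthenticated by design)."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["uri"].startswith(CONSOLE_PREFIXES):
            continue
        reasons = []
        if not is_management_ip(rec["src"]):
            reasons.append("source outside management subnet")
        if (rec["user"] is None and rec["status"] == 200
                and not rec["uri"].startswith(LOGIN_PREFIXES)):
            reasons.append("200 on Console URI with no authenticated principal")
        if reasons:
            alerts.append({"src": rec["src"], "method": rec["method"],
                           "uri": rec["uri"], "reasons": reasons})
    return alerts


def per_source_counts(alerts):
    """Flagged-request volume per source IP, for baseline comparison."""
    return Counter(a["src"] for a in alerts)


if __name__ == "__main__":
    found = flag_console_requests(SAMPLE_LOG)
    for a in found:
        print(f'{a["src"]} {a["method"]} {a["uri"]}: {"; ".join(a["reasons"])}')
    print("per-source counts:", dict(per_source_counts(found)))
```

The "no authenticated principal" rule is a heuristic: the authuser field is only populated for requests WebLogic associates with a logged-in subject, so a 200 on a non-login Console page with an empty principal is worth a second look rather than a confirmed bypass. Feed the per-source counts into whatever baseline your analytics platform keeps for Console traffic.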
How to Mitigate CVE-2026-35292
Immediate Actions Required
- Apply the Oracle June 2026 Critical Patch Update to all WebLogic Server 14.1.2.0.0 and 15.1.1.0.0 instances
- Restrict access to the WebLogic administrative Console to dedicated management networks using firewall or reverse-proxy rules
- Audit WebLogic domains for unauthorized deployments, scheduled jobs, and modified configuration files
- Rotate credentials, keystores, and any secrets stored within or accessible to affected WebLogic instances
Patch Information
Oracle addressed CVE-2026-35292 in the June 2026 Critical Patch Update. Patch downloads and version-specific guidance are available in the Oracle Security Alert. Administrators should verify post-patch versions and review Oracle's recommended post-installation steps.
Workarounds
- Block external access to Console URIs at the perimeter and at any fronting load balancer or web application firewall
- Disable the administrative Console in production where it is not operationally required by setting the WebLogic domain configuration option that removes the Console application
- Place WebLogic admin servers behind a VPN or jump host so that only authenticated operators can reach management ports
# Example: restrict WebLogic Console port 7001 to a management subnet using iptables.
# Rules are appended in order, so the ACCEPT for the management subnet must be added
# before the catch-all DROP; an earlier ACCEPT rule already in the INPUT chain would
# take precedence over both. Repeat for the HTTPS Console port (typically 7002) if the
# admin server listens there as well.
iptables -A INPUT -p tcp --dport 7001 -s 10.10.50.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 7001 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.