CVE-2026-35299: Oracle WebLogic Server RCE Vulnerability

CVE-2026-35299 Overview

CVE-2026-35299 is a high-severity vulnerability in the Console component of Oracle WebLogic Server, part of Oracle Fusion Middleware. The flaw affects supported versions 12.2.1.4.0 and 14.1.1.0.0. A low-privileged attacker with network access via HTTP can exploit the issue to compromise WebLogic Server. Successful exploitation results in full takeover of the server, impacting confidentiality, integrity, and availability. The weakness is classified under CWE-306: Missing Authentication for Critical Function. Oracle published the fix as part of the June 2026 Critical Patch Update.

Critical Impact
Authenticated attackers with minimal privileges can take over Oracle WebLogic Server over the network with low attack complexity and no user interaction.

Affected Products

Oracle WebLogic Server 12.2.1.4.0
Oracle WebLogic Server 14.1.1.0.0
Oracle Fusion Middleware deployments using the WebLogic Console component

Discovery Timeline

2026-06-17 - CVE-2026-35299 published to the National Vulnerability Database (NVD)
2026-06-18 - NVD record last modified
2026-06-18 - EPSS probability recorded
Oracle published guidance in the June 2026 Critical Patch Update

Technical Details for CVE-2026-35299

Vulnerability Analysis

The vulnerability resides in the WebLogic Server Console, the administrative web interface bundled with Oracle Fusion Middleware. According to Oracle's advisory, the flaw is easily exploitable and reachable over HTTP. An attacker who already holds a low-privileged account on the server can issue crafted requests against the Console to escalate access and take control of the WebLogic instance.

WebLogic Server hosts Java Enterprise applications and frequently runs with elevated service privileges. A successful compromise gives the attacker full control of deployed applications, configuration, JNDI bindings, and any data accessible to the application server. The scope is unchanged, meaning impact remains confined to the WebLogic security authority, but that authority typically includes credentials, datasource connections, and backend integrations.

Root Cause

The weakness is mapped to CWE-306 (Missing Authentication for Critical Function). The Console exposes administrative or sensitive functionality that does not enforce a complete authentication or authorization check before processing a request. A user with low privileges reaches functions intended only for administrators, breaking the privilege boundary.

Attack Vector

Exploitation proceeds over HTTP against the Console endpoint, typically /console on the WebLogic management port. The attacker authenticates with a low-privileged WebLogic account, then sends requests to Console handlers that omit privilege checks. Because no user interaction is required and attack complexity is low, exposed Consoles facing internal networks or, worse, the internet are at immediate risk.

No public proof-of-concept code has been released, and the CVE is not listed in the CISA Known Exploited Vulnerabilities catalog at the time of publication. The EPSS probability is approximately 0.389%.

Detection Methods for CVE-2026-35299

Indicators of Compromise

Unexpected HTTP requests to /console/* paths from low-privileged or service accounts
New or modified WebLogic deployments, datasources, or JNDI entries outside change windows
Creation of administrative users or role grants in the WebLogic security realm
Outbound connections from the WebLogic JVM process to unknown infrastructure following Console activity

Detection Strategies

Review WebLogic access.log and AdminServer.log for Console requests by accounts that should not perform administrative actions
Alert on Java process spawns of shells (cmd.exe, powershell.exe, /bin/sh) from the WebLogic Server JVM
Correlate authentication events with subsequent Console activity to identify privilege boundary violations
Hunt for serialized payload patterns or unusual Content-Type headers reaching Console endpoints

Monitoring Recommendations

Forward WebLogic access, audit, and domain logs to a centralized SIEM for retention and correlation
Baseline normal Console usage by source IP, account, and URI to surface anomalies
Monitor file integrity on $DOMAIN_HOME/config and deployment directories for unauthorized changes
Track egress from application server subnets to identify post-exploitation command and control

How to Mitigate CVE-2026-35299

Immediate Actions Required

Apply the June 2026 Oracle Critical Patch Update to all WebLogic Server 12.2.1.4.0 and 14.1.1.0.0 instances
Restrict network access to the WebLogic Console to trusted management networks using firewall or reverse proxy rules
Audit WebLogic security realm accounts and remove unused low-privileged users that could be abused for exploitation
Rotate credentials for any datasources, keystores, or service accounts reachable from compromised hosts if exploitation is suspected

Patch Information

Oracle released fixes for CVE-2026-35299 in the June 2026 Critical Patch Update. Administrators should review the Oracle Security Alert advisory and apply the relevant patches for versions 12.2.1.4.0 and 14.1.1.0.0. Validate patch installation through the Oracle OPatch inventory after deployment.

Workarounds

Disable the WebLogic Console in production domains where administrative access is not required
Place the Console behind a VPN or zero-trust gateway and require strong authentication for access
Apply network ACLs to block external access to the WebLogic administration port (7001 by default)
Enforce least-privilege by removing global roles from non-administrative WebLogic users

bash

# Disable the WebLogic Console via WLST
connect('weblogic','password','t3://localhost:7001')
edit()
startEdit()
cmo.setConsoleEnabled(false)
save()
activate()
disconnect()
exit()