CVE-2026-35300 Overview
CVE-2026-35300 is a critical unauthenticated remote code execution vulnerability in the Core component of Oracle WebLogic Server, part of Oracle Fusion Middleware. The flaw allows attackers with network access via TCP to compromise WebLogic Server without authentication or user interaction. Successful exploitation results in full takeover of the affected server, including confidentiality, integrity, and availability impact. Oracle disclosed the issue in the June 2026 Critical Patch Update. The vulnerability is categorized under [CWE-502] Deserialization of Untrusted Data, a recurring weakness class in WebLogic that has produced multiple weaponized exploits over the past decade.
Critical Impact
An unauthenticated remote attacker can achieve full takeover of Oracle WebLogic Server over the network with low attack complexity, leading to complete compromise of hosted applications and data.
Affected Products
- Oracle WebLogic Server 12.2.1.4.0
- Oracle WebLogic Server 14.1.1.0.0
- Oracle WebLogic Server 14.1.2.0.0
- Oracle WebLogic Server 15.1.1.0.0
Discovery Timeline
- 2026-06-17 - CVE-2026-35300 published to NVD
- 2026-06-18 - Last updated in NVD database
- June 2026 - Oracle releases security patch via Critical Patch Update
Technical Details for CVE-2026-35300
Vulnerability Analysis
The vulnerability resides in the Core component of Oracle WebLogic Server. It allows an unauthenticated attacker with TCP network access to compromise the server and obtain full control. Oracle classifies the issue as easily exploitable, and the impact extends to confidentiality, integrity, and availability of the host application server.
The weakness type [CWE-502] indicates insecure deserialization of attacker-controlled data. WebLogic exposes several protocols, including T3, T3S, IIOP, and IIOPS, that historically process serialized Java objects. When the server deserializes untrusted input without proper class filtering, a crafted object graph can trigger gadget chains that execute arbitrary code in the WebLogic Java process.
Because WebLogic typically runs with elevated privileges and hosts critical enterprise applications, takeover provides access to backend databases, integration endpoints, and lateral movement opportunities within the enterprise network.
Root Cause
The root cause is unsafe Java object deserialization in the WebLogic Core component. The affected code path accepts serialized data from network clients and reconstructs objects without sufficient allowlist controls on the resolved classes. Gadget classes present on WebLogic's classpath can then be chained to execute commands during object resolution.
Attack Vector
An attacker sends a crafted serialized payload to a network port exposed by WebLogic, commonly the T3 or IIOP listener on the AdminServer or managed server. No credentials and no user interaction are required. Internet-exposed WebLogic instances are at the highest risk, but internal attackers reaching the management port can also exploit the issue.
The vulnerability mechanism follows the established WebLogic deserialization pattern. Public verified proof-of-concept code is not available at publication, and the EPSS forecast reflects a moderate near-term exploitation probability. See the Oracle Security Alert for vendor technical details.
Detection Methods for CVE-2026-35300
Indicators of Compromise
- Unexpected outbound connections originating from the WebLogic Java process (java.exe or java) following inbound traffic on T3 (7001), T3S (7002), or IIOP ports.
- Creation of new .jsp or .war files under WebLogic deployment directories such as servers/AdminServer/tmp/_WL_internal/ outside of normal deployment activity.
- Spawning of shell processes (cmd.exe, /bin/sh, bash, powershell.exe) as child processes of the WebLogic server JVM.
- Anomalous serialized object payloads in network captures containing markers such as aced0005 or known gadget class names like oracle.jdbc.rowset or com.tangosol.
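As an added example that is not part of the original advisory, the following Python detector checks a captured T3 payload for the Java serialization magic named in the indicator above and pulls class names out of the stream's TC_CLASSDESC records, flagging any that start with the listed prefixes; the sample stream, the T3 handshake line, the class name, and the prefix watchlist are constructed for this example.

```python
import re
import struct

JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"   # the "aced0005" marker from the indicator list
TC_CLASSDESC = 0x72                       # Java serialization tag that precedes a class name
# Prefixes from the indicator list above; extend with your own watchlist (assumption).
SUSPECT_PREFIXES = ("oracle.jdbc.rowset", "com.tangosol")
# T3 clients open with a handshake line before any serialized data; constructed here.
T3_HANDSHAKE = b"t3 12.2.1\nAS:255\nHL:19\n\n"

def extract_class_names(data: bytes) -> list[str]:
    """Heuristic walk: at each 0x72 tag read a 2-byte big-endian length and a
    class name; accept it only if it looks like a Java class name."""
    names, i = [], 0
    while i + 3 <= len(data):
        if data[i] == TC_CLASSDESC:
            n = struct.unpack(">H", data[i + 1:i + 3])[0]
            raw = data[i + 3:i + 3 + n]
            if 0 < n <= 256 and len(raw) == n and re.fullmatch(rb"[A-Za-z_$][\w$.]*", raw):
                names.append(raw.decode("ascii"))
                i += 3 + n
                continue
        i += 1
    return names

def inspect_payload(payload: bytes) -> dict:
    """Report whether a payload carries a Java serialized stream and which
    class names it declares, flagging those on the watchlist."""
    at = payload.find(JAVA_SERIAL_MAGIC)
    if at < 0:
        return {"serialized": False, "classes": [], "suspect": []}
    classes = extract_class_names(payload[at + len(JAVA_SERIAL_MAGIC):])
    return {"serialized": True, "classes": classes,
            "suspect": [c for c in classes if c.startswith(SUSPECT_PREFIXES)]}

def build_sample_stream(class_name: str) -> bytes:
    """Constructed minimal stream for exercising the detector: handshake, magic,
    TC_OBJECT, TC_CLASSDESC, name, serialVersionUID, flags, field count,
    TC_ENDBLOCKDATA, TC_NULL. Not a working object graph, only its framing."""
    name = class_name.encode("ascii")
    return (T3_HANDSHAKE + JAVA_SERIAL_MAGIC + b"\x73" + bytes([TC_CLASSDESC])
            + struct.pack(">H", len(name)) + name + b"\x00" * 8 + b"\x02" + b"\x00\x00"
            + b"\x78\x70")

if __name__ == "__main__":
    print(inspect_payload(build_sample_stream("oracle.jdbc.rowset.ExampleRowSet")))
```

The class-name walk is a heuristic for triage, not a full stream parser; a real alert should still be confirmed by decoding the capture with a proper Java serialization tool.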
Detection Strategies
- Inspect WebLogic access and server logs for malformed T3 or IIOP handshakes and unusual weblogic.rjvm traffic patterns.
- Apply network IDS signatures targeting WebLogic deserialization gadget chains and Java serialization magic bytes on non-standard ports.
- Correlate child process creation under the WebLogic JVM with inbound network activity using endpoint detection and response telemetry.
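As an added example that is not part of the original advisory, the following Python script implements the last strategy above: it walks EDR-style events, flags shells spawned by the WebLogic JVM, and raises severity when that JVM received inbound traffic on the T3/T3S ports shortly before; the event records, hostnames, pids, and the 60-second window are constructed for this example.

```python
from datetime import datetime, timedelta

LISTEN_PORTS = {7001, 7002}   # T3/T3S listeners named above; add your IIOP ports (assumption)
JVM_IMAGES = {"java", "java.exe"}
SHELLS = {"cmd.exe", "/bin/sh", "sh", "bash", "powershell.exe"}
WINDOW = timedelta(seconds=60)  # how long after inbound traffic a spawned shell is tied to it

# Constructed EDR-style telemetry for this example (not real logs). "pid" on a
# net_in event is the listening JVM's pid; "ppid" on a proc event is the parent's pid.
SAMPLE_EVENTS = [
    {"ts": "2026-06-20T10:00:00", "host": "wls01", "type": "net_in",
     "pid": 4120, "dst_port": 7001, "src": "203.0.113.9"},
    {"ts": "2026-06-20T10:00:03", "host": "wls01", "type": "proc",
     "pid": 5011, "ppid": 4120, "image": "/bin/sh", "parent_image": "java"},
    {"ts": "2026-06-20T11:30:00", "host": "wls02", "type": "proc",
     "pid": 777, "ppid": 600, "image": "bash", "parent_image": "sshd"},
    {"ts": "2026-06-20T12:00:00", "host": "wls01", "type": "proc",
     "pid": 6000, "ppid": 4120, "image": "/bin/sh", "parent_image": "java"},
]

def correlate(events):
    """Alert on shells whose parent is the WebLogic JVM. Severity is 'high'
    when that JVM received inbound T3/T3S traffic within WINDOW beforehand,
    'medium' otherwise (a shell under the JVM is abnormal either way)."""
    last_inbound = {}  # (host, jvm pid) -> (timestamp, source address)
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] == "net_in" and e["dst_port"] in LISTEN_PORTS:
            last_inbound[(e["host"], e["pid"])] = (ts, e["src"])
        elif (e["type"] == "proc" and e["parent_image"] in JVM_IMAGES
              and e["image"] in SHELLS):
            prior = last_inbound.get((e["host"], e["ppid"]))
            if prior and ts - prior[0] <= WINDOW:
                alerts.append({"host": e["host"], "pid": e["pid"],
                               "severity": "high", "src": prior[1]})
            else:
                alerts.append({"host": e["host"], "pid": e["pid"],
                               "severity": "medium", "src": None})
    return alerts

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
```

Legitimate deployment tooling can also spawn shells under the JVM, so tune the shell list and window against a baseline of the host's normal activity before paging on medium-severity hits.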
Monitoring Recommendations
- Continuously monitor exposure of WebLogic management ports (7001, 7002) to untrusted networks and alert on new external exposure.
- Enable WebLogic auditing and forward server logs to a centralized SIEM for behavioral analysis and long-term retention.
- Track file integrity on WebLogic deployment, tmp, and cache directories to detect unauthorized webshell deployment.
How to Mitigate CVE-2026-35300
Immediate Actions Required
- Apply the Oracle June 2026 Critical Patch Update to all WebLogic Server instances running versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, or 15.1.1.0.0.
- Restrict network access to T3, T3S, IIOP, and IIOPS ports so they are reachable only from trusted management networks.
- Inventory all WebLogic deployments, including embedded instances in Oracle Fusion Middleware products, to confirm patch coverage.
- Audit WebLogic hosts for signs of prior exploitation, including unexpected JSP files, scheduled tasks, and new local accounts.
Patch Information
Oracle published the fix as part of the June 2026 Critical Patch Update. Administrators should follow the patch matrix in the Oracle Security Alert and apply the corresponding bundle patch for each affected WebLogic version. Patches must be applied to both AdminServer and all managed servers, followed by a full restart of the domain.
Workarounds
- Configure the WebLogic connection filter weblogic.security.net.ConnectionFilterImpl to deny T3 and IIOP connections from untrusted source addresses.
- Disable IIOP in the WebLogic console under Protocols > IIOP for managed servers that do not require it.
- Place WebLogic behind a reverse proxy or web application firewall that terminates HTTP only and blocks direct T3 protocol traffic.
- Treat workarounds as temporary; the Oracle Critical Patch Update is the only complete remediation.
# Example WebLogic connection filter rules to restrict T3/IIOP access
# Set in WebLogic console: Domain > Security > Filter
# Connection Filter: weblogic.security.net.ConnectionFilterImpl
# Connection Filter Rules (one per line, format: target localAddress localPort action protocols;
# evaluated in order, first match wins, so the allow rule for the trusted management
# network must precede the catch-all deny; 10.0.0.0/8 is a placeholder for your own range):
10.0.0.0/8 * * allow t3 t3s iiop iiops
* * * deny t3 t3s iiop iiops
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

