Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-35301

CVE-2026-35301: Oracle WebLogic Server RCE Vulnerability

CVE-2026-35301 is a critical RCE vulnerability in Oracle WebLogic Server Console affecting versions 12.2.1.4.0 and 14.1.1.0.0. Unauthenticated attackers can gain complete system takeover. This article covers technical details, impact, and mitigation.

Published:

CVE-2026-35301 Overview

CVE-2026-35301 is a critical authentication bypass vulnerability in the Console component of Oracle WebLogic Server, part of Oracle Fusion Middleware. The flaw affects supported versions 12.2.1.4.0 and 14.1.1.0.0. An unauthenticated attacker with network access via HTTP can compromise the server with low complexity and no user interaction. Successful exploitation results in complete takeover of the WebLogic Server instance. The vulnerability also carries a scope change, meaning attacks can impact resources beyond WebLogic Server itself. The weakness maps to [CWE-306]: Missing Authentication for a Critical Function.

Critical Impact

Unauthenticated remote attackers can achieve full takeover of Oracle WebLogic Server with confidentiality, integrity, and availability fully compromised, and the scope extends to additional connected products.

Affected Products

  • Oracle WebLogic Server 12.2.1.4.0
  • Oracle WebLogic Server 14.1.1.0.0
  • Oracle Fusion Middleware deployments using the WebLogic Console component

Discovery Timeline

  • 2026-06-17 - CVE-2026-35301 published to the National Vulnerability Database
  • 2026-06-18 - Last updated in NVD database
  • 2026-06 - Oracle published security alert cspujun2026 covering this issue

Technical Details for CVE-2026-35301

Vulnerability Analysis

The vulnerability resides in the Console component of Oracle WebLogic Server. The Console is the administrative web interface for managing WebLogic domains, deployments, and configuration. The flaw allows an unauthenticated remote attacker to reach functionality that should require administrative credentials.

Because the vulnerability carries a scope change, exploitation can affect components outside the vulnerable WebLogic instance. WebLogic frequently hosts business-critical Java applications, integrates with databases, and serves as a backbone for Oracle Fusion Middleware. A successful takeover provides a pivot point into the broader enterprise application stack.

The attack vector is the network, complexity is low, and no privileges or user interaction are required. These attributes make CVE-2026-35301 suitable for opportunistic mass exploitation by internet-facing scanners. Oracle WebLogic Console flaws have historically been targeted by ransomware operators and cryptominers within days of disclosure.

Root Cause

The underlying weakness is classified as Missing Authentication for a Critical Function [CWE-306]. The Console exposes administrative functionality reachable over HTTP without enforcing authentication on the affected code paths. Oracle has not published deep technical details beyond the security alert, and no public proof-of-concept exploit is currently available.

Attack Vector

Exploitation requires only HTTP network reachability to the WebLogic Console endpoint, typically exposed on ports 7001 or 7002. An attacker sends a crafted request to the vulnerable Console handler to bypass authentication and invoke privileged operations. The result is arbitrary command execution under the WebLogic process account, leading to host compromise and lateral movement.

No verified public exploit code is available at this time. Refer to the Oracle Security Alert for vendor-supplied technical details.

Detection Methods for CVE-2026-35301

Indicators of Compromise

  • Unauthenticated HTTP or HTTPS requests to /console/, /console/css/, or /console/images/ paths followed by administrative actions
  • New or unexpected WebLogic deployments, WAR files, or JSP files appearing in the domain servers/<server>/tmp/ or autodeploy/ directories
  • Child processes spawned from java WebLogic processes invoking cmd.exe, powershell.exe, /bin/sh, or curl
  • Outbound connections from WebLogic hosts to unknown IPs immediately following Console access

Detection Strategies

  • Monitor WebLogic access.log for HTTP requests to Console URIs from unauthenticated sessions or unexpected source IPs
  • Alert on JVM processes spawning shells or scripting interpreters, a strong indicator of Java application server compromise
  • Inspect WebLogic AdminServer.log and domain.log for unexpected MBean operations, deployments, or configuration changes
  • Apply network signatures from your IDS/IPS vendor that target WebLogic Console authentication bypass patterns

Monitoring Recommendations

  • Forward WebLogic access, server, and audit logs to a centralized SIEM with retention sufficient for retrospective hunting
  • Baseline normal Console access patterns and alert on deviations such as off-hours administrative requests
  • Track outbound network connections from middleware tiers, which should rarely initiate egress to arbitrary internet hosts
  • Run periodic external attack surface scans to identify any WebLogic Console interfaces unintentionally exposed to the internet

How to Mitigate CVE-2026-35301

Immediate Actions Required

  • Apply the Oracle Critical Patch Update referenced in the Oracle Security Alert to all WebLogic Server 12.2.1.4.0 and 14.1.1.0.0 instances
  • Remove or restrict internet exposure of the WebLogic Console; the Console should never be reachable from untrusted networks
  • Inventory all Oracle Fusion Middleware deployments to confirm patch coverage, including embedded WebLogic instances inside other Oracle products
  • Review logs for prior unauthenticated Console access to determine whether exploitation has already occurred

Patch Information

Oracle addressed CVE-2026-35301 in the June 2026 Critical Patch Update. Administrators should download and apply the patches listed in the Oracle Security Alert cspujun2026 for each affected WebLogic Server version. Patching requires a domain restart and should be scheduled with change control. After patching, verify the applied patch level using OPatch lsinventory.

Workarounds

  • Block external access to WebLogic Console ports (7001, 7002, or custom admin ports) at the perimeter firewall and reverse proxy
  • Restrict Console access to a dedicated management VLAN reachable only via VPN or bastion host
  • Disable the Console in production domains where it is not required using the WebLogic Administration Console setting Console Enabled = false
  • Place a Web Application Firewall in front of WebLogic with rules limiting /console/ access to known administrative source IPs
bash
# Example: disable WebLogic Console via WLST
connect('weblogic', 'password', 't3://adminhost:7001')
edit()
startEdit()
cd('/')
cmo.setConsoleEnabled(false)
save()
activate()
disconnect()
exit()

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne