ATTACKERS rapidly weaponised the critical Oracle WebLogic RCE CVE-2026-21962 almost as soon as public exploit code appeared, according to a new honeypot-based analysis covering activity from 22 January to 3 February 2026. The CloudSEK study, published on 25 March, found the vulnerability has a CVSS score of 10.0 and that exploitation began on the same day the exploit was released.
The honeypot, designed to replicate a real Oracle WebLogic Server environment, recorded widespread automated scanning and exploitation attempts, with activity dominated by tools such as libredtail-http and the Nmap Scripting Engine. Researchers also observed ongoing exploitation attempts targeting older, still widely abused WebLogic flaws, including CVE-2020-14882/14883, CVE-2020-2551 and CVE-2017-10271.
The report recommends immediate patching and defensive controls, including restricting internet access to the administrative console, disabling unnecessary protocols and ports, deploying a web application firewall and monitoring logs for suspicious activity, according to CloudSEK.