External risk intelligence

Oracle WebLogic Server Remote Takeover Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.9)

CVE-2026-35263

A critical vulnerability in Oracle WebLogic Server, accessible via HTTP, could allow a low-privileged attacker to gain complete control of the server and potentially impact other connected products. This issue requires attention from teams managing the application and its infrastructure to identify instances, assess ex

Halo Surface Signal

Likely · external exposure

4Halo Surface Signal

Oracle WebLogic Server is a middleware product frequently deployed as a public-facing application server, API gateway, or web application platform. Because it is designed to handle HTTP traffic and is commonly exposed to network environments to facilitate web services, it carries a high likelihood of being reachable from the internet in standard enterprise deployments.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability affects Oracle WebLogic Server, a product used for managing web applications and services. The issue could allow an attacker to gain complete control of the server, potentially impacting other connected products. While the full business impact is under analysis, the critical severity suggests a high potential for disruption.

  • A critical flaw allows attackers server control.
  • WebLogic Server is a common enterprise application platform.
  • Confirm relevance and exposure in your environment.

Attack Path

How an attacker could exploit the issue

An attacker with low privileges could potentially gain control of a WebLogic Server by sending malicious requests over HTTP. This vulnerability resides in the Core component of Oracle WebLogic Server and, although easily exploitable, could lead to significant impact on other connected products.

  • Network access required.
  • Low-privileged attacker triggers vulnerability.
  • Full server takeover possible.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow a low-privileged attacker with network access to gain complete control of the WebLogic Server. This compromise could extend to other products integrated with the server, impacting confidentiality, integrity, and availability.

  • WebLogic Server access and data.
  • Via network, with low privileges.
  • Complete takeover of the server.

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical vulnerability in Oracle WebLogic Server, accessible via HTTP, requires immediate attention from teams managing the application and its underlying infrastructure. The first step is to locate all instances of WebLogic Server, determine their network exposure and business criticality, identify the accountable owner, and then prioritize remediation based on the assessed risk.

  • Application and infrastructure teams own this.
  • Verify all WebLogic Server instances.
  • Plan targeted remediation based on risk.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-35263 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This critical vulnerability in Oracle WebLogic Server allows a low-privileged attacker with network access to take over the server, posing a significant risk to PCI compliance.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Free EASM Trial See How Signal Works

Frequently asked questions

What is Oracle WebLogic Server?

Oracle WebLogic Server is a middleware platform used to build, deploy, and run enterprise web applications and services. It acts as the foundation for handling HTTP traffic, managing back-end application logic, and integrating various data sources. Because it manages complex interactions between users and business data, it is a frequent target for those looking to compromise web-based infrastructure.

What does CWE-284 mean for CVE-2026-35263?

This CVE falls under CWE-284, which refers to improper access control. In simple terms, the server fails to properly check if a user has permission to perform certain actions. Because of this flaw in the Core component, an attacker can bypass security restrictions to interact with or manipulate the server in ways they should not be allowed to, ultimately leading to a full system takeover.

How is this WebLogic Server vulnerability triggered?

The vulnerability is triggered when an attacker with low-level network access sends a specifically crafted HTTP request to the affected server. It is important to note that this flaw requires the attacker to have at least minimal network connectivity to the component; internal processes or services that do not accept network-based HTTP traffic from unauthorized users are not direct targets for this trigger path.

Do I need to worry if my server is internal?

Yes, you should still evaluate the risk. According to Halo Surface Signal, WebLogic Server is frequently used as a gateway or web platform, making it a high-likelihood candidate for internet exposure. Even if a specific instance is currently internal, an attacker who gains a foothold elsewhere in your network could use that internal access to target the server, meaning it is not just a concern for public-facing assets.

When should I begin responding to this vulnerability?

You should begin immediate assessment of your environment. Start by identifying every instance of WebLogic Server within your infrastructure and mapping their network connectivity. Once you have a full inventory, prioritize these assets based on their business importance and reachability. Collaborate with the infrastructure teams responsible for these systems to ensure a prompt and organized remediation plan is executed.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished