External risk intelligence

Oracle WebLogic Server Unauthenticated Network Takeover Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-35300

A critical vulnerability in Oracle WebLogic Server's Core component allows unauthenticated attackers with network access to completely compromise the server, impacting confidentiality, integrity, and availability. This issue is easily exploitable, and successful attacks can lead to a full takeover of the server. You sh

Deserialization

Halo Surface Signal

Very likely · external exposure

5Halo Surface Signal

Oracle WebLogic Server is a middleware platform frequently deployed as an internet-facing application server or gateway to host web applications and APIs. Because it is designed to accept unauthenticated network requests to provide these services, it is highly likely to be reachable from the public internet in common deployment patterns.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in Oracle WebLogic Server, a product used for managing web applications and services. This issue is easily exploitable by attackers without authentication, potentially allowing them to take full control of the affected server, impacting confidentiality, integrity, and availability. The primary concern at this time is to determine if your organization utilizes this technology.

  • Unauthenticated attackers can gain full control of servers.
  • Impacts confidentiality, integrity, and availability of systems.
  • Confirm relevance and exposure to Oracle WebLogic Server.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker with network access could exploit a vulnerability in Oracle WebLogic Server's Core component, potentially leading to complete control of the server.

  • Network access required.
  • Exploits Core component.
  • Full server takeover risk.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could impact the confidentiality, integrity, and availability of WebLogic Server, potentially leading to a complete takeover of the server. This could occur when an unauthenticated attacker with network access exploits the easily exploitable flaw.

  • WebLogic Server control.
  • Network-based compromise.
  • Server takeover.

Operational Fix

Recommended remediation, mitigation, and detection steps

Real-world action for this vulnerability likely falls to platform or application owners responsible for Oracle WebLogic Server deployments. The initial practical step is to discover all instances of the affected technology, assess their exposure and business criticality, and identify the accountable team. Subsequently, a risk-based remediation plan can be developed, potentially involving vendor coordination or controlled maintenance windows.

  • Platform or application owners should lead.
  • Verify external reachability and business criticality first.
  • Plan remediation based on assessed risk.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-35300 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability in Oracle WebLogic Server allows an unauthenticated attacker to compromise the server, which could lead to a PCI scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Free EASM Trial See How Signal Works

Frequently asked questions

What is Oracle WebLogic Server?

Oracle WebLogic Server is a middleware platform within the Oracle Fusion Middleware family. It acts as an application server that hosts web applications and APIs, managing the communication between end-user clients and back-end databases or business logic. Organizations commonly use it to run high-traffic Java enterprise applications, making it a critical component of their digital infrastructure.

What does CWE-502 mean for CVE-2026-35300?

CWE-502 refers to Deserialization of Untrusted Data. This vulnerability occurs when the application takes data from an untrusted source—like a network request—and reconstructs it into an object without sufficient validation. Because the software trusts this input, an attacker can manipulate the process to execute unauthorized commands, eventually gaining full control over the WebLogic Server.

How does an attacker trigger this vulnerability?

The flaw is triggered when an attacker sends a malicious, unauthenticated request over a network using TCP. The vulnerability resides in the Core component of the software. It is important to note that the attack does not require valid login credentials or prior access to the system; simply having network reachability to the server is sufficient to initiate the exploitation process.

Why is Halo Surface Signal labeling this CVE as external?

Halo Surface Signal identifies this as external because WebLogic Server is frequently deployed as an internet-facing gateway or application server. By design, these servers must accept unauthenticated network requests to function. This architectural necessity means that, in many common configurations, the server is directly reachable from the public internet, significantly increasing the potential attack surface.

How should I respond if I use WebLogic Server?

Begin by identifying all running instances of the affected versions (12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, or 15.1.1.0.0) within your environment. Once identified, evaluate the business criticality and network exposure of each server. Coordinate with the relevant platform or application owners to prioritize these systems for maintenance, ensuring a risk-based approach is used to manage the transition to a patched state.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished