External risk intelligence

Oracle WebLogic Server Console Takeover Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 10.0)

CVE-2026-35301

A critical vulnerability exists in Oracle WebLogic Server's Console component that allows unauthenticated network attackers to compromise the server. This could lead to a complete takeover, impacting other connected products.

Missing Authentication

Halo Surface Signal

Very likely · external exposure

5Halo Surface Signal

This vulnerability affects the Oracle WebLogic Server Console, which is a network-accessible administrative interface. It is reachable via HTTP by unauthenticated users, placing it in the category of public-facing or externally reachable management surfaces that are commonly exposed to the internet in many deployment scenarios.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in Oracle's WebLogic Server Console, a component of Oracle Fusion Middleware. This issue is easily exploitable by unauthenticated attackers over the network and could lead to a complete takeover of the server, potentially impacting other connected products.

Unauthenticated attackers can take over WebLogic Servers.
Critical systems could be compromised without warning.
Confirm if WebLogic Servers are in use.

Attack Path

How an attacker could exploit the issue

An attacker could potentially compromise an unauthenticated WebLogic Server by leveraging a vulnerability within its Console component. This could allow them to gain complete control over the server, potentially impacting other connected products.

Network access required.
Console component is targeted.
Server takeover is possible.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker with network access to completely take over the WebLogic Server, potentially impacting other connected products.

WebLogic Server
Network access via HTTP
Full server takeover

Operational Fix

Recommended remediation, mitigation, and detection steps

Attackers with network access can exploit this vulnerability in the WebLogic Server Console to take over the server, potentially impacting other products. The first step is to identify all instances of WebLogic Server, determine their exposure and criticality, confirm ownership, and then plan remediation based on risk.

Application or infrastructure teams should own.
Verify network reachability and asset criticality.
Plan remediation during a maintenance window.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-35301 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This critical vulnerability in Oracle WebLogic Server allows unauthenticated attackers to compromise the server, which would likely cause a PCI ASV scan to fail.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

CVSS vector

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Free EASM Trial See How Signal Works

Frequently asked questions

What is Oracle WebLogic Server?

Oracle WebLogic Server is a Java-based application server used by enterprises to build, deploy, and manage complex, multi-tier applications. The Console component specifically acts as a web-based administrative interface for monitoring and configuring the server environment. It functions as the central management hub for these deployments.

What does CVE-2026-35301 mean for security?

This vulnerability is classified as CWE-306, which refers to a failure to perform critical function authentication. In plain terms, the WebLogic Server Console allows actions to be performed without verifying who is making the request. This missing check lets an attacker bypass security controls to potentially gain full control of the application server.

How can an attacker trigger this vulnerability?

An attacker needs network access to the target system via HTTP to interact with the WebLogic Server Console. They do not need a pre-existing account or login credentials to initiate the attack. Crucially, this vulnerability is not triggered by user interaction, such as clicking a link or opening a file; it is a direct interaction with the server's network-facing services.

Is my organization at risk from CVE-2026-35301?

According to Halo Surface Signal, this vulnerability is very likely to pose a risk because the affected Console interface is often accessible over a network. If your WebLogic Server is configured to be reachable via the internet, it is at higher risk. Even internal deployments may be vulnerable if they are reachable by unauthorized users within your broader network environment.

What should I do first to address this issue?

Your first step is to create an inventory of all WebLogic Server instances within your environment. Once you have identified these systems, assess whether they are reachable over the network and determine the business criticality of each. Use this information to coordinate with your infrastructure teams to prioritize and plan remediation during your next scheduled maintenance window.

References

www.oracle.com/security-alerts/cspujun2026.html

Written by Nicholas Merritt

External-surface CVE analysis and Halo Surface Signal prioritization for Halo Threat Intelligence.