
Oracle WebLogic Server CVE-2026-35300

EUVD-2026-37426 · CRITICAL
Deserialization of Untrusted Data (CWE-502)
2026-06-16 · oracle
CVSS 3.1 base score 9.8 · Vendor: oracle

Severity by source

Vendor (oracle), primary: 9.8 CRITICAL
  AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

vuln.today AI: 9.8 CRITICAL
  Oracle describes unauthenticated network TCP exploitation resulting in full server takeover, justifying AV:N/AC:L/PR:N/UI:N and C:H/I:H/A:H with unchanged scope.
  CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS Vector (Vendor: oracle)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

1. Analysis Generated: Jun 16, 2026 - 21:33 (vuln.today)

Description (CVE.org)

Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via TCP to compromise WebLogic Server. Successful attacks of this vulnerability can result in takeover of WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Analysis (AI)

Remote takeover of Oracle WebLogic Server (versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0) is possible for unauthenticated attackers with TCP network access to the Core component. Oracle rates this 9.8 with full confidentiality, integrity, and availability impact, and characterizes it as 'easily exploitable,' though no public exploit had been identified at the time of analysis. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify exposed WebLogic listener
Delivery: Send crafted TCP protocol message
Exploit: Trigger Core component flaw
Execution: Execute code as WebLogic user
Persist: Establish persistence on host
Impact: Pivot to internal application/database tier

Vulnerability Assessment (AI)

Exploitation: No special conditions - remote unauthenticated exploitation against default configurations of Oracle WebLogic Server is possible whenever a vulnerable instance (12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, or 15.1.1.0.0) is reachable over TCP on its listen ports. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: All signals point to high real-world priority: the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N yields 9.8 with high impact on C/I/A, Oracle itself labels the issue 'easily exploitable,' and the affected component (Core) has a long history of mass-exploited bugs. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker scans the internet for exposed WebLogic listen ports (commonly 7001/7002), sends a crafted protocol message - historically a malicious T3/IIOP serialized payload - to the Core component, and gains unauthenticated remote code execution as the WebLogic process user, leading to full server takeover and pivoting into the internal application and database tier. No public exploit was identified at the time of analysis, but Oracle's 'easily exploitable' wording suggests a working exploit will likely surface quickly given the prior history of WebLogic Core bugs.

Remediation: Apply the patch available per the vendor advisory in the Oracle Critical Patch Update for June 2026 (https://www.oracle.com/security-alerts/cspujun2026.html) to the exact affected branch - Oracle has not published a discrete fix version string in the input data, so administrators should consult the CPU matrix for the per-branch patch ID. … Detailed patch versions, workarounds, and compensating controls in full report.
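The vendor patch is the fix for this CVE. As a generic illustration of the weakness class the header assigns (CWE-502, deserialization of untrusted data), the following added example (not code from vuln.today, Oracle, or WebLogic) shows in miniature why deserializing attacker-controlled bytes is dangerous and how the JDK's built-in ObjectInputFilter (JEP 290, available since JDK 9) enforces an allowlist on a defender's own deserialization endpoints. The class names, the `Greeting`/`Unexpected` types, and the allowlist are all constructed for the demo; it does not model WebLogic's T3/IIOP handling and is not a workaround for CVE-2026-35300.

```java
import java.io.*;

// Added example, not from the page: CWE-502 in miniature, plus the JDK-level
// allowlist filter (ObjectInputFilter) as a generic hardening for Java
// deserialization. Runs stand-alone with: java DeserializationFilterDemo.java
public class DeserializationFilterDemo {

    // The one type a hypothetical service legitimately expects to receive.
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    // Constructed stand-in for a class the service never expects over the wire.
    // A real gadget class would run attacker-chosen logic inside readObject();
    // here it only records that its readObject() was reached at all.
    public static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean reached = false;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            reached = true; // runs before the caller ever sees the returned object
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Vulnerable pattern: deserialize whatever bytes arrive, any class allowed.
    static Object readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // Hardened pattern: a per-stream allowlist. The filter is consulted for each
    // class before it is resolved, so a rejected class's readObject() never runs.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowOnlyGreeting = info -> {
            Class<?> c = info.serialClass();
            // Null class means a limit check (depth, array length), not a class decision.
            if (c == null) return ObjectInputFilter.Status.UNDECIDED;
            return c == Greeting.class ? ObjectInputFilter.Status.ALLOWED
                                       : ObjectInputFilter.Status.REJECTED;
        };
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(allowOnlyGreeting);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] benign = serialize(new Greeting("hello"));
        byte[] hostile = serialize(new Unexpected()); // constructed stand-in for a crafted payload

        System.out.println("unfiltered benign:  " + ((Greeting) readUnfiltered(benign)).text);
        readUnfiltered(hostile);
        System.out.println("unfiltered hostile: readObject side effect reached = " + Unexpected.reached);

        Unexpected.reached = false;
        System.out.println("filtered benign:    " + ((Greeting) readFiltered(benign)).text);
        try {
            readFiltered(hostile);
        } catch (InvalidClassException e) {
            System.out.println("filtered hostile:   rejected (" + e.getMessage()
                    + "), side effect reached = " + Unexpected.reached);
        }
    }
}
```

The design point is that the allowlist decision happens before class resolution, so nothing in the rejected class ever executes. A process-wide default can be set with the `jdk.serialFilter` system property instead of a per-stream filter; that is a standard JDK mechanism, and whether or how a given application server honours it is a question for that vendor's documentation rather than something this page states.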

Recommended Action (AI)

Within 24 hours: Conduct an inventory of all Oracle WebLogic Server instances; document versions, network location, and connected systems. …

