Description
Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise WebLogic Server. While the vulnerability is in WebLogic Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of WebLogic Server. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
Published: 2026-06-16
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Console component of Oracle WebLogic Server and allows an unauthenticated attacker who can reach the server over HTTP to compromise the entire application. The flaw is easily exploitable and can lead to a full takeover, giving the attacker full control over confidentiality, integrity, and availability of the system.

Affected Systems

Oracle Corporation's WebLogic Server products are affected. The specific versions impacted are 14.1.2.0.0 and 15.1.1.0.0. Users running these releases should verify whether the WebLogic Console is publicly exposed, as that is the entry point for the exploit.

Risk and Exploitability

The CVSS 3.1 base score of 10.0 reflects a trivial attack complexity, no authentication, no user interaction, and a complete scope change. The EPSS score is below 1%, indicating that the probability of exploitation remains very low, but the potential impact is catastrophic. The vulnerability is not currently listed in the CISA KEV catalog. Because the flaw operates over a network-facing HTTP interface and requires no credentials, it is likely the most straightforward attack path for an adversary. Successful exploitation can result in arbitrary code execution and takeover of the targeted WebLogic Server.

Generated by OpenCVE AI on June 18, 2026 at 23:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the most recent Oracle WebLogic Server patch that addresses the console vulnerability for the affected versions 14.1.2.0.0 and 15.1.1.0.0.
  • If a patch is not immediately available, restrict HTTP access to the WebLogic Console to trusted network segments, or disable the console entirely via configuration.
  • Configure firewalls or reverse proxies to block or rate‑limit incoming HTTP traffic to the WebLogic Server, and follow hardening practices such as disabling default accounts and enforcing secure authentication.

Generated by OpenCVE AI on June 18, 2026 at 23:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 22:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated Remote Takeover via WebLogic Server Console
Weaknesses CWE-20
CWE-284

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated Remote Takeover via WebLogic Server Console
Weaknesses CWE-20
CWE-284
CWE-306
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise WebLogic Server. While the vulnerability is in WebLogic Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of WebLogic Server. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
First Time appeared Oracle
Oracle weblogic Server
CPEs cpe:2.3:a:oracle:weblogic_server:14.1.2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:15.1.1.0.0:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle weblogic Server
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Oracle Weblogic Server
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-18T03:57:17.430Z

Reserved: 2026-04-01T20:03:40.836Z

Link: CVE-2026-35292

cve-icon Vulnrichment

Updated: 2026-06-17T13:23:00.499Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T23:30:16Z

Weaknesses
  • CWE-306

    Missing Authentication for Critical Function