Description
Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise WebLogic Server. While the vulnerability is in WebLogic Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of WebLogic Server. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
Published: 2026-06-16
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability in the WebLogic Server Console permits an unauthenticated attacker with network access via HTTP to take control of WebLogic Server. Successful exploitation bypasses authentication, providing the attacker with full read, write, and execute authority on the server, thereby compromising confidentiality, integrity and availability. The impact extends beyond the WebLogic Server itself, potentially affecting additional Oracle Fusion Middleware components due to the scope change indicated by the CVSS vector.

Affected Systems

Oracle Corporation WebLogic Server versions 12.2.1.4.0 and 14.1.1.0.0 are affected. These render the console accessible to unauthenticated users over HTTP, exposing the system to remote compromise.

Risk and Exploitability

The CVSS v3.1 score of 10.0 reflects a critical severity, while the EPSS score of less than 1% indicates a very low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Attackers require only unauthenticated network access over HTTP; no additional privileges or user interaction are needed. The scope change in the CVSS vector suggests that exploitation can affect other products in the same environment.

Generated by OpenCVE AI on June 18, 2026 at 23:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Oracle WebLogic Server security patch listed in the Oracle security alert for versions 12.2.1.4.0 and 14.1.1.0.0
  • Restrict or block HTTP access to the WebLogic Server console from public or untrusted networks using firewall rules or network segmentation
  • Implement monitoring and alerting for unexpected console access attempts to detect potential exploitation attempts

Generated by OpenCVE AI on June 18, 2026 at 23:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 22:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated Remote Code Execution via WebLogic Server Console
Weaknesses CWE-284
CWE-285

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated Remote Code Execution via WebLogic Server Console
Weaknesses CWE-284
CWE-285
CWE-306
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise WebLogic Server. While the vulnerability is in WebLogic Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of WebLogic Server. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
First Time appeared Oracle
Oracle weblogic Server
CPEs cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle weblogic Server
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Oracle Weblogic Server
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-18T03:57:36.101Z

Reserved: 2026-04-01T20:03:40.836Z

Link: CVE-2026-35301

cve-icon Vulnrichment

Updated: 2026-06-17T13:08:16.225Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T23:30:16Z

Weaknesses
  • CWE-306

    Missing Authentication for Critical Function