On January 20, 2026, Oracle patched a maximum‑severity vulnerability in its Fusion Middleware suite affecting Oracle HTTP Server and the WebLogic Server Proxy Plug‑in, tracked as CVE‑2026‑21962. An unauthenticated remote threat actor can exploit this flaw to gain unauthorized creation, deletion, or modification access to critical data. The issue stems from improper handling of incoming requests by the WebLogic Server Proxy Plug‑ins for Apache HTTP Server and Microsoft IIS.
While Arctic Wolf has not observed exploitation of CVE‑2026‑21962 or identified a publicly available proof‑of‑concept exploit, threat actors may target this vulnerability in the future due to the ease of exploitation over the internet and the level of access it could provide. In late 2025, threat actors exploited a zero‑day vulnerability in another product in the Fusion Middleware umbrella, Oracle E‑Business Suite, using it to conduct a large‑scale data theft and extortion campaign by the Cl0p ransomware group.
Recommendation for CVE-2026-21962
Apply Patches
Arctic Wolf strongly recommends that customers apply the patches.
| Product | Component | Affected Version | Patch |
| Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in | Weblogic Server Proxy Plug-in for Apache HTTP Server |
|
Patch availability document (login required) |
| Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in | Weblogic Server Proxy Plug-in for IIS |
|
Patch availability document (login required) |
Please follow your organization’s patching and testing guidelines to minimize potential operational impact.
References
