Share
## https://sploitus.com/exploit?id=28798546-B5B4-5A1E-B153-9FC1A3E7CC48
# CVE-2026-21962-Oracle-HTTP-Server-WebLogic-Proxy-Plug-in-Critical-
Oracle Fusion Middleware Oracle HTTP Server / WebLogic Server Proxy Plug-in has an easily exploitable, unauthenticated, network-reachable flaw allowing compromise over HTTP. Affected supported versions include 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0.

CVSS 10.0 (per Oracle / NVD text) and remotely reachable over HTTP.

The check.py is used only for exposure checking and banner/version hinting only. 
First run requirements.txt -> check.py

For testing and research purposes, I have also included exploit.py it is meant to; 
1) Simulate the logic of the attack for analysis.
2) Safely probe your environment for indicators of compromise (IOCs) or misconfiguration.
3) Generate realistic payloads for your defensive sensor testing (WAF, IDS, custom detections).
4) Educate on the exact request structures.

Example output from exploit.py:

[ATTACKER PERSPECTIVE] - Theoretical Kill Chain
1.  RECON: Discovers an exposed Oracle HTTP Server (port 80/443).
2.  FINGERPRINT: Uses your `check.py` or similar to confirm version in AFFECTED_TRAINS.
3.  PROBE: Sends the ambiguous path request to locate `ProxyServlet`.
4.  EXPLOIT CRAFTING: Injects malicious `wl-proxy-client-ip` header with `;Base64` payload.
5.  REQUEST FORWARDING: The vulnerable plug-in improperly validates/parses the header.
6.  ACCESS: Gains unauthorized access to the backend WebLogic server's data and functions.
7.  PIVOT & PERSIST: Moves laterally within the Fusion Middleware environment.

[DEFENDER PERSPECTIVE] - IMMEDIATE ACTIONS (BEYOND PATCHING)[citation:6][citation:8]
*** PATCHING IS NON-NEGOTIABLE. APPLY ORACLE'S JANUARY 2026 CPU[citation:10]. ***