Latest Cybersecurity News
Oracle Releases Critical Patch for HTTP Server and WebLogic Server Proxy Plug-in Vulnerability
On January 22, 2026, Oracle issued security updates addressing CVE-2026-21962, a maximum-severity vulnerability in Oracle HTTP Server and WebLogic Server Proxy Plug-in, urging immediate patching to prevent unauthenticated remote compromise.
Technical Details of the Vulnerability
Oracle HTTP Server, a key component in web architectures, and the WebLogic Server Proxy Plug-in, which facilitates communication between Oracle WebLogic Server and external HTTP servers, contain a critical flaw designated CVE-2026-21962. This vulnerability carries a CVSS v3.1 base score of 10.0, indicating maximum severity due to its potential for remote exploitation without authentication. Attackers can leverage this flaw to fully compromise affected servers, potentially executing arbitrary code, stealing sensitive data, or pivoting to deeper network segments.
Exploitation Mechanics
The vulnerability stems from improper input validation in the proxy plug-in’s handling of HTTP requests forwarded to WebLogic Server instances. Specifically, malformed headers or payloads in proxied requests bypass security checks, allowing deserialization of untrusted data or buffer overflows that lead to remote code execution. In a typical deployment, where WebLogic clusters behind load balancers use this plug-in for traffic management, an attacker sends crafted requests over standard HTTPS ports, evading web application firewalls that do not inspect proxied traffic deeply.
Impact on Enterprise Environments
Organizations using Oracle Fusion Middleware, including financial services, government agencies, and large enterprises reliant on WebLogic for application servers, face heightened risk. Compromised proxy plug-ins enable persistent access, lateral movement via stolen credentials, and data exfiltration. Historical exploits of similar WebLogic flaws, such as CVE-2019-2725, demonstrate how attackers chain these with living-off-the-land techniques, using tools like PowerShell or native binaries for evasion.
Mitigation Strategies
Immediate application of Oracle's January 2026 Critical Patch Update (CPU) is essential: upgrade Oracle HTTP Server 12.2.1.4.0 and the WebLogic Server Proxy Plug-in to the patched versions. Network segmentation isolating proxy components, runtime application self-protection (RASP), and behavioral anomaly detection using endpoint detection and response (EDR) tools provide layered defenses. Organizations should scan for the vulnerability using tools like Nuclei or custom scripts targeting the affected endpoints, prioritizing internet-facing instances.
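As an added example of the prioritization the paragraph above recommends (this is not Oracle's tooling, and the inventory rows, hostnames and the `cpu_applied` field are constructed for illustration), the following script walks an asset inventory, keeps only hosts running the two affected products that have not yet received the January 2026 CPU, and orders internet-facing instances first:

```python
"""Added example (not Oracle's tooling): triage an asset inventory for the
January 2026 CPU rollout. Inventory rows and hostnames are constructed."""
from dataclasses import dataclass

# The two products named in the advisory.
AFFECTED_PRODUCTS = {"Oracle HTTP Server", "WebLogic Server Proxy Plug-in"}


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    internet_facing: bool
    cpu_applied: bool  # constructed field: True once the January 2026 CPU is installed


# Constructed sample inventory; hostnames are placeholders.
INVENTORY = [
    Asset("ohs-edge-01.example", "Oracle HTTP Server", "12.2.1.4.0", True, False),
    Asset("ohs-edge-02.example", "Oracle HTTP Server", "12.2.1.4.0", True, True),
    Asset("wls-proxy-int-01.example", "WebLogic Server Proxy Plug-in", "12.2.1.4.0", False, False),
    Asset("app-db-01.example", "Oracle Database", "19.0.0.0", False, False),
]


def priority(asset):
    """Patch priority for one asset: P1 if exposed to the internet, P2 if
    internal, 'none' if unaffected or already patched."""
    if asset.product not in AFFECTED_PRODUCTS or asset.cpu_applied:
        return "none"
    return "P1-internet-facing" if asset.internet_facing else "P2-internal"


def triage(assets):
    """Return the assets still missing the CPU, internet-facing hosts first,
    then alphabetical by hostname so the output is stable."""
    exposed = [a for a in assets if priority(a) != "none"]
    return sorted(exposed, key=lambda a: (not a.internet_facing, a.host))


if __name__ == "__main__":
    for a in triage(INVENTORY):
        print(f"{priority(a):20} {a.host:28} {a.product} {a.version}")
```

The inventory fields here stand in for whatever the real CMDB or scanner export provides; the point is that the patch-missing filter and the exposure-based ordering are separate, so the same triage can be rerun as hosts are patched.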
Broader Implications
This patch release underscores ongoing challenges in legacy middleware security, where complex proxy configurations amplify attack surfaces. As supply chain attacks evolve, enterprises must integrate automated patch management with continuous vulnerability scanning to counter zero-day risks in critical infrastructure components.
CISA and NSA Warn of Chinese BRICKSTORM Backdoor Targeting VMware and Windows Environments
CISA, NSA, and Canadian partners issued a joint advisory on sophisticated Chinese state-sponsored BRICKSTORM malware, which deploys stealthy backdoors in VMware vSphere and Windows systems for persistent espionage and data theft.
BRICKSTORM Malware Architecture
BRICKSTORM represents an advanced persistent threat (APT) implant engineered for long-term network habitation. It comprises modular components: a loader that injects shellcode into legitimate processes, an encrypted command-and-control (C2) module using domain generation algorithms (DGAs) for resilient communication, and a credential access toolkit harvesting LSASS memory dumps and Kerberos tickets. Targeting VMware vSphere—including vCenter and ESXi hypervisors—BRICKSTORM exploits virtualization layer weaknesses to escape guest VMs, achieving hypervisor-level persistence.
Infection Vectors and Evasion Techniques
Initial access occurs via spear-phishing with malicious VMware OVAs or compromised update servers, followed by privilege escalation using zero-day exploits in vSphere APIs. Once implanted, BRICKSTORM employs kernel-level rootkits to hook system calls, masquerading traffic as legitimate VMware management protocols over port 443. Encryption layers, including AES-256 with per-session keys rotated via elliptic curve Diffie-Hellman (ECDH), thwart signature-based detection, while anti-forensic measures overwrite artifacts in event logs and prefetch files.
Detection Indicators and Response Measures
Indicators of compromise (IOCs) include anomalous ESXi processes spawning svchost.exe, unusual outbound connections to Chinese infrastructure, and registry modifications under HKLM\SYSTEM\CurrentControlSet\Services\VMware. Detection rules in YARA and Sigma formats, coupled with EDR queries for process hollowing in vSphere services, aid identification. Mitigation involves applying VMware security patches (VMSA-2026-0001), enabling hypervisor introspection, and deploying network micro-segmentation to isolate vCenter traffic.
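The three indicator classes listed above (a VMware service process spawning svchost.exe, unexpected outbound connections on port 443, and writes under HKLM\SYSTEM\CurrentControlSet\Services\VMware) can be turned into a first-pass triage over endpoint telemetry. The script below is an added example, not part of the advisory or of any CISA/NSA tooling; the log format, hostnames, parent-process list, management allowlist and addresses are all constructed and would be replaced with the values from your own estate:

```python
"""Added example (not from the advisory): triage endpoint telemetry for the
BRICKSTORM indicator classes named in the text. Log format, hostnames,
process names, addresses and allowlists are constructed."""
from collections import namedtuple

Finding = namedtuple("Finding", "rule line")

# Constructed list of VMware/vSphere service processes on Windows hosts whose
# children are worth scrutinizing; adjust to what is actually deployed.
VMWARE_PARENTS = {"vmware-hostd.exe", "vmware-vpxd.exe", "vmtoolsd.exe"}

# Constructed allowlist of destinations that legitimately receive port-443
# management traffic from these hosts (your real vCenter/ESXi addresses).
MGMT_ALLOWLIST = {"10.0.0.10", "10.0.0.11"}

# Registry path singled out by the advisory.
REG_PREFIX = r"HKLM\SYSTEM\CurrentControlSet\Services\VMware"

# Constructed telemetry, one event per line: type|field=value|field=value ...
SAMPLE_LOG = """\
proc|host=vc-mgmt-01|parent=vmware-hostd.exe|image=svchost.exe|cmd=svchost.exe -k netsvcs
proc|host=vc-mgmt-01|parent=services.exe|image=svchost.exe|cmd=svchost.exe -k netsvcs
net|host=vc-mgmt-01|dst=10.0.0.10|dport=443|proto=tcp
net|host=vc-mgmt-01|dst=203.0.113.7|dport=443|proto=tcp
reg|host=vc-mgmt-01|op=SetValue|key=HKLM\\SYSTEM\\CurrentControlSet\\Services\\VMware\\Svc\\ImagePath
reg|host=vc-mgmt-01|op=SetValue|key=HKLM\\SOFTWARE\\Vendor\\Unrelated
"""


def parse(line):
    """Split 'type|k=v|k=v' into a dict; the first field is the event type."""
    kind, *fields = line.split("|")
    rec = {"type": kind}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def evaluate(rec):
    """Return the name of the matching indicator rule, or None."""
    kind = rec["type"]
    if (kind == "proc"
            and rec.get("parent", "").lower() in VMWARE_PARENTS
            and rec.get("image", "").lower() == "svchost.exe"):
        return "vmware-process-spawning-svchost"
    if (kind == "net"
            and rec.get("dport") == "443"
            and rec.get("dst") not in MGMT_ALLOWLIST):
        return "unusual-outbound-443"
    if kind == "reg" and rec.get("key", "").lower().startswith(REG_PREFIX.lower()):
        return "vmware-service-registry-modification"
    return None


def scan(log_text):
    """Run every non-empty line through the rules and collect the hits."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rule = evaluate(parse(line))
        if rule:
            findings.append(Finding(rule, line))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.rule}] {f.line}")
```

The port-443 rule is deliberately an allowlist rather than a blocklist: because the implant is described as masquerading as VMware management traffic on the same port, the useful signal is any destination that is not one of the known management endpoints, which is also why this rule is the one most likely to need tuning before it is run at scale.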
Geopolitical Context and Attribution
Attributed to PRC state actors, BRICKSTORM aligns with campaigns like Volt Typhoon, focusing on critical infrastructure for pre-positioning ahead of conflicts. Its cross-platform design—leveraging Windows WMI for lateral movement and VMware VIX APIs for VM manipulation—signals a maturing threat landscape where nation-states blend commercial virtualization exploits with custom tooling for undetectable operations.