How to patch Oracle WebLogic Server

Q: How do I check which version of Oracle WebLogic I am running?

Use: java weblogic.version —or— $ORACLE_HOME/OPatch/opatch lsinventory (Shell). Record the result before and after patching to confirm the update applied.

Oracle · Infrastructure · 5 steps · Oracle WebLogic security status → · updated June 2026

Oracle ships WebLogic security fixes in its quarterly Critical Patch Update (CPU). Apply the patch with OPatch against your exact version, and lock down the admin/T3 ports that WebLogic RCEs abuse.

actively exploited (KEV)

309

tracked CVEs

—

latest supported

Oracle WebLogic has 16 actively-exploited vulnerabilities on the CISA KEV list — patching is urgent.

Check your current version first

Before you patch, record what you're running (Shell):

java weblogic.version   —or—   $ORACLE_HOME/OPatch/opatch lsinventory

Or paste your version into the checker for an instant verdict.

Step by step

Identify version & applied patches

Run java weblogic.version and opatch lsinventory to record your version and which CPUs are already applied.

Get the CPU patch

Download the patch matching your WebLogic version from the current Oracle Critical Patch Update on My Oracle Support.

Stop the domain

Cleanly shut down the Admin Server and managed servers in the domain.

Apply with OPatch

Run $ORACLE_HOME/OPatch/opatch apply from the patch directory, following the patch README.

Restart and verify

Start the domain back up and confirm with opatch lsinventory that the patch registered.

Watch out for:

WebLogic deserialization / T3 / IIOP RCEs are heavily exploited — restrict the admin and T3 ports and apply CPUs on schedule.
Test the CPU in non-production first; some patches need post-install steps from the README.

Official sources

Advisory: Oracle Critical Patch Updates ↗
Download: My Oracle Support (MOS) ↗

Don't patch blind. Oracle WebLogic has 16 actively-exploited vulnerabilities on the CISA KEV list — patching is urgent. See exactly which versions are safe and what you're exposed to.

Oracle WebLogic security status →

Stay ahead of the next one

Oracle WebLogic security status & health score — score, open CVEs and safe version.
Oracle WebLogic vulnerabilities — the full CVE list and what's exploited.
Monitor Oracle WebLogic — get an email alert the moment a new exploited vulnerability lands.

Frequently asked questions

What is the latest version of Oracle WebLogic?

Check the current supported Oracle WebLogic release on its product page or the official vendor advisory, then patch to it.

How do I check which version of Oracle WebLogic I am running?

Use: java weblogic.version —or— $ORACLE_HOME/OPatch/opatch lsinventory (Shell). Record the result before and after patching to confirm the update applied.

Is Oracle WebLogic being actively exploited right now?

Yes — 16 Oracle WebLogic vulnerabilities are on the CISA Known Exploited Vulnerabilities (KEV) list, so attackers are using them in the wild. Patch promptly. See the exploitation radar.

How do I patch Oracle WebLogic safely without breaking production?

Always test in a non-production environment first, take a backup or snapshot, follow the official vendor advisory, and have a tested rollback. Patch one node at a time for clustered or high-availability setups.

Patch steps are general, well-established guidance for Oracle WebLogic — always test in a non-production environment first and follow the official Oracle advisory for your exact version. IsItPatched is independent and not affiliated with Oracle; this is not a substitute for vendor documentation. See our disclaimer.

← All patching guides · Security guides →