Back

CISA Alerts on Active Exploitation of Oracle WebLogic Vulnerability CVE-2024-21182

Severity: High (Score: 72.9)

Sources: nvd.nist.gov, Gbhackers, Heise.De, Bleepingcomputer

Published: 2026-06-02 · Updated: 2026-06-02

Keywords: oracle, weblogic, server, vulnerability, since, attackers, target

Severity indicators: vulnerability

Summary

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding the active exploitation of a high-severity vulnerability in Oracle WebLogic Server, tracked as CVE-2024-21182. This flaw, which has been known since July 2024, allows unauthenticated attackers to remotely compromise affected systems running versions 12.2.1.4.0 and 14.1.1.0.0. CISA has mandated federal agencies to patch their systems by June 4, 2026, and urged private sector organizations to do the same. The vulnerability has been added to CISA's Known Exploited Vulnerabilities catalog, highlighting its critical nature. Internet intelligence platform Shodan reports over 1,592 vulnerable Oracle WebLogic servers exposed online. Successful exploitation can lead to unauthorized access to sensitive data. CISA's advisory follows a pattern of ongoing vulnerabilities in Oracle products, emphasizing the need for timely updates and security measures. Key Points: • CISA has flagged CVE-2024-21182 as actively exploited, urging immediate action. • Over 1,590 Oracle WebLogic servers are currently exposed and vulnerable to this flaw. • Federal agencies must patch their systems by June 4, 2026, to mitigate risks.

Detailed Analysis

**Impact** Organizations using Oracle WebLogic Server versions 12.2.1.4.0 and 14.1.1.0.0 are affected globally, with over 1,592 exposed vulnerable servers identified online. The vulnerability allows unauthorized access to critical data or complete control over Oracle WebLogic Server accessible data, impacting sectors relying on enterprise middleware. U.S. federal agencies are mandated to patch by June 4, 2026, reflecting the severity and operational risk to government infrastructure. **Technical Details** CVE-2024-21182 is an unauthenticated remote code execution vulnerability exploitable via Oracle WebLogic Server’s proprietary T3 and IIOP protocols. The attack vector requires only network access and no privileges, with a CVSS 3.1 base score of 7.5 (Confidentiality impact). The vulnerability affects the Oracle Fusion Middleware Core component and is actively exploited in the wild. No specific malware or IOCs have been publicly disclosed. **Recommended Response** Apply the July 2024 Oracle security patches for CVE-2024-21182 immediately, prioritizing versions 12.2.1.4.0 and 14.1.1.0.0. Follow CISA’s Binding Operational Directive 22-01 for federal systems and extend patching to private sector environments. Monitor network traffic for unauthorized access attempts via T3 and IIOP protocols and consider disabling or restricting these protocols if mitigation is not feasible. No detailed IOCs are currently available for detection.

Source articles (5)

  • CISA Issues Alert on Oracle WebLogic Server Flaw Under Active Exploitation — Gbhackers · 2026-06-02
    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Oracle WebLogic Server vulnerability, tracked as CVE-2024-21182, to its Known Exploited Vulnerabilities (KEV) cata…
  • Attackers target Oracle WebLogic Server — Heise.De · 2026-06-02
    A vulnerability in Oracle's WebLogic Server is currently being exploited. The security flaw has been known since mid-2024, with updates available since the Critical Patch Update from July 2024 . The U…
  • Cve 2024 21182 — nvd.nist.gov · 2026-06-02
    Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability…
  • CISA flags two-year — Bleepingcomputer · 2026-06-02
    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered government agencies to secure their systems against a high-severity Oracle WebLogic Server vulnerability that was patched t…
  • CVE-2024-21182 — nvd.nist.gov · 2026-06-02
    Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability…

Timeline

  • 2024-07-16 — CVE-2024-21182 published: Oracle released a patch for a critical vulnerability in WebLogic Server.
  • 2024-12-30 — First public PoC for CVE-2024-21182: A proof of concept for exploiting the WebLogic vulnerability was made public.
  • 2025-10-12 — CVE-2025-61884 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-03-20 — CVE-2026-21992 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-06-01 — CVE-2024-21182 added to CISA KEV catalog: CISA confirmed the active exploitation of the WebLogic vulnerability, urging immediate patching.
  • 2026-06-02 — CISA orders federal agencies to patch: CISA mandated that federal agencies secure their systems against CVE-2024-21182 by June 4, 2026.

CVEs

  • CVE-2024-21182
  • CVE-2025-61884
  • CVE-2026-21992

Related entities

  • Data Breach (Attack Type)
  • Zero-day Exploit (Attack Type)
  • CWE-200 - Exposure of Sensitive Information (Cwe)
  • CWE-287 - Improper Authentication (Cwe)
  • exploited.it (Domain)
  • german.it (Domain)
  • Government (Industry)
  • T1190 - Exploit Public-Facing Application (Mitre Attack)
  • Oracle Fusion Middleware (Platform)
  • Oracle Identity Manager (Platform)
  • Oracle WebLogic Server (Platform)
  • Oracle Web Services Manager (Platform)
  • Pan-os (Platform)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed