CISA Warns of Active Exploitation of Oracle WebLogic Vulnerability CVE-2024-21182

Severity: High (Score: 72.9)

Sources: Gbhackers, nvd.nist.gov, Cybersecuritynews, Bleepingcomputer, Heise.De

Published: 2026-06-02 · Updated: 2026-06-03

Keywords: oracle, weblogic, server, vulnerability, since, attackers, target

Severity indicators: vulnerability

Summary

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding the active exploitation of a two-year-old vulnerability in Oracle WebLogic Server, tracked as CVE-2024-21182. The flaw, which affects versions 12.2.1.4.0 and 14.1.1.0.0, allows unauthenticated attackers with network access via the T3 and IIOP protocols to remotely compromise servers. CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog and has mandated that federal agencies patch their systems by June 4, 2026. Currently, over 1,592 Oracle WebLogic servers are identified as exposed and vulnerable. Successful exploitation can lead to unauthorized access to critical data or complete control over the server. CISA has previously flagged numerous Oracle vulnerabilities, highlighting the ongoing risk posed by such flaws. Organizations are urged to apply patches immediately to mitigate potential attacks.

Key Points:

  • CISA has ordered federal agencies to patch Oracle WebLogic Server by June 4, 2026.
  • The vulnerability CVE-2024-21182 allows unauthenticated remote access to critical data.
  • Over 1,592 Oracle WebLogic servers are currently exposed and vulnerable to exploitation.

Detailed Analysis

**Impact**

Oracle WebLogic Server versions 12.2.1.4.0 and 14.1.1.0.0 are affected, with over 1,592 exposed and vulnerable servers identified globally. The vulnerability allows unauthorized access to critical data, or in the worst case complete access to all data reachable through the server, affecting enterprises that use Oracle WebLogic as middleware in multi-tier distributed applications. Federal agencies in the U.S. are mandated to patch by June 4, 2026; private sector organizations running the same versions are equally at risk. The vulnerability poses significant risks to data confidentiality and operational integrity across sectors relying on Oracle WebLogic.

**Technical Details**

The vulnerability, CVE-2024-21182 (CVSS 7.5), is exploitable remotely by unauthenticated attackers with network access to Oracle's proprietary T3 and IIOP protocols. The attack is low-complexity and results in unauthorized access to, or full compromise of, Oracle WebLogic Server data. The flaw affects the Core component of Oracle Fusion Middleware. No specific malware or tools have been publicly identified, and no indicators of compromise (IOCs) have been disclosed by CISA or Oracle.

**Recommended Response**

Apply the security patches released by Oracle in July 2024 immediately, prioritizing versions 12.2.1.4.0 and 14.1.1.0.0. Federal agencies must comply with CISA's Binding Operational Directive 22-01 by June 4, 2026. Network defenders should restrict or monitor T3 and IIOP protocol traffic to Oracle WebLogic servers and validate system configurations against vendor guidance. In the absence of detailed IOCs, organizations should monitor for unusual network activity targeting Oracle WebLogic servers and ensure all middleware components are up to date.
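One way to express the T3/IIOP restriction recommended above is a set of WebLogic connection-filter rules, and a small evaluator makes it possible to check what an arbitrary Internet host could still reach. This is an added example, not code from the page or from Oracle: the rule syntax is that of WebLogic's `weblogic.security.net.ConnectionFilterImpl` (`target localAddress localPort action protocols`, first match wins), while the evaluator, the sample subnets and the fall-through behaviour are assumptions made here.

```python
"""Evaluate WebLogic-style connection-filter rules against sample connections."""
import ipaddress

# Constructed rule set in ConnectionFilterImpl syntax: T3/IIOP only from an
# assumed admin network (10.10.0.0/16), HTTP(S) from anywhere, deny the rest.
# The final catch-all deny makes the evaluator's fall-through irrelevant.
RULES_TEXT = """
# admin network may use T3/IIOP for management and RMI
10.10.0.0/16 * * allow t3 t3s iiop iiops
# every other source: HTTP(S) only
0.0.0.0/0 * * allow http https
# deny everything else (T3, IIOP, LDAP, ...) from all other sources
0.0.0.0/0 * * deny
"""

# Weak configuration for comparison: everything open to everyone.
WEAK_RULES_TEXT = "0.0.0.0/0 * * allow\n"

PROTOCOLS = ("http", "https", "t3", "t3s", "iiop", "iiops")


def parse_rules(text):
    """Parse rule lines; only IP/CIDR targets are supported here (assumption)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        target, _local_addr, local_port, action, *protocols = line.split()
        net = ipaddress.ip_network(target, strict=False)
        rules.append((net, local_port, action.lower(), set(protocols)))
    return rules


def evaluate(rules, remote_ip, local_port, protocol):
    """Return 'allow' or 'deny' for the first matching rule."""
    ip = ipaddress.ip_address(remote_ip)
    for net, port, action, protocols in rules:
        if ip not in net:
            continue
        if port != "*" and int(port) != local_port:
            continue
        if protocols and protocol not in protocols:  # empty set = any protocol
            continue
        return action
    return "allow"  # assumed fall-through; keep an explicit final deny rule


def exposed_protocols(rules, remote_ip, local_port=7001):
    """Protocols a given remote host could reach on the listen port."""
    return {p for p in PROTOCOLS if evaluate(rules, remote_ip, local_port, p) == "allow"}
```

Running `exposed_protocols(parse_rules(RULES_TEXT), "203.0.113.9")` for a non-admin address yields only `http` and `https`, while the weak rule set exposes every protocol including T3 and IIOP.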

Source articles

  • CISA Issues Alert on Oracle WebLogic Server Flaw Under Active Exploitation — Gbhackers · 2026-06-02
    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Oracle WebLogic Server vulnerability, tracked as CVE-2024-21182, to its Known Exploited Vulnerabilities (KEV) cata…
  • Attackers target Oracle WebLogic Server — Heise.De · 2026-06-02
    A vulnerability in Oracle's WebLogic Server is currently being exploited. The security flaw has been known since mid-2024, with updates available since the Critical Patch Update from July 2024 . The U…
  • CISA flags two-year-old Oracle flaw as actively exploited in attacks — Bleepingcomputer · 2026-06-02
    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered government agencies to secure their systems against a high-severity Oracle WebLogic Server vulnerability that was patched t…
  • CVE-2024-21182 — nvd.nist.gov · 2026-06-02
    Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability…
  • CISA Warns of Two-Year — Cybersecuritynews · 2026-06-02
    CISA has issued a fresh warning highlighting active exploitation of a critical Oracle WebLogic Server vulnerability, tracked as CVE-2024-21182, adding it to its Known Exploited Vulnerabilities (KEV) c…
  • U.S. CISA adds Oracle WebLogic flaw to its Known Exploited Vulnerabilities catalog — Securityaffairs.Co · 2026-06-02
    U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Oracle WebLogic flaw to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA)…
  • Oracle WebLogic CVE-2024 — Thehackernews · 2026-06-02
    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a high-severity security flaw impacting Oracle WebLogic Server to its Known Exploited Vulnerabilities (KEV) Catalog, ba…
  • CISA orders agencies to patch critical Oracle WebLogic Server vulnerability — Scworld · 2026-06-02
    Bleeping Computer reports that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a directive to government agencies mandating the immediate patching of Oracle WebLogic Server…
  • Two — Csoonline · 2026-06-02
    US federal government departments have been given until Thursday to patch a two-year old high severity vulnerability in Oracle WebLogic Server that could allow an unauthenticated attacker to access cr…

Timeline

  • 2024-07-16 — CVE-2024-21182 published: Oracle released patches for the WebLogic Server vulnerability affecting specific versions.
  • 2024-12-30 — First public PoC for CVE-2024-21182: A proof of concept for exploiting the WebLogic vulnerability became publicly available.
  • 2025-10-12 — CVE-2025-61884 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-03-20 — CVE-2026-21992 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-06-01 — CISA adds CVE-2024-21182 to KEV catalog: CISA confirmed active exploitation of the Oracle WebLogic vulnerability and added it to its Known Exploited Vulnerabilities catalog.
  • 2026-06-02 — CISA issues urgent patch directive: CISA mandated federal agencies to patch their Oracle WebLogic systems by June 4, 2026, due to active exploitation.

CVEs

  • CVE-2024-21182
  • CVE-2025-61884
  • CVE-2026-21962
  • CVE-2026-21992

Related entities

  • Data Breach (Attack Type)
  • Zero-day Exploit (Attack Type)
  • CWE-200 - Exposure of Sensitive Information (Cwe)
  • CWE-287 - Improper Authentication (Cwe)
  • CWE-918 - Server-Side Request Forgery (SSRF) (Cwe)
  • Government (Industry)
  • T1190 - Exploit Public-Facing Application (Mitre Attack)
  • Identity Manager (Platform)
  • Kubernetes (Platform)
  • Oracle E-business Suite (Platform)
  • Oracle Fusion Middleware (Platform)
  • Oracle Identity Manager (Platform)
  • Oracle WebLogic (Platform)
  • Oracle WebLogic Server (Platform)
  • Oracle Web Services Manager (Platform)
  • Palo Alto Networks Pan-os (Platform)
  • Pan-os (Platform)
  • Web Services Manager (Platform)
  • Shodan (Tool)