Oracle WebLogic Server CVE-2024-21182 has moved from an old patch item to an active-response priority after CISA added it to the Known Exploited Vulnerabilities catalog on June 1, 2026. The agency lists a June 4, 2026 remediation due date and says an unauthenticated attacker with network access through T3 or IIOP can compromise WebLogic Server and reach critical data or all data available to the affected server.[1]
Oracle fixed the issue in the July 2024 Critical Patch Update, but the KEV entry means defenders should no longer treat it as background maintenance. The affected component is WebLogic Server Core in Oracle Fusion Middleware; the supported versions Oracle lists as affected are 12.2.1.4.0 and 14.1.1.0.0. Oracle and NVD rate the bug CVSS 7.5: network exploitable, low complexity, no privileges required, no user interaction, high confidentiality impact, and no integrity or availability impact. On paper that makes it a data-exposure bug rather than remote code execution, but the distinction should lower nobody's priority now that exploitation is confirmed: the credentials and application secrets readable by the WebLogic process are what an attacker needs to go further.[2][3]

The important nuance is exposure. WebLogic is often placed behind load balancers, management networks, middleware tiers, and older enterprise application stacks where T3 or IIOP may still be reachable for internal integrations. If those paths are exposed to untrusted networks, the risk is much closer to an edge-service incident than a routine application-server patch.
What WebLogic admins should check now
Start with inventory rather than assumptions. Identify WebLogic domains running 12.2.1.4.0 or 14.1.1.0.0, including non-production systems, disaster-recovery hosts, and application stacks that are reachable only through VPN or partner networks. Check patch level with OPatch (opatch lsinventory against the Oracle home) rather than the version banner, because the banner shows the release line and not whether the July 2024 CPU or a later one is installed. A server is lower priority if it is already on the July 2024 CPU level or later and untrusted T3/IIOP access is blocked, but it still belongs in the validation list.
For internet-facing or partner-facing environments, confirm whether common listener ports such as 7001 or 7002, or any custom WebLogic ports, allow T3 or IIOP traffic from outside trusted admin and application segments. Keep in mind that WebLogic's default network channel multiplexes HTTP, T3, and IIOP on the same listen port, so a port-level firewall rule cannot block T3 while leaving the web application reachable; protocol restriction has to happen at a reverse proxy or load balancer that forwards only HTTP, or inside WebLogic with a connection filter (weblogic.security.net.ConnectionFilterImpl rules that deny t3, t3s, iiop, and iiops except from admin and application subnets). If a patch cannot be applied immediately, restrict those protocols at firewalls, load balancers, and WebLogic channel and connection-filter configuration while preparing the proper update. This is the same practical lesson seen in other exploited server-side issues: the fastest risk reduction usually combines patching with exposure control, as with recent Palo Alto GlobalProtect exploitation and Apache HTTP Server RCE-risk patching.
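The exposure check above can be scripted. The following is an added example written for this article, not Oracle's tooling: it performs the plaintext T3 handshake that a WebLogic listener with T3 enabled answers (the client sends a version line, the server replies with a HELO line carrying its own release), and maps the reply to an inventory action. The host:port targets, timeouts, and the decision to skip certificate verification on t3s probes are assumptions for the example. The release line it reports is not the patch level, so the output tells you where to run OPatch, not whether a host is fixed.

```python
"""Probe WebLogic listeners for T3 and flag release lines Oracle lists for CVE-2024-21182.

Added example for this article, not Oracle code. The T3 handshake reveals the
release line (e.g. 12.2.1.4.0), NOT the CPU patch level: a host that answers
12.2.1.4.0 may already carry the July 2024 fix. Confirm with "opatch lsinventory".
"""
import re
import socket
import ssl

# Release lines Oracle lists as affected in the July 2024 CPU.
AFFECTED_RELEASES = {"12.2.1.4.0", "14.1.1.0.0"}

# Client side of the T3 handshake; the version the client claims is arbitrary,
# WebLogic answers with its own ("HELO:<release>.<ssl-flag>\nAS:...\nHL:...\n\n").
T3_HELLO = b"t3 12.2.1\nAS:255\nHL:19\n\n"

# Version group is optional: some patch levels answer HELO without a version.
_HELO_RE = re.compile(rb"^HELO:(?P<version>\d+(?:\.\d+)+)?")


def parse_t3_helo(response: bytes):
    """Return the release string from a T3 HELO reply, '' if withheld, None if not T3."""
    m = _HELO_RE.match(response)
    if not m:
        return None
    return m.group("version").decode() if m.group("version") else ""


def classify(version):
    """Map a probe result to the action a WebLogic admin takes for the inventory list."""
    if version is None:
        return "no T3 handshake (closed, filtered, or non-T3 listener)"
    if version == "":
        return "T3 enabled, version withheld: confirm patch level with OPatch"
    if version in AFFECTED_RELEASES:
        return f"T3 enabled on affected release {version}: confirm July 2024 CPU via OPatch or patch"
    return f"T3 enabled on release {version}: not in Oracle's affected list for CVE-2024-21182"


def probe_t3(host, port, use_tls=False, timeout=3.0):
    """Connect, send the T3 hello (optionally inside TLS for t3s), return parse_t3_helo()."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            s = raw
            if use_tls:
                ctx = ssl.create_default_context()
                ctx.check_hostname = False
                ctx.verify_mode = ssl.CERT_NONE  # inventory probe, not a trust decision
                s = ctx.wrap_socket(raw, server_hostname=host)
            s.sendall(T3_HELLO)
            data = b""
            # The reply ends with a blank line; stop there or after a sane size.
            while b"\n\n" not in data and len(data) < 1024:
                chunk = s.recv(256)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return None
    return parse_t3_helo(data)


if __name__ == "__main__":
    import sys
    # Usage: python probe.py host:port [host:port ...]   (assumed defaults below)
    targets = sys.argv[1:] or ["127.0.0.1:7001"]
    for target in targets:
        host, _, port = target.rpartition(":")
        print(target, "->", classify(probe_t3(host, int(port))))
        print(target, "(t3s) ->", classify(probe_t3(host, int(port), use_tls=True)))
```

Run it from the untrusted side of the network (an internet egress point or partner VPN) against the public addresses of each domain: any result other than "no T3 handshake" means the protocol is reachable there and the exposure control in the paragraph above is not in place yet. Probing from inside the admin segment only tells you T3 is enabled, which it almost always is.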
Administrators should also review WebLogic HTTP access logs, managed-server and admin-server logs (the Deployer and Security subsystem entries in particular), admin-console and management REST activity, and perimeter logs for unexpected protocol access, unusual source addresses, newly deployed applications, modified startup scripts, unfamiliar users, and changes to data-source or credential configuration. Because the published impact centers on unauthorized access to critical data, database credentials and application secrets available to the WebLogic process deserve a rotation decision if exploitation is suspected.
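Three of those checks can be run over the logs mechanically. The following is an added example written for this article, not Oracle tooling: it parses the bracketed "####<...> <...>" server-log format WebLogic writes and the Common Log Format access log, then flags application deployments not on an expected list, account lockouts in the Security subsystem, and admin-console or management REST requests from outside the admin subnets. The log lines, the expected-application set, the admin subnet, and the BEA message codes shown are constructed for the example; match the codes and paths against your own logs before relying on them.

```python
"""Triage WebLogic server and access logs for post-exploitation signs.

Added example for this article, not Oracle tooling. Sample log lines, app list,
admin subnet and BEA codes are constructed for illustration.
"""
import ipaddress
import re

# Assumptions for the example: apps that belong on this server, and the subnets
# from which admin-console / management REST use is expected.
EXPECTED_APPS = {"orders", "inventory"}
ADMIN_NETS = [ipaddress.ip_network("10.0.1.0/24")]
ADMIN_PATH_PREFIXES = ("/console", "/management")

_DEPLOY_RE = re.compile(r"of application (\S+) is transitioning")
_CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed server-log lines in WebLogic's bracketed format (12.2.1-style fields).
SAMPLE_SERVER_LOG = """\
####<Jun 2, 2026 10:15:32,123 AM UTC> <Info> <Deployer> <app01> <ms1> <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1780000000123> <[severity-value: 64] > <BEA-149059> <Module orders.war of application orders is transitioning from STATE_NEW to STATE_PREPARED on server ms1.>
####<Jun 2, 2026 11:02:07,991 AM UTC> <Info> <Deployer> <app01> <ms1> <[ACTIVE] ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1780002927991> <[severity-value: 64] > <BEA-149059> <Module cmd.war of application cmd is transitioning from STATE_NEW to STATE_PREPARED on server ms1.>
####<Jun 2, 2026 11:05:44,004 AM UTC> <Notice> <Security> <app01> <AdminServer> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1780003144004> <[severity-value: 32] > <BEA-090078> <User weblogic in security realm myrealm has had 5 invalid login attempts, locking account for 30 minutes.>
"""

# Constructed access-log lines (Common Log Format, the WebLogic access.log default).
SAMPLE_ACCESS_LOG = """\
10.0.1.15 - - [02/Jun/2026:10:50:01 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 4120
203.0.113.9 - - [02/Jun/2026:11:04:10 +0000] "POST /management/weblogic/latest/edit/appDeployments HTTP/1.1" 201 233
198.51.100.7 - - [02/Jun/2026:11:06:30 +0000] "GET /orders/health HTTP/1.1" 200 15
"""


def parse_server_line(line):
    """Split one '####<...> <...>' line into its fields; None if it is not one."""
    line = line.rstrip("\n")
    if not line.startswith("####<") or not line.endswith(">"):
        return None
    # Fields are '<...>' separated by a space; '> <' is the reliable delimiter
    # even when a field such as '<<WLS Kernel>>' contains brackets itself.
    parts = line[5:-1].split("> <")
    if len(parts) < 6:
        return None
    return {"time": parts[0], "severity": parts[1], "subsystem": parts[2],
            "server": parts[4], "code": parts[-2], "message": parts[-1]}


def triage_server_log(lines):
    """Flag deployments outside EXPECTED_APPS and Security-subsystem lockouts."""
    findings = []
    for line in lines:
        e = parse_server_line(line)
        if e is None:
            continue
        if e["subsystem"] == "Deployer":
            m = _DEPLOY_RE.search(e["message"])
            if m and m.group(1) not in EXPECTED_APPS:
                findings.append(("unexpected deployment", e["server"], m.group(1), e["time"]))
        elif e["subsystem"] == "Security" and "invalid login attempts" in e["message"]:
            findings.append(("account lockout", e["server"], e["message"], e["time"]))
    return findings


def triage_access_log(lines):
    """Flag admin-console / management REST requests from outside ADMIN_NETS."""
    findings = []
    for line in lines:
        m = _CLF_RE.match(line)
        if not m or not m.group("path").startswith(ADMIN_PATH_PREFIXES):
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # hostname or '-' in the client field; nothing to compare
        if not any(ip in net for net in ADMIN_NETS):
            detail = f'{m.group("method")} {m.group("path")} -> {m.group("status")}'
            findings.append(("admin path from outside admin nets", m.group("ip"), detail, m.group("time")))
    return findings


if __name__ == "__main__":
    for f in triage_server_log(SAMPLE_SERVER_LOG.splitlines()):
        print(f)
    for f in triage_access_log(SAMPLE_ACCESS_LOG.splitlines()):
        print(f)
```

On the sample input the script reports the unexpected "cmd" application, the lockout of the weblogic account, and the deployment REST call from 203.0.113.9, while the expected "orders" deployment and the ordinary application request from 198.51.100.7 stay quiet. Point the two functions at the real server log and access.log of every server in the inventory list; an unexpected-deployment finding dated after the KEV addition is the kind of unexplained server-side change the article says to escalate.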
If an environment cannot be patched before the June 4 KEV deadline, document the exception with the exact hostnames, WebLogic version, exposed protocols, compensating network controls, and the planned maintenance window. That record matters because WebLogic often supports business-critical Java applications where emergency restarts are difficult; security teams need a defensible list of what was fixed, what was isolated, and what still needs executive risk acceptance.
CISA KEV status does not reveal the attacker group or exploitation volume, and the catalog lists known ransomware use as unknown. Still, KEV inclusion is a strong enough signal for private-sector teams too: CISA adds an entry only when it has evidence of active exploitation, so the window for "we will patch it later" has closed. Teams that recently handled Microsoft Exchange exploitation should treat WebLogic the same way: confirm patch level, reduce exposed protocols, preserve logs, and escalate any unexplained server-side changes.
References
- CISA. “CVE-2024-21182 Oracle WebLogic Server Unspecified Vulnerability,” Known Exploited Vulnerabilities Catalog, added June 1, 2026. https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-21182
- Oracle. “Oracle Critical Patch Update Advisory – July 2024,” Oracle WebLogic Server section. https://www.oracle.com/security-alerts/cpujul2024.html
- NVD. “CVE-2024-21182 Detail,” last modified June 1, 2026. https://nvd.nist.gov/vuln/detail/CVE-2024-21182