Oracle WebLogic CVE-2024-21182 exploitation

Summary

CVE-2024-21182 is an Oracle WebLogic Server Core vulnerability affecting supported 12.2.1.4.0 and 14.1.1.0.0 releases. Oracle patched it in the July 2024 Critical Patch Update, and CISA added it to the Known Exploited Vulnerabilities catalog on 2026-06-01.

The durable threat-intelligence takeaway is exposure management for legacy middleware: the vulnerable path is unauthenticated, network-reachable over T3 and IIOP, low-complexity, and can expose critical WebLogic-accessible data. Public sources reviewed here confirm active exploitation through the CISA KEV listing, but none names an actor, malware family, or campaign.

Why this matters

  • WebLogic commonly sits near identity, application, and database tiers; exploitation can quickly become an application-data incident even when the CVSS impact is confidentiality-only.
  • Oracle and NVD describe the flaw as remotely exploitable without authentication or user interaction over T3 and IIOP.
  • CISA's 2026-06-01 KEV entry sets a 2026-06-04 remediation due date for covered federal agencies, indicating operational urgency.
  • Public reporting reviewed in this scan does not provide a reliable exploit chain or actor attribution; defenders should avoid overfitting hunts to a named crew.

Operational characteristics

  • Affected product: Oracle WebLogic Server, Fusion Middleware, Core component.
  • Affected versions: 12.2.1.4.0 and 14.1.1.0.0, according to Oracle and NVD.
  • Attack surface: unauthenticated network access via T3 and IIOP.
  • Exploit complexity: low; no privileges or user interaction required.
  • Impact described by Oracle / NVD: unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data; CVSS 3.1 base score 7.5 with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.
  • Observed exploitation: CISA added the vulnerability to KEV on 2026-06-01; CISA lists ransomware campaign use as unknown.

Defender heuristics

  • Inventory internet-exposed and partner-accessible WebLogic instances, especially listeners exposing T3 / T3S or IIOP / IIOPS.
  • Apply Oracle's July 2024 Critical Patch Update or a later supported CPU containing the fix; prioritize unsupported or end-of-life deployments for retirement or isolation.
  • If immediate patching is blocked, restrict T3 and IIOP exposure at network boundaries, load balancers, firewalls, and WebLogic channel configuration; avoid exposing administration and application protocols directly to the internet.
  • Review WebLogic access, server, diagnostic, deployment, and admin-console logs around the KEV window and any earlier suspected exposure.
  • Hunt for anomalous T3/IIOP connections, unexpected serialized-object traffic, unusual classloading or deployment activity, new or modified applications, suspicious file writes under WebLogic domains, and outbound connections from WebLogic hosts.
  • Treat confirmed exploitation as a data-access incident: preserve logs before remediation, identify applications and datasources reachable from the affected server, rotate application credentials, and review database access from the WebLogic service account.
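An added example, not from the original advisory or from Oracle, showing how the channel-level restriction in the third bullet can be checked before it is rolled out, and how it combines with the affected-version list above into a simple exposure triage. The rule syntax modelled here (target localAddress localPort action protocols, evaluated in order, first match wins, unmatched connections allowed) is the documented form for WebLogic's weblogic.security.net.ConnectionFilterImpl; the evaluator is a simplified Python model of it, not WebLogic's own code. The subnet 10.20.0.0/16, the addresses 203.0.113.7 and 10.20.1.5, the hostname pattern, and both rule sets are constructed placeholders; the affected-version set is the page's own.

```python
"""Model WebLogic connection-filter rules and rate T3/IIOP exposure (added example)."""
import fnmatch
import ipaddress
from dataclasses import dataclass

# Versions the advisory lists as affected (Oracle / NVD, per the page).
AFFECTED_VERSIONS = {"12.2.1.4.0", "14.1.1.0.0"}
# Protocols the vulnerable path is reachable over, plus their TLS variants.
RISKY_PROTOCOLS = ("t3", "t3s", "iiop", "iiops")


@dataclass(frozen=True)
class Rule:
    target: str          # remote IP, CIDR / ip-mask block, or hostname glob
    local_addr: str      # local listen address or "*"
    local_port: str      # local listen port or "*"
    action: str          # "allow" or "deny"
    protocols: frozenset  # empty set means "all protocols"


def parse_rules(text: str) -> list:
    """Parse rules in the form: target localAddress localPort action [protocols...]"""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4 or parts[3] not in ("allow", "deny"):
            raise ValueError(f"malformed rule: {raw!r}")
        if parts[2] != "*":
            int(parts[2])                      # fail early on a non-numeric port
        rules.append(Rule(parts[0], parts[1], parts[2], parts[3],
                          frozenset(p.lower() for p in parts[4:])))
    return rules


def _target_matches(target: str, remote_ip: str, remote_host) -> bool:
    # An IP or network target is compared numerically; anything else is a hostname glob.
    try:
        net = ipaddress.ip_network(target, strict=False)
    except ValueError:
        return remote_host is not None and fnmatch.fnmatch(remote_host.lower(), target.lower())
    return ipaddress.ip_address(remote_ip) in net


def evaluate(rules: list, remote_ip: str, local_addr: str, local_port: int,
             protocol: str, remote_host=None) -> str:
    """Return the first matching rule's action; unmatched connections are allowed
    (the documented default, so an empty rule set denies nothing)."""
    for r in rules:
        if not _target_matches(r.target, remote_ip, remote_host):
            continue
        if r.local_addr != "*" and r.local_addr != local_addr:
            continue
        if r.local_port != "*" and int(r.local_port) != local_port:
            continue
        if r.protocols and protocol.lower() not in r.protocols:
            continue
        return r.action
    return "allow"


def internet_reachable(rules: list, listen_addr: str, listen_port: int,
                       public_ip: str = "203.0.113.7") -> list:
    """Risky protocols a constructed public source address can reach on the listener."""
    return [p for p in RISKY_PROTOCOLS
            if evaluate(rules, public_ip, listen_addr, listen_port, p) == "allow"]


def triage(version: str, rules: list, listen_addr: str = "10.20.1.5",
           listen_port: int = 7001) -> dict:
    """Combine the version list and the filter result into a patch-priority verdict."""
    reachable = internet_reachable(rules, listen_addr, listen_port)
    listed = version in AFFECTED_VERSIONS
    return {
        "version": version,
        "listed_affected": listed,
        "internet_reachable": reachable,
        # Highest priority: listed version AND the vulnerable protocols are open to the internet.
        "priority": "immediate" if listed and reachable else ("patch" if listed else "review"),
    }


# Constructed rule sets for comparison.
WEAK_RULES = parse_rules("")   # no connection filter at all: everything is allowed
HARDENED_RULES = parse_rules("""
# T3/IIOP only from the internal application subnet; HTTP is left untouched.
10.20.0.0/16              * * allow t3 t3s iiop iiops
dialup-*.example.com      * * deny  t3 t3s
0.0.0.0/0                 * * deny  t3 t3s iiop iiops
""")

if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(label, triage("12.2.1.4.0", rules))
```

Run stand-alone, the script rates the unfiltered 12.2.1.4.0 instance "immediate" and the filtered one "patch": the hardened rules close T3 and IIOP to the public source while leaving HTTP unaffected, but the version is still listed and the fix is the July 2024 CPU, not the filter. Rule order matters in this model exactly as it does in the real filter; putting the deny-all line first would also deny the internal subnet.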

Sources