CISA Adds Two-Year-Old Oracle WebLogic Flaw to KEV Catalog

CISA added CVE-2024-21182 to its Known Exploited Vulnerabilities catalog on June 1, 2026, after confirming active attacks against Oracle WebLogic Server deployments. The vulnerability, originally patched in July 2024, allows unauthenticated attackers to take control of vulnerable servers via the T3 and IIOP protocols. Federal agencies must remediate by June 4.

The belated exploitation highlights a persistent problem: organizations delay patching enterprise middleware, creating windows that threat actors eventually discover and exploit at scale.

Technical Details

CVE-2024-21182 affects the Core component of Oracle WebLogic Server with a CVSS score of 7.5. The flaw enables unauthenticated network-based attacks against systems running supported versions 12.2.1.4.0 and 14.1.1.0.0.

The vulnerability targets T3 and IIOP protocols—Oracle's proprietary communication mechanisms for inter-component traffic within WebLogic deployments. These protocols typically operate on ports 7001 and 7002.

Successful exploitation grants attackers full control over the WebLogic server, enabling:

• Deployment of malicious applications
• Access to connected databases and backend systems
• Lateral movement across the enterprise network
• Data exfiltration from business applications

Active Exploitation Observed

Security researchers report an uptick in exploitation attempts since mid-May 2026, with honeypots recording scans and payloads targeting unpatched WebLogic instances. Observed attack payloads include:

• Cryptocurrency miners
• Cobalt Strike beacons for persistent access
• Sodinokibi (REvil) ransomware deployment

The variety of payloads suggests multiple threat actors are exploiting the vulnerability for different objectives—from cryptomining opportunists to organized ransomware affiliates.

Why the Two-Year Gap?

Oracle addressed CVE-2024-21182 in its July 2024 Critical Patch Update. The nearly two-year gap between patch availability and confirmed exploitation isn't unusual for enterprise middleware. Several factors contribute:

Patch complexity: WebLogic servers often run business-critical applications with complex dependencies. Organizations may delay updates to avoid disrupting production systems.

Legacy deployments: Many WebLogic instances support applications built years ago, running on configurations that haven't been updated in years. IT teams may not even know they're responsible for these systems.

Protocol exposure: T3 and IIOP protocols sometimes get exposed to the internet during cloud migrations or through misconfigured firewalls, creating attack surfaces administrators didn't intend.

The exploitation pattern mirrors what we saw with Oracle REST Data Services CVE-2026-46840—Oracle infrastructure becomes a target once attackers develop reliable exploitation techniques.

Recommended Actions

1. Patch immediately — Apply Oracle's July 2024 Critical Patch Update or later to all WebLogic deployments
2. Audit protocol exposure — Verify T3 and IIOP ports (7001, 7002) aren't accessible from untrusted networks
3. Enable authentication — Configure T3 and IIOP to require authentication where possible
4. Monitor for compromise — Search logs for unusual application deployments or connections from unknown sources
5. Inventory middleware — Identify all WebLogic instances, including those supporting legacy applications

Broader Context

This marks the third Oracle vulnerability added to CISA's KEV catalog in the past month. The Known Exploited Vulnerabilities catalog mandates remediation timelines for federal agencies under Binding Operational Directive 22-01, but private organizations should treat KEV additions as strong signals that exploitation has reached meaningful scale.

WebLogic's position in enterprise architecture—typically handling authentication, application hosting, and database connectivity—makes it a high-value target. A compromised WebLogic server often provides direct paths to databases containing customer data, financial records, and business-critical information.

Why This Matters

Two-year-old vulnerabilities returning as active threats underscores that patching debt eventually comes due. The attackers exploiting CVE-2024-21182 today are likely scanning for the same deployment patterns they'll exploit tomorrow with the next critical Oracle flaw.

Organizations running Oracle middleware should establish regular patching cadences rather than waiting for CISA KEV notices. By the time a vulnerability reaches the catalog, exploitation is already widespread—remediation becomes incident response rather than proactive security.

For guidance on managing patch timelines and vulnerability prioritization, see our security resources.