Light bulb Limited Spots Available: Secure Your Lifetime Subscription on Gumroad!

Jun 05, 2026 · 5 min read

CISA KEV: 2-Year-Old Oracle WebLogic Bug Now Exploited

CISA added CVE-2024-21182 to its Known Exploited Vulnerabilities catalog on June 1, 2026 — nearly two years after Oracle patched it. Federal agencies have until June 22 to remediate a flaw that lets an unauthenticated attacker on the network compromise Oracle WebLogic Server over T3 or IIOP.

The patch landed in Oracle's July 2024 Critical Patch Update. Twenty three months later, enough unpatched WebLogic instances are still sitting on the internet that CISA saw confirmed in the wild exploitation and reached for a Binding Operational Directive 22-01 listing. The agency does not normally publish KEV entries without operator evidence — so somewhere, somebody is using this flaw against a real environment right now.

Enterprise server room with rows of data center racks lit in deep indigo and blue tones, a single amber warning light glowing softly on one rack in the foreground

Key Takeaways

  • CISA added CVE-2024-21182, an Oracle WebLogic Server Core flaw, to its KEV catalog on June 1, 2026 based on confirmed evidence of active exploitation.
  • The vulnerability carries a CVSS score of 7.5 and was patched by Oracle in the July 2024 Critical Patch Update — but unpatched instances remain reachable on the public internet 23 months later.
  • Exploitation requires only network access to the T3 or IIOP protocols and no authentication, allowing an attacker to compromise the underlying WebLogic Server.
  • Affected versions include Oracle WebLogic Server 12.2.1.4.0 and 14.1.1.0.0.
  • Federal Civilian Executive Branch agencies must remediate by June 22, 2026 under Binding Operational Directive 22-01; private sector operators are strongly encouraged to do the same.

What Is CVE-2024-21182?

CVE-2024-21182 is a high severity vulnerability in the Core component of Oracle WebLogic Server. The relevant attack surface is the T3 protocol (Oracle's RMI flavored remote method invocation transport) and the IIOP protocol (the CORBA Internet Inter ORB Protocol). Both are management and inter process communication channels that a properly hardened deployment should never expose to the public internet — and yet, Shodan and Censys consistently show several thousand WebLogic instances with these ports reachable from anywhere.

The vulnerability is described in Oracle's advisory as "easily exploitable" by an attacker with network access. A successful exploit ends in full takeover of the WebLogic Server. That is the high impact end of the CVSS scoring system — confidentiality, integrity, and availability all compromised — even at a 7.5 base score, which would have been higher had the bug allowed lateral movement off the affected host without further steps.

Why Is This Bug Resurfacing in 2026?

Two reasons. First, WebLogic is sticky enterprise infrastructure. It runs in Oracle Forms shops, Java application server fleets, government identity systems, and bank batch processing pipelines — environments where production windows are short, regression testing is heavy, and "we will patch it next quarter" stretches into next year.

Second, prior WebLogic CVEs taught attackers a profitable playbook. CVE-2017-10271, CVE-2019-2725, and CVE-2020-2883 all hit T3 deserialization paths and all ended up in cryptominer, ransomware, and Chinese APT toolkits. Once a vulnerability targets the same component family that a thousand existing exploits already weaponized, the engineering effort to add a new one is small. Add KEV listing on top of that and every red team in the world now has a fresh Friday afternoon target.

How Are Attackers Exploiting It?

CISA's KEV listing confirms in the wild exploitation but does not publish the operator behind it. Imperva and other vendors have observed scanning activity targeting T3 endpoints over the last several weeks, which is consistent with the public proof of concept work that surfaced shortly after Oracle's original advisory in July 2024. The likely pattern: an attacker sweeps the internet for exposed WebLogic instances, fingerprints the version banner, and drops a deserialization payload over T3 that yields remote code execution as the WebLogic process user.

From there the standard kill chain applies — credential harvesting from memory and config files, pivoting to internal databases, and dropping a persistence mechanism so the operator does not lose access if the original WebLogic process restarts. Historic WebLogic exploitation campaigns ended in cryptominers on opportunistic targets and ransomware staging on high value ones.

What Defenders Should Do Now

CISA's deadline is June 22, 2026 for federal agencies. Private operators should treat that date as their own.

  • Apply the July 2024 Oracle Critical Patch Update or any later quarterly CPU. If you patched at any point after July 2024 you are likely already covered, but verify your WebLogic version banner against Oracle's advisory.
  • Audit T3 and IIOP exposure. Neither protocol should be reachable from the public internet in 2026. Restrict them to internal management VLANs.
  • Pull egress logs for WebLogic hosts. Look for outbound connections to known cryptominer pools, suspicious IPs, and any new persistence mechanisms installed since April.
  • Inventory legacy Java application servers. If WebLogic 12.2.1.4 is in your environment because nobody remembers what depends on it, treat that as a finding — not just a patch ticket.

For context on how CISA's KEV process now incorporates external researcher submissions, see our coverage of CISA opening its KEV nomination form to outside researchers. For another recent CISA KEV addition with a similarly tight federal deadline, see our coverage of the Trend Micro Apex One zero day CVE-2026-34926.

The Bigger Story

A two year old Oracle bug entering KEV in 2026 is not really a vulnerability story. It is an asset inventory story. Somewhere, an organization that depends on WebLogic forgot it depended on WebLogic — or knew, and decided the patching pain was bigger than the breach risk. Twenty three months later, somebody else made the cost benefit calculation on their behalf.

Stop Email Tracking in Gmail

Spy pixels track when you open emails, where you are, and what device you use. Gblock blocks them automatically.

Try Gblock Free for 30 Days

No credit card required. Works with Chrome, Edge, Brave, and Arc.