Oracle WebLogic Server contains a vulnerability, tracked as CVE-2024-21182, that allows unauthenticated attackers with network access via the T3 and IIOP protocols to compromise the server and gain access to critical data. The vulnerability was originally patched in the July 2024 Oracle Critical Patch Update, but CISA has now added it to the Known Exploited Vulnerabilities (KEV) catalog on June 1, 2026 — nearly two years after the patch was released — with a federal agency remediation deadline of June 4, 2026. The KEV addition indicates sustained exploitation interest targeting unpatched WebLogic instances still in production.
What Is the Vulnerability?
CVE-2024-21182 is a vulnerability in the Core component of Oracle WebLogic Server that affects the T3 and IIOP protocols — Oracle’s proprietary communication protocols used for inter-component communication within WebLogic deployments. An unauthenticated attacker with network access to these protocols can exploit the vulnerability to compromise the WebLogic server without credentials.
Oracle’s advisory describes the vulnerability as “easily exploitable” — allowing an unauthenticated attacker with network access via T3 or IIOP to compromise Oracle WebLogic Server. Successful attacks can result in unauthorised access to critical data and, depending on the environment configuration, potential full server compromise. WebLogic is Oracle’s flagship Java EE application server and is widely deployed in government, financial services, insurance, telecommunications, and large enterprise environments to host business-critical Java applications. The T3 and IIOP protocols are commonly exposed on enterprise networks — often more broadly than necessary — because they are required for communication between WebLogic cluster members and administrative tools.
- CVSS v3.1 Score: 7.5 (High)
- Attack Vector: Network (AV:N)
- Attack Complexity: Low (AC:L)
- Privileges Required: None (PR:N)
- User Interaction: None (UI:N)
- CISA KEV: Added June 1, 2026 — federal agency deadline June 4, 2026
Which Versions Are Affected?
The vulnerability affects two major versions of Oracle WebLogic Server:
- Oracle WebLogic Server 12.2.1.4.0
- Oracle WebLogic Server 14.1.1.0.0
Both versions are widely deployed in production enterprise environments. WebLogic 12.2.1.4.0 is a long-term support release with an extended support lifecycle, meaning many organisations have it deployed in environments where patching cycles are conservative and infrequent — a key factor in why unpatched instances remain in production nearly two years after the fix was released.
Is It Being Exploited in the Wild?
Yes — CISA KEV addition confirms active exploitation. Inclusion in the CISA Known Exploited Vulnerabilities catalog means CISA has confirmed that this vulnerability is being actively exploited in the wild. The fact that CISA added this CVE in June 2026 — nearly two years after Oracle released the patch in July 2024 — is a strong signal that a significant population of unpatched WebLogic instances remains in production and is being targeted. The tight remediation deadline of June 4 — just three days from the KEV addition — indicates urgency. The T3 and IIOP protocols have been the attack vector for numerous high-impact WebLogic vulnerabilities over the years, and automated scanning tools specifically target these protocols on default WebLogic ports (typically 7001 for T3). Organisations with internet-facing WebLogic instances or WebLogic servers on flat internal networks are at elevated risk.
What Is the Fix?
Oracle released the patch for CVE-2024-21182 in the July 2024 Critical Patch Update. If you are running an affected version of WebLogic, apply the July 2024 CPU or any subsequent Oracle patch release that includes this fix. The July 2024 CPU is available at:
https://www.oracle.com/security-alerts/cpujul2024.html
After patching, verify the applied CPU level through the WebLogic Server administration console or via the OPatch utility. Both WebLogic 12.2.1.4.0 and 14.1.1.0.0 require the July 2024 CPU or a later patch bundle.
Recommendations
Patch by June 4 — the CISA KEV deadline is in two days. Federal agencies and organisations subject to BOD 22-01 must remediate by the deadline. Even for non-federal organisations, the KEV addition signals confirmed active exploitation. If your WebLogic instances are running unpatched versions, patch them this week.
Audit your WebLogic inventory. WebLogic servers are often deployed in enterprise environments where they may have been installed years ago and may not be covered by routine vulnerability scanning. Identify all WebLogic instances in your environment — including development, test, staging, and disaster recovery environments — and verify their patch level. Pay particular attention to WebLogic 12.2.1.4.0 instances, which may be running in “stable, don’t touch” environments that have deferred patching.
Restrict T3 and IIOP protocol access. The T3 and IIOP protocols are often unnecessarily exposed to broader network segments than required. Audit your WebLogic network configuration and restrict T3 (default port 7001) and IIOP access to only trusted application servers, administrative hosts, and cluster members. Block T3 and IIOP traffic from untrusted networks — including the internet — at the network perimeter. This is a high-impact, low-effort mitigation that reduces the attack surface for this and future WebLogic protocol vulnerabilities.
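One way to reason about this restriction before deploying it is to model WebLogic's connection filter rules and check which sources can still open T3 or IIOP. The script below is an added example, not Oracle's code or part of this advisory: it evaluates rule lines written in the documented ConnectionFilterImpl format (target localAddress localPort action protocols, first match wins) and contrasts a permissive rule set with a hardened one. The IP ranges are constructed, hostname targets are not modelled, and localAddress is ignored.

```python
# Added example, not Oracle's code: first-match evaluation of WebLogic-style
# connection filter rules, to check who may open T3/IIOP on port 7001.
import ipaddress

# Rule syntax follows Oracle's documented ConnectionFilterImpl format:
#   target localAddress localPort action protocol...
# Assumptions: IP/CIDR targets only (no hostnames); localAddress is ignored.
WEAK_RULES = """
# any host that can reach 7001 may speak T3/IIOP
0.0.0.0/0 * 7001 allow t3 t3s iiop iiops
"""
HARDENED_RULES = """
# constructed trusted ranges first: cluster members, then one admin host (T3 only)
10.20.30.0/24 * 7001 allow t3 t3s iiop iiops
10.20.99.5    * 7001 allow t3 t3s
# everyone else: no T3/IIOP; HTTP(S) matches no rule and falls through
0.0.0.0/0     * 7001 deny t3 t3s iiop iiops
"""

def parse_rules(text):
    """Parse rule lines (blank lines and # comments ignored) into dicts."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        target, _local_addr, local_port, action, *protocols = line.split()
        if action not in ("allow", "deny") or not protocols:
            raise ValueError(f"bad rule: {raw!r}")
        rules.append({"net": ipaddress.ip_network(target, strict=False),
                      "port": None if local_port == "*" else int(local_port),
                      "action": action, "protocols": set(protocols)})
    return rules

def evaluate(rules, remote_ip, local_port, protocol, default="allow"):
    """First matching rule decides. A connection matching no rule gets
    `default`; never rely on it, end every rule set with an explicit deny."""
    addr = ipaddress.ip_address(remote_ip)
    for r in rules:
        if (addr in r["net"] and r["port"] in (None, local_port)
                and protocol in r["protocols"]):
            return r["action"]
    return default

def t3_exposed(rule_text, internet_ip="203.0.113.7"):
    """True if an untrusted (constructed) internet address may open T3."""
    return evaluate(parse_rules(rule_text), internet_ip, 7001, "t3") == "allow"
```

Because HTTP and HTTPS match none of the hardened rules, web traffic to the same port keeps working while T3 and IIOP from outside the trusted ranges are refused.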
Check for signs of compromise. Review WebLogic server access logs for unexpected T3 or IIOP connection attempts from unrecognised IP addresses. Monitor for new administrative users, modified deployed applications, or unexpected configuration changes. WebLogic audit logs can provide visibility into administrative actions performed through compromised sessions.
References
- Oracle July 2024 Critical Patch Update
- NVD: CVE-2024-21182
- CISA Known Exploited Vulnerabilities Catalog
- Vulnerability Intelligence Report — June 2, 2026
This advisory was first covered in the broader Vulnerability Intelligence Report — June 2, 2026. For a comprehensive view of all active threats and newly disclosed vulnerabilities, refer to the full report.
