On June 1, 2026, CISA added vulnerability CVE-2024-21182 to the Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation of this flaw in Oracle WebLogic Server. The vulnerability, rated CVSS 7.5, allows an unauthenticated attacker with network access to compromise the server via the T3 or IIOP protocols. Oracle released a patch back in July 2024 — almost two years earlier — yet unpatched servers remain targets. U.S. federal civilian agencies are required to remediate the vulnerability by June 4, 2026, but the recommendation is relevant for all organizations using WebLogic.
Technical details of the vulnerability
The CVE-2024-21182 vulnerability affects Oracle WebLogic Server — a widely used Java EE application server that is often a key component of corporate infrastructure. According to CISA’s description, exploitation occurs via the T3 and IIOP network protocols, which WebLogic uses for inter-server communication and remote procedure calls.
Key characteristics of the vulnerability:
- Identifier: CVE-2024-21182
- CVSS score: 7.5 (high)
- Attack vector: network, no authentication required
- Exploitation protocols: T3, IIOP
- Impact: unauthorized access to critical data or full access to all data available to the Oracle WebLogic Server
- Exploitation status: added to the CISA KEV catalog (confirmed active exploitation)
It is important to clarify the scope of impact: CISA’s wording points specifically to compromise of data available to the WebLogic server, rather than full takeover of the host operating system. Nevertheless, given that WebLogic often processes business-critical data and is integrated with databases, the consequences of a successful attack can be very serious.
Oracle released a fix as part of the Critical Patch Update (CPU) in July 2024. The fact that the vulnerability was added to KEV almost two years after the patch was issued indicates a significant number of unpatched servers still running in production.
Threat context: WebLogic as a constant target
Oracle WebLogic Server has historically been one of the most attractive targets for attackers. Previous vulnerabilities in this product have repeatedly been used by various groups to build botnets, mine cryptocurrency, and deploy ransomware. The appearance of CVE-2024-21182 in the KEV catalog fits this persistent trend.
Based on currently available information, there are still no public reports describing specific exploitation methods for CVE-2024-21182. This means CISA possesses its own data on active exploitation that has not yet been disclosed publicly — which further underscores the seriousness of the situation.
The T3 and IIOP protocols used in the attack are characteristic vectors for deserialization vulnerabilities in WebLogic. Many previous critical WebLogic vulnerabilities — including a whole series of flaws exploited between 2020 and 2024 — leveraged these exact protocols. Organizations that did not restrict access to T3/IIOP after earlier incidents are highly likely to remain vulnerable to CVE-2024-21182 as well.
Impact assessment
Oracle WebLogic Server is widely deployed in large enterprises, financial institutions, government bodies, and telecommunications companies. WebLogic servers often act as a bridge between web applications and corporate databases, making their compromise a potential springboard for further movement across the network.
The highest risk is faced by organizations that:
- Have not applied Oracle’s July 2024 update
- Run WebLogic servers with T3/IIOP ports exposed and accessible from the internet
- Use outdated WebLogic versions that are no longer fully supported
The two-year gap between patch release and confirmation of active exploitation is a typical pattern for enterprise software: the complexity of updating application servers in production environments often results in critical fixes being postponed indefinitely.
Practical recommendations
- Apply the patch immediately: deploy the update from the Oracle Critical Patch Update of July 2024. If the server has not been updated since then, it is recommended to install the latest available CPU, which also includes this fix.
- Restrict access to T3 and IIOP protocols: configure connection filtering at both the network firewall and WebLogic configuration levels. Access to these protocols should be allowed only from trusted internal hosts.
- Audit open ports: verify that WebLogic ports (port 7001, 7002 by default) are not exposed to the internet. Use perimeter scanning to detect unintentionally exposed instances.
- Review logs for signs of compromise: analyze WebLogic logs for anomalous T3/IIOP connections, especially from external IP addresses.
- Consider segmentation: WebLogic servers processing critical data should be placed in a separate network segment with tightly controlled access.
Organizations using Oracle WebLogic Server should treat patching CVE-2024-21182 as a priority task, without waiting for detailed exploitation techniques to be published. Inclusion in the CISA KEV catalog is a confirmed signal of active attacks, and restricting access to the T3 and IIOP protocols from untrusted networks is the minimum protective measure that can be implemented before the update is installed.
