CISA Adds Oracle WebLogic CVE-2024-21182 to KEV Catalog After Active Exploitation

CISA Adds Oracle WebLogic CVE-2024-21182 to KEV Catalog After Active Exploitation

The U.S. Cybersecurity and Infrastructure Security Agency added Oracle WebLogic Server vulnerability CVE-2024-21182 to its Known Exploited Vulnerabilities catalog on June 1, 2026, confirming active exploitation in the wild of a flaw that Oracle originally patched in its July 2024 Critical Patch Update — nearly two years ago. With a CVSS score of 7.5, the vulnerability allows unauthenticated remote attackers to gain access to vulnerable WebLogic Server instances via the platform's proprietary T3 protocol or the Internet Inter-ORB Protocol (IIOP), potentially resulting in unauthorised access to critical application data or complete control over the affected WebLogic environment. CISA has directed all Federal Civilian Executive Branch agencies to remediate the vulnerability under Binding Operational Directive 22-01, with a mandatory deadline of June 4, 2026.

What the Vulnerability Does and Why It Is Dangerous

CVE-2024-21182 is classified as an unspecified vulnerability in Oracle WebLogic Server — a widely deployed enterprise Java application server used to host mission-critical applications across finance, healthcare, government, and technology sectors in both cloud and on-premise environments. The flaw requires no authentication to exploit. An attacker with network access to a vulnerable WebLogic instance via T3 or IIOP — both commonly used for internal WebLogic component communication — can leverage the flaw to bypass authentication controls, access sensitive application data, and in high-risk scenarios achieve full system compromise. Successful exploitation opens the door to lateral movement within enterprise networks, deployment of web shells or remote access trojans, data exfiltration, and potentially the introduction of ransomware payloads. Several proof-of-concept exploits targeting CVE-2024-21182 have been publicly available since the vulnerability was disclosed, lowering the technical barrier for opportunistic threat actors.

The Broader Oracle WebLogic Threat Context

CISA's KEV catalog already includes over a dozen other Oracle WebLogic Server vulnerabilities — the majority assigned CVEs in 2020 or earlier, demonstrating a persistent and long-running pattern of WebLogic exploitation by threat actors. Earlier in 2026, CloudSEK disclosed that a separate maximum-severity WebLogic vulnerability (CVE-2026-21962, CVSS score 10.0) was subjected to automated exploitation attempts almost immediately after public proof-of-concept code became available. Oracle WebLogic has historically been weaponised in campaigns involving botnet enrollment, cryptocurrency mining, and ransomware deployment, making it a consistently high-value target for financially motivated threat actors.

What Organisations Must Do Now

Apply Oracle's official patches from the July 2024 CPU without delay — any WebLogic instance that has not been updated in the intervening two years is actively exploitable. Audit the network exposure of all WebLogic services and immediately restrict or block access to T3 and IIOP protocols from untrusted external networks. Implement strict network segmentation around WebLogic deployments and configure logging and threat detection to flag unusual T3 or IIOP traffic patterns. If patches cannot be applied immediately, isolate or take offline vulnerable instances until remediation is complete. For organisations that cannot verify their WebLogic patch status, treat all internet-exposed instances as potentially compromised and initiate forensic review.