Executive Summary
CVE-2024-21182 is an unspecified vulnerability in Oracle WebLogic Server that enables unauthenticated remote attackers to compromise the server via network access over the T3 or IIOP protocols. Successful exploitation can result in unauthorized read access to critical data or complete access to all Oracle WebLogic Server data.
CISA added CVE-2024-21182 to its Known Exploited Vulnerabilities (KEV) catalog on June 1, 2026, confirming active exploitation in the wild.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2024-21182 |
| Vendor | Oracle |
| Product | WebLogic Server |
| Affected Versions | 12.2.1.4.0, 14.1.1.0.0 |
| Attack Vector | Network (T3 / IIOP) |
| Authentication Required | None |
| User Interaction | None |
| CISA KEV Added | June 1, 2026 |
| Exploitation Status | Active |
The vulnerability was originally disclosed as part of Oracle's January 2024 Critical Patch Update (CPU) but has now been confirmed to be under active exploitation, prompting CISA's KEV addition.
Affected Products
| Product | Affected Version |
|---|---|
| Oracle WebLogic Server | 12.2.1.4.0 |
| Oracle WebLogic Server | 14.1.1.0.0 |
Oracle WebLogic Server is a widely deployed Java EE application server used in enterprise environments worldwide, making this vulnerability high-value for threat actors targeting business-critical infrastructure.
Technical Details
While Oracle has not disclosed the full technical details of the vulnerability (classified as "unspecified"), key characteristics include:
- Network exploitability: Attacks are delivered over the network, requiring no physical access
- No authentication: Attackers do not need credentials to exploit the vulnerability
- T3 and IIOP exposure: Both the T3 (proprietary WebLogic protocol) and IIOP (Internet Inter-ORB Protocol) network channels are attack vectors
- Data impact: Exploitation can result in unauthorized access to all data stored on or accessible by the WebLogic Server instance
- No user interaction: The attack is fully automated and requires no action from a legitimate user
Attack Surface
Organizations with Oracle WebLogic Server instances that expose T3 (default port 7001) or IIOP (default port 2809) to the internet or untrusted networks are at immediate risk.
Exploitation Timeline
| Date | Event |
|---|---|
| January 2024 | Oracle discloses CVE-2024-21182 in CPU advisory |
| January 2024 | Patches released for affected versions |
| June 1, 2026 | CISA adds to KEV catalog — active exploitation confirmed |
The gap between original disclosure and CISA KEV addition indicates that while patches were available, unpatched instances remained in production and became active targets more than two years after the initial disclosure.
Immediate Remediation
Apply Oracle Patches
- WebLogic Server 12.2.1.4.0: Apply the patch bundle from Oracle's January 2024 CPU or later
- WebLogic Server 14.1.1.0.0: Apply the patch bundle from Oracle's January 2024 CPU or later
- Verify patch application via Oracle's OPatch utility
Network Hardening (Interim Mitigations)
If patching is not immediately possible, restrict access to T3 and IIOP ports:
```bash
# Restrict T3 port (default 7001) at the firewall
# Only allow trusted internal hosts
iptables -A INPUT -p tcp --dport 7001 -s <trusted-network> -j ACCEPT
iptables -A INPUT -p tcp --dport 7001 -j DROP
# Restrict IIOP port (default 2809)
iptables -A INPUT -p tcp --dport 2809 -s <trusted-network> -j ACCEPT
iptables -A INPUT -p tcp --dport 2809 -j DROP
```
Disable Unused Protocols
If T3 or IIOP access is not required for your deployment, disable these listeners in the WebLogic console:
- Disable T3: Administration Console → Servers → [server] → Protocols → Disable T3
- Disable IIOP: Administration Console → Servers → [server] → Protocols → Disable IIOP
Detection
Monitor for the following indicators of potential exploitation:
Log Indicators
- Unusual authentication failures or anonymous connection attempts on T3/IIOP ports
- Large volumes of unexpected inbound traffic on ports 7001 or 2809
- Unexpected process spawning from WebLogic Server processes
- New or unusual network outbound connections from WebLogic host systems
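One way to turn the indicators above into a repeatable check, as an added example that is not part of the advisory: a small Python analyzer run over constructed connection records. The record format, the trusted range 10.0.0.0/8, the allow-listed backend host 10.0.5.20 and the burst threshold are all assumptions.

```python
"""Flag suspicious T3/IIOP activity in connection records (constructed example).

Assumed record format, one per line:
    <timestamp> <in|out> <process/pid> <local_ip:port> <remote_ip:port>
"""
import ipaddress
from collections import Counter

T3_IIOP_PORTS = {7001, 2809}                          # defaults named in the advisory
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed trusted internal range
KNOWN_OUTBOUND = {"10.0.5.20"}                        # assumed allow-listed backend host
BURST_THRESHOLD = 3                                   # assumed: >3 hits from one source

def _is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def parse_record(line):
    ts, direction, proc, local, remote = line.split()
    lip, lport = local.rsplit(":", 1)
    rip, rport = remote.rsplit(":", 1)
    return {"ts": ts, "dir": direction, "proc": proc,
            "lip": lip, "lport": int(lport), "rip": rip, "rport": int(rport)}

def analyze(lines):
    """Return a list of (alert_type, address, detail) tuples."""
    alerts, hits, flagged_sources = [], Counter(), set()
    for rec in map(parse_record, lines):
        if rec["dir"] == "in" and rec["lport"] in T3_IIOP_PORTS:
            hits[rec["rip"]] += 1                      # count T3/IIOP hits per source
            if not _is_trusted(rec["rip"]) and rec["rip"] not in flagged_sources:
                flagged_sources.add(rec["rip"])
                alerts.append(("untrusted_t3_iiop_source", rec["rip"], rec["lport"]))
        elif rec["dir"] == "out" and rec["proc"].startswith("java") \
                and rec["rip"] not in KNOWN_OUTBOUND:
            alerts.append(("unexpected_outbound", rec["rip"], rec["rport"]))
    for src, n in hits.items():                        # burst check after the pass
        if n > BURST_THRESHOLD:
            alerts.append(("t3_iiop_burst", src, n))
    return alerts

SAMPLE = [  # constructed records, not real telemetry
    "2026-06-02T10:00:01 in java/4120 10.0.1.5:7001 203.0.113.7:51002",
    "2026-06-02T10:00:02 in java/4120 10.0.1.5:7001 203.0.113.7:51003",
    "2026-06-02T10:00:02 in java/4120 10.0.1.5:2809 203.0.113.7:51004",
    "2026-06-02T10:00:03 in java/4120 10.0.1.5:7001 203.0.113.7:51005",
    "2026-06-02T10:00:05 in java/4120 10.0.1.5:7001 10.0.2.9:40011",
    "2026-06-02T10:00:07 out java/4120 10.0.1.5:44120 10.0.5.20:1521",
    "2026-06-02T10:00:09 out java/4120 10.0.1.5:44121 198.51.100.4:8443",
    "2026-06-02T10:00:10 in sshd/911 10.0.1.5:22 10.0.2.9:50000",
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE):
        print(alert)
```

The trusted internal source on 7001 and the allow-listed outbound connection produce no alert; the external source is flagged once as untrusted and again for the burst, and the outbound connection to an unknown host is reported separately.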
Recommended Monitoring
```bash
# Monitor WebLogic access logs for anonymous T3/IIOP access attempts
grep -i "t3://" /path/to/weblogic/logs/access.log | grep -i "anonymous\|unauthenticated"
# Check for unexpected outbound connections from WebLogic process
ss -tnp | grep java | grep -v "<known-hosts>"
# Review recent WebLogic server log for error patterns
tail -n 1000 /path/to/weblogic/logs/server.log | grep -i "error\|exception\|unauthorized"
```
Federal Agency Requirements
CISA's KEV catalog addition on June 1, 2026 requires federal civilian executive branch (FCEB) agencies to apply patches per Binding Operational Directive (BOD) 22-01. Agencies must remediate this vulnerability according to the CISA-specified deadline.
Key Takeaways
- CISA KEV confirmed — active exploitation underway as of June 1, 2026
- Unauthenticated access via T3 or IIOP means internet-exposed instances are at critical risk
- Patches available since January 2024 — organizations running unpatched WebLogic should treat this as an emergency
- Restrict T3/IIOP at the network perimeter if immediate patching is not feasible
- Audit WebLogic deployments for any signs of unauthorized access since early 2026