Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a high-severity security flaw impacting Oracle WebLogic Server to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. The vulnerability, CVE-2024-21182 (CVSS score: 7.5), allows an unauthenticated attacker with network access to take control of susceptible servers. It was
Analysis Summary
# Vulnerability: Oracle WebLogic Server Unauthenticated Remote Code Execution
## CVE Details
- **CVE ID**: CVE-2024-21182
- **CVSS Score**: 7.5 (High)
- **CWE**: Not explicitly specified in the article (typically associated with improper input validation or deserialization in WebLogic)
## Affected Systems
- **Products**: Oracle WebLogic Server
- **Versions**: Impacted versions addressed in the July 2024 Critical Patch Update (commonly 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0).
- **Configurations**: Systems with **T3** or **IIOP** protocols enabled and accessible over the network.
## Vulnerability Description
CVE-2024-21182 is a high-severity flaw that allows an unauthenticated attacker with network access via the T3 or IIOP protocols to compromise the Oracle WebLogic Server. While Oracle describes it as an "unspecified" vulnerability, it facilitates unauthorized access to critical data and can lead to a complete takeover of the server environment.
## Exploitation
- **Status**: **Exploited in the wild.** Added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog on June 1, 2026.
- **Complexity**: Low (implied, as it is being weaponized by automated botnets).
- **Attack Vector**: Network (Remote).
## Impact
- **Confidentiality**: High (Unauthorized access to critical/server data).
- **Integrity**: High (Total control over the susceptible server).
- **Availability**: High (Complete server compromise).
## Remediation
### Patches
- Apply the **Oracle Critical Patch Update (CPU) from July 2024** or later.
- Oracle security alerts can be found at: hxxps[://]www[.]oracle[.]com/security-alerts/cpujul2024[.]html
### Workarounds
- **Disable T3/IIOP Protocols**: If these protocols are not required for business operations, disable them to close the attack vector.
- **Network Filtering**: Implement connection filters to restrict T3/IIOP traffic specifically to trusted IP addresses only.
## Detection
- **Indicators of Compromise**: Monitor for unusual administrative activity or unauthorized file creation (Web shells) on WebLogic servers.
- **Detection methods and tools**:
- Use CISA’s KEV catalog to track deadlines for remediation (Federal agencies required to patch by June 4, 2026).
- Scan for open ports 7001 (default T3) and review logs for incoming T3/IIOP requests from unknown external IPs.
## References
- **Vendor Advisory**: hxxps[://]www[.]oracle[.]com/security-alerts/cpujul2024[.]html
- **CISA KEV Catalog**: hxxps[://]www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog
- **Original Source**: hxxps[://]thehackernews[.]com/2026/06/oracle-weblogic-cve-2024-21182-added-to[.]html