
CISA adds Oracle WebLogic CVE-2024-21182 to KEV catalog

CISA added the two-year-old Oracle WebLogic auth-bypass CVE-2024-21182 to KEV on June 1, citing active exploitation. Federal agencies have until June 4 to patch.


CISA added CVE-2024-21182 to its Known Exploited Vulnerabilities catalog on June 1, 2026, citing evidence of active exploitation. The flaw is an unauthenticated remote takeover in Oracle WebLogic Server that Oracle patched in the July 2024 Critical Patch Update — nearly two years before federal civilian agencies were ordered to fix it. The CISA deadline under BOD 22-01 is June 4, 2026.

What the bug does

Oracle's advisory describes CVE-2024-21182 as an "easily exploitable" vulnerability in the WebLogic Core, reachable by an unauthenticated attacker with network access over the T3 or IIOP protocols. Successful exploitation yields unauthorized access to Oracle WebLogic Server data or full takeover. CVSS v3.1 is 7.5 (High). The classic WebLogic exposure pattern applies: T3 is the legacy Java-RMI-over-TCP transport that operators forget to firewall, and the server happily deserializes whatever a remote client sends it.

Affected versions

Oracle's CPU lists two affected branches:

  • WebLogic Server 12.2.1.4.0
  • WebLogic Server 14.1.1.0.0

The fix shipped in the July 2024 Critical Patch Update as part of the broader WebLogic patch set. Operators still on either of those branches without the July 2024 CPU applied are exposed.

Exposure on the public internet

Shodan counts cited by Bleeping Computer put roughly 1,592 Oracle WebLogic instances internet-reachable on the two vulnerable branches — 961 on 12.2.1.4.0 and 631 on 14.1.1.0.0. T3 listens on TCP/7001 and IIOP on TCP/7002 by default; both should be assumed scanned continuously.

shodan.io query: product:"Oracle WebLogic Server" port:7001

Exploitation status

CISA's KEV add is by definition a statement of in-the-wild exploitation; the agency does not publicly name the actor or the targeted sector. Reporting at The Hacker News and Bleeping Computer places the uptick in exploitation attempts at mid-May 2026, with honeypot operators observing scans against 7001 and 7002 followed by code-execution payloads. The KEV entry is the only authoritative source for the "exploited" determination — outlet detail on payload families should be treated as honeypot signal, not attribution.

Action checklist

  1. Inventory WebLogic. Treat any host on 12.2.1.4.0 or 14.1.1.0.0 as in scope. WebLogic survives inside Fusion Middleware stacks, Oracle E-Business Suite tiers, and identity-federation rigs long after the team that deployed it left.
  2. Apply the July 2024 CPU or any later CPU. This is the same patch set Oracle shipped 23 months ago; if it has not been applied, the operational debt is the story.
  3. Firewall T3 and IIOP at the perimeter. Block inbound TCP/7001 and TCP/7002 from the public internet; restrict them to management subnets. Oracle's T3 connection filter is the long-standing belt-and-braces control here — it should already be enabled.
  4. Hunt before assuming clean. A two-year window is enough time for any exposed instance to have been touched. Review WebLogic admin server access logs, AdminServer.log for unfamiliar deployments, and the domain/servers/AdminServer/upload directory for staged WARs.
  5. Federal civilian agencies: BOD 22-01 deadline is June 4, 2026. Document remediation per CISA's standard reporting flow.
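Items 1 and 4 of the checklist as a small triage helper, added here and not code from the article or from Oracle: it parses the banner printed by `java weblogic.version` (format assumed from Oracle's standard output), flags the two affected branches, and lists deployable archives in an upload directory modified after the July 2024 CPU (the exact CPU date used as the cutoff is an assumption). `demo()` builds a constructed upload tree so the script runs offline.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Affected branches as stated in the article; the CPU date is an assumption used as hunt cutoff.
AFFECTED_BRANCHES = ("12.2.1.4.0", "14.1.1.0.0")
JULY_2024_CPU = "2024-07-16"
_VERSION_RE = re.compile(r"WebLogic Server (\d+(?:\.\d+)+)")


def classify_version(version_output: str) -> dict:
    """Parse the banner printed by `java weblogic.version`; flag the two in-scope branches."""
    m = _VERSION_RE.search(version_output)
    version = m.group(1) if m else None
    return {"version": version, "in_scope": version in AFFECTED_BRANCHES}


def staged_archives(upload_dir, since: str = JULY_2024_CPU) -> list:
    """Deployable archives under upload_dir with mtime after `since` (YYYY-MM-DD).
    Triage only: mtimes are trivially forged, so an empty list is absence of evidence."""
    root = Path(upload_dir)
    cutoff = time.mktime(time.strptime(since, "%Y-%m-%d"))
    return sorted(
        str(p.relative_to(root)) for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in (".war", ".ear", ".jar")
        and p.stat().st_mtime > cutoff
    )


def demo() -> dict:
    """Run both checks on constructed input: a 12.2.1.4.0 banner and a fake upload tree."""
    banner = "WebLogic Server 12.2.1.4.0 Thu Sep 12 04:04:29 GMT 2019 1974621"  # constructed
    cutoff = time.mktime(time.strptime(JULY_2024_CPU, "%Y-%m-%d"))
    day = 86400
    # Constructed tree: a pre-patch app, an archive staged after the CPU, a file to ignore.
    samples = {"legacy/billing.war": cutoff - 90 * day,
               "unknown.war": cutoff + 30 * day,
               "notes.txt": cutoff + 30 * day}
    with tempfile.TemporaryDirectory() as d:
        for rel, mtime in samples.items():
            p = Path(d, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(b"PK\x03\x04")  # zip magic, enough to stand in for an archive
            os.utime(p, (mtime, mtime))
        staged = staged_archives(d)
    return {"version": classify_version(banner), "staged": staged}
```

On a real host, point staged_archives() at domain/servers/AdminServer/upload and feed classify_version() the output of java weblogic.version run from the server's WebLogic environment.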

Context

CVE-2024-21182 is the latest in a long line of WebLogic T3/IIOP deserialization-class bugs that CISA keeps reaching back to add to KEV well after Oracle shipped the patch — see CVE-2020-2883, CVE-2020-14882, CVE-2023-21931 on the same catalog. The pattern is consistent: WebLogic instances stay deployed for a decade, CPU cadence is quarterly, and operators skip them because "the box hasn't moved." Two years between vendor patch and federal deadline is not unusual on this product; it is the norm.

If your organization runs WebLogic and the response to "apply the July 2024 CPU" is anything other than "already done," the catalog entry is for you.
