HackMyIP
2026-06-02 The Hacker News

CISA Adds Oracle WebLogic CVE-2024-21182 to KEV Catalog Amid Active Exploitation

Tags: Vulnerability, Threat Intel, Incident Response

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity Oracle WebLogic Server flaw, tracked as CVE-2024-21182, to its Known Exploited Vulnerabilities (KEV) Catalog following confirmed evidence of active exploitation in the wild. The vulnerability carries a CVSS score of 7.5 and allows an unauthenticated attacker with network access over the T3 or IIOP protocol to compromise affected WebLogic Server instances. Oracle patched the flaw in its July 2024 Critical Patch Update, but unpatched instances remain in production, and those have now drawn threat actor attention.

According to CISA, successful exploitation of CVE-2024-21182 can result in unauthorized access to critical data or complete access to all data reachable through the Oracle WebLogic Server instance. No public technical details about the current in-the-wild attacks have surfaced, but earlier WebLogic flaws have repeatedly been weaponized for botnet enlistment, cryptocurrency mining, and ransomware deployment. Earlier this year, CloudSEK also documented automated exploitation of another maximum-severity WebLogic flaw, CVE-2026-21962, shortly after proof-of-concept code was published, highlighting the platform's persistent appeal to attackers.

In response to the active exploitation, CISA has directed Federal Civilian Executive Branch (FCEB) agencies to apply the necessary patches by June 4, 2026. Organizations running Oracle WebLogic should prioritize identifying exposed instances and verifying that the July 2024 CPU (or a later one) is actually installed, since the version banner a WebLogic listen port returns identifies the release line, not the patch level. Security teams can use a port scanner to detect publicly accessible T3 and IIOP endpoints (WebLogic multiplexes T3, IIOP and HTTP on the same listen port, 7001 by default) and an SSL/TLS checker to validate the cryptographic posture of their WebLogic deployments. Restricting t3, t3s and iiop to trusted networks with a WebLogic connection filter (weblogic.security.net.ConnectionFilterImpl) reduces exposure in the meantime, but it is not a substitute for the patch. Proactive exposure management remains critical, as unpatched enterprise middleware continues to be a top target for opportunistic and state-sponsored threat actors alike.
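The exposure check above, as an added example that is not code from The Hacker News, HackMyIP or Oracle: a small Python probe that sends the plain-text T3 greeting to a WebLogic listen port and parses the HELO reply. The target list and the sample reply are constructed for illustration; the AFFECTED_LINES tuple reflects the two release lines this example assumes Oracle's July 2024 CPU advisory names for the CVE, and the banner can only tell you the release line, so a hit still has to be confirmed on the host with OPatch.

```python
"""T3 exposure probe for Oracle WebLogic listen ports (added example)."""
import re
import socket
import sys

# Client-side T3 greeting: protocol tag and version, then the abbreviation-size,
# header-length and message-size parameters, terminated by a blank line.
T3_HANDSHAKE = b"t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n"

# Release lines this example assumes are named for CVE-2024-21182 in the
# July 2024 CPU advisory (assumption; check the advisory for your estate).
AFFECTED_LINES = ("12.2.1.4", "14.1.1.0")

# A server that accepts T3 answers with a HELO line carrying its version.
HELO_RE = re.compile(rb"^HELO:(?P<version>\d+(?:\.\d+)+)")

# Constructed reply in the shape a 12.2.1.4.0 server returns. The trailing
# boolean and the AS/HL/MS lines echo the negotiation, not the patch level.
SAMPLE_HELO = b"HELO:12.2.1.4.0.false\nAS:2048\nHL:19\nMS:10000000\n\n"


def parse_t3_reply(reply: bytes) -> dict:
    """Classify a raw reply to the T3 greeting.

    A HELO line means the port negotiated T3 with this client; anything else
    (LGIN/UNAV from a filtered server, a TLS alert, an HTTP error, nothing at
    all) means T3 was not negotiated, and the first bytes are kept as a banner.
    """
    first_line = reply.split(b"\n", 1)[0]
    m = HELO_RE.match(first_line)
    if not m:
        return {"t3": False, "version": None,
                "banner": first_line[:32].decode("latin-1", "replace")}
    version = m.group("version").decode("ascii")
    return {
        "t3": True,
        "version": version,
        "banner": first_line.decode("ascii", "replace"),
        # True only says the release line is in scope; patch level is unknown.
        "affected_line": any(version.startswith(p) for p in AFFECTED_LINES),
    }


def probe_t3(host: str, port: int = 7001, timeout: float = 5.0) -> dict:
    """Connect, send the T3 greeting and classify whatever comes back."""
    result = {"host": host, "port": port, "t3": False, "version": None, "banner": ""}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(T3_HANDSHAKE)
            reply = s.recv(1024)
    except OSError as exc:  # refused, filtered, reset or timed out
        result["banner"] = f"error: {exc}"
        return result
    result.update(parse_t3_reply(reply))
    return result


def format_finding(r: dict) -> str:
    """One line per target, with the follow-up a practitioner needs."""
    where = f"{r['host']}:{r['port']}"
    if not r["t3"]:
        return f"{where}  T3 not negotiated ({r['banner'] or 'no reply'})"
    if r["affected_line"]:
        note = "affected release line, confirm July 2024 CPU with opatch lsinventory"
    else:
        note = "release line outside this CVE's scope, likely out of support, still exposed"
    return f"{where}  T3 exposed, WebLogic {r['version']}: {note}"


if __name__ == "__main__":
    # Usage: python t3probe.py host[:port] ...   (defaults to 127.0.0.1:7001)
    for target in sys.argv[1:] or ["127.0.0.1"]:
        host, _, port = target.partition(":")
        print(format_finding(probe_t3(host, int(port or 7001))))
```

Only run this against hosts you are authorized to test. A `T3 exposed` result on an internet-facing address is the finding the article is about: the port should not be speaking T3 to arbitrary clients at all, whatever the patch level turns out to be.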

Source: The Hacker News →
