CISA orders patches for exploited Oracle WebLogic bug

CISA has added CVE-2024-21182, a high-severity Oracle WebLogic Server vulnerability patched in July 2024, to its list of actively exploited flaws and ordered federal agencies to patch by midnight Thursday, June 4 under BOD 22-01. The bug is remotely exploitabl
It’s been two years since the fix for a high-severity Oracle WebLogic Server vulnerability first became available. But attackers haven’t moved on.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has now ordered federal agencies to secure their systems after adding CVE-2024-21182 to its catalog of security flaws exploited in attacks. The deadline is midnight on Thursday, June 4, mandated by Binding Operational Directive (BOD) 22-01.
CVE-2024-21182 affects Oracle WebLogic Server, an enterprise-grade Java app server used as middleware for large, multi-tier distributed applications. The flaw can be exploited remotely by threat actors with no privileges, using low-complexity attacks against systems running Oracle WebLogic Server versions 12.2.1.4.0 and 14.1.1.0.0.
Oracle described the risk plainly when it released patches for the issue in July 2024. It said the vulnerability is “Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server.” Oracle added that “Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data.”
The urgency isn’t theoretical. Internet intelligence platform Shodan is tracking more than 1,592 Oracle WebLogic servers exposed online and vulnerable to CVE-2024-21182 exploits—961 running version 12.2.1.4.0 and 631 running version 14.1.1.0.0.
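For defenders doing their own inventory of the exposure the article describes, the practical question is which WebLogic listeners in their estate speak T3 and report one of the two affected versions. The script below is an added example, not code from the article, CISA or Oracle: it parses the short text banner a WebLogic T3 listener returns during its handshake (first line `HELO:<version>.<flag>`, then `key:value` lines, as commonly observed; the exact format is an assumption here) and flags versions that match the article's list. The hostnames and captured banners are constructed sample data. A match means "review this host", not "confirmed vulnerable": Oracle's Critical Patch Updates do not change the base version string, so a patched 12.2.1.4.0 server reports the same version as an unpatched one and patch status has to be confirmed from the server's patch inventory.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Versions named in the article as affected by CVE-2024-21182 (Oracle July 2024 CPU).
AFFECTED_VERSIONS = {"12.2.1.4.0", "14.1.1.0.0"}

# A WebLogic T3 listener answers the client handshake with a text banner whose
# first line looks like "HELO:12.2.1.4.0.false" (version, then a boolean flag),
# followed by key:value lines and a blank line.  Format assumed from commonly
# observed captures; adjust the pattern if your servers differ.
HELO_RE = re.compile(r"^HELO:(?P<version>\d+(?:\.\d+)+)\.(?P<flag>true|false)", re.M)


@dataclass
class T3Banner:
    version: str
    fields: Dict[str, str] = field(default_factory=dict)


def parse_t3_banner(raw: bytes) -> Optional[T3Banner]:
    """Parse a captured T3 HELO banner; return None if the bytes are not a T3 reply."""
    text = raw.decode("ascii", errors="replace")
    m = HELO_RE.search(text)
    if not m:
        return None
    fields: Dict[str, str] = {}
    # Remaining header lines up to the first blank line are "KEY:value" pairs.
    for line in text.splitlines()[1:]:
        if not line.strip():
            break
        key, sep, value = line.partition(":")
        if sep:
            fields[key] = value
    return T3Banner(version=m.group("version"), fields=fields)


def triage(host: str, raw: bytes) -> dict:
    """Classify one captured response: is it T3, which version, does it need review?"""
    banner = parse_t3_banner(raw)
    if banner is None:
        return {"host": host, "t3": False, "version": None, "review": False}
    # Only the versions the article lists are flagged; unlisted versions are not
    # declared safe by this check, they simply fall outside its scope.
    return {
        "host": host,
        "t3": True,
        "version": banner.version,
        "review": banner.version in AFFECTED_VERSIONS,
    }


# Constructed sample captures (hypothetical hosts, not real systems).
SAMPLES = {
    "wls-a.example.test": b"HELO:12.2.1.4.0.false\nAS:2048\nHL:19\nMS:10000000\nPN:DOMAIN\n\n",
    "wls-b.example.test": b"HELO:14.1.1.0.0.false\nAS:2048\nHL:19\nMS:10000000\n\n",
    "wls-c.example.test": b"HELO:12.2.1.3.0.false\nAS:2048\nHL:19\nMS:10000000\n\n",
    "web-d.example.test": b"HTTP/1.1 400 Bad Request\r\n\r\n",
}


def triage_all(samples: Dict[str, bytes] = SAMPLES) -> List[dict]:
    """Run triage over every captured banner and return the per-host results."""
    return [triage(host, raw) for host, raw in samples.items()]


if __name__ == "__main__":
    for result in triage_all():
        status = "REVIEW" if result["review"] else ("t3" if result["t3"] else "not-t3")
        print(f"{result['host']:<22} {result['version'] or '-':<12} {status}")
```

Hosts flagged REVIEW are the ones to check against the vendor's July 2024 patch inventory; hosts that answer T3 at all on an internet-facing interface are worth a second look regardless of version, since the article's Shodan figures count exactly that kind of exposure.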
Because BOD 22-01 applies only to federal agencies, CISA’s order targets that community first. Still, the agency urged all network defenders, including those in the private sector, to patch their systems against ongoing CVE-2024-21182 attacks as soon as possible.
“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” CISA warned. It told agencies to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations aren’t available.
There’s a wider pattern to the pressure CISA is applying to Oracle environments. In October, the agency ordered government agencies to patch an unauthenticated server-side request forgery (SSRF) vulnerability—CVE-2025-61884—in Oracle E-Business Suite after flagging it as actively exploited in the wild. More recently, in March, Oracle released an out-of-band security update to fix a critical unauthenticated remote code execution vulnerability—CVE-2026-21992—in Identity Manager and Web Services Manager. When asked about exploitation status, Oracle declined to comment.
Over the last several years, CISA has flagged 43 vulnerabilities across various Oracle products as exploited in the wild, with 12 of them abused in ransomware attacks.
For defenders, this latest directive lands with an uncomfortable message: even widely patched flaws can stay dangerous when networks lag behind. The clock is now explicit, and the internet exposure numbers underline what that means in practice.
So like… what is WebLogic?? Is this the same thing as WiFi??
I saw “CISA orders patches” and my first thought was they’re finally doing something. But midnight June 4 like… why is it always midnight deadlines??
Wait didn’t Oracle already patch it in July 2024? Seems like attackers would have moved on, so it’s weird they’re still hitting it. Also 1,592 exposed servers… how are those even accessible? Sounds like bad admin choices to me.
These “unauthenticated attackers” always make me laugh, like just patch and it’s fine. But if it’s remotely exploitable, then it’s basically already compromised. Shodan tracking servers exposed online sounds like half the problem is people not checking their ports, not “threat actors.”