CISA Warns WebLogic Bug Exploited Two Years After Patch

CISA KEV – CISA has added CVE-2024-21182 to its Known Exploited Vulnerabilities catalog after confirming active exploitation. Oracle patched the issue in July 2024, but unpatched Oracle WebLogic servers still expose remote attackers—prompting urgent action for federal ag
For a vulnerability that Oracle fixed in July 2024, the timeline should have ended there. Instead, two years after the problem was recognized and patched, it’s now being actively exploited.
The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-21182 to its Known Exploited Vulnerabilities (KEV) catalog after confirming active exploitation. The message is blunt: what was once a known technical weakness has become an immediate threat that demands remediation.
Oracle says the flaw impacts Oracle WebLogic servers running on two specific versions: 12.2.1.4.0 and 14.1.1.0.0. The risk isn’t theoretical. Oracle describes how any unauthenticated attacker can gain remote access by using exposed T3 and IIOP protocols. Once attackers successfully exploit the vulnerability, they can obtain full access to all data accessible through the server.
CISA’s KEV listing brings the issue into the category of high-priority threats—one that federal agencies must treat as urgent. It also functions as a wider warning aimed at the private sector, where many systems are still not updated.
Oracle’s patch was released in July 2024, but CISA’s latest alert points to a persistent problem: enough organizations have not applied it. That delay has left an entry point open for exploitation “recently observed,” turning a past fix into a current emergency.
The underlying issue is the role WebLogic Server plays in enterprise systems. Oracle WebLogic Server is an enterprise-grade Java application server used to deploy and handle demanding applications for large-scale business or government systems. It typically sits at the core of application delivery—handling requests, processing logic, and connecting to critical databases—so a remote foothold can become more than just access. It can become a springboard.
CVE-2024-21182 involves remote access through exposed T3 and IIOP protocols, which are used on the server for Remote Method Invocation (RMI), a way for Java programs to communicate with different endpoints. Because these protocols can be internet-facing and always reachable, threat actors can exploit the vulnerability to gain a direct foothold in connected environments. From there, access to internal data could open the door to multiple cyberattacks.
CISA’s move also adds urgency beyond the technical details. Even with a reported CVSS base score of 7.5 and Oracle’s fix from July 2024, the vulnerability remains unpatched in practice.
Shodan data cited in the alert underscores the scale of that exposure: over 1,592 Oracle WebLogic servers remain vulnerable to exploitation of this flaw. Of those, 961 still run version 12.2.1.4.0, while 631 run version 14.1.1.0.0.
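The two facts the article gives defenders to act on are the affected release strings (12.2.1.4.0 and 14.1.1.0.0) and the exposure path (T3 and IIOP channels reachable from outside). The script below is an added example, not code from the article, Oracle or CISA: it triages a WebLogic inventory against exactly those criteria so the hosts that match both conditions surface first. The inventory format, field names, hostnames and port lists are constructed for the demonstration; only the version list and protocol names come from the article.

```python
"""Triage a WebLogic inventory against the CVE-2024-21182 criteria.

Added example (not from the article or from Oracle/CISA). It assumes an
inventory with one record per WebLogic instance carrying the reported
release string, the protocols its network channels listen on, and whether
it is internet-facing. Hostnames and records below are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Release strings the article reports as affected (exact versions only).
AFFECTED_VERSIONS = {"12.2.1.4.0", "14.1.1.0.0"}

# Protocols the article names as the unauthenticated remote access path.
# Extend this set if your channel inventory uses other protocol labels.
RISKY_PROTOCOLS = {"t3", "iiop"}

# Remediation priorities, lowest number first.
PRIORITY_ORDER = {"critical": 0, "high": 1, "patch": 2, "review": 3, "none": 4}


@dataclass(frozen=True)
class WebLogicHost:
    name: str
    version: str               # release string as exported from the inventory
    protocols: FrozenSet[str]  # protocols listening on the host's channels
    internet_facing: bool      # reachable from outside the organisation


def parse_version(raw: str) -> Optional[Tuple[int, ...]]:
    """Normalise ' 12.2.1.4.0 ' to (12, 2, 1, 4, 0).

    Returns None for anything that is not dot-separated integers, so an odd
    release string is flagged for review instead of silently passing.
    """
    try:
        return tuple(int(p) for p in raw.strip().split("."))
    except ValueError:
        return None


_AFFECTED_PARSED = {parse_version(v) for v in AFFECTED_VERSIONS}


def is_affected_version(raw: str) -> bool:
    """True only for an exact match against the affected release list."""
    parsed = parse_version(raw)
    return parsed is not None and parsed in _AFFECTED_PARSED


def triage(host: WebLogicHost) -> Tuple[str, str]:
    """Return (priority, reason) for one host.

    Highest priority goes to an affected release with T3/IIOP reachable from
    the internet, which is the exposure the KEV listing is about.
    """
    if parse_version(host.version) is None:
        return ("review", "unparseable version string; confirm release manually")
    if not is_affected_version(host.version):
        return ("none", "release not in the affected list")
    exposed = sorted(host.protocols & RISKY_PROTOCOLS)
    if not exposed:
        return ("patch", "affected release, but no T3/IIOP channel listening")
    if host.internet_facing:
        return ("critical", f"affected release with internet-facing {exposed}")
    return ("high", f"affected release with internal {exposed}")


def remediation_plan(hosts: List[WebLogicHost]) -> List[Tuple[str, str, str]]:
    """Rows of (host, priority, reason), most urgent first, stable by name."""
    rows = [(h.name, *triage(h)) for h in hosts]
    return sorted(rows, key=lambda r: (PRIORITY_ORDER[r[1]], r[0]))


# Constructed sample inventory: names, channels and exposure are made up.
SAMPLE_INVENTORY = [
    WebLogicHost("wls-dmz-01", "12.2.1.4.0", frozenset({"http", "t3"}), True),
    WebLogicHost("wls-app-07", "14.1.1.0.0", frozenset({"http", "iiop"}), False),
    WebLogicHost("wls-app-08", " 14.1.1.0.0 ", frozenset({"http"}), False),
    WebLogicHost("wls-new-01", "14.1.2.0.0", frozenset({"http", "t3"}), True),
    WebLogicHost("wls-legacy", "12.2.1.4.0-custom", frozenset({"t3"}), True),
]

if __name__ == "__main__":
    for name, priority, reason in remediation_plan(SAMPLE_INVENTORY):
        print(f"{priority:9} {name:12} {reason}")
```

The ordering matters more than the labels: the hosts listed as `critical` are the ones Shodan-style counts like the article's would find, so they are where the patch window should be spent first. A host on an affected release with no T3/IIOP channel still needs the fix; it simply is not the one exposing the unauthenticated path the article describes.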
The pressure now falls hardest on federal agencies. CISA warns that the vulnerability “poses significant risks to all federal agencies using the vulnerable servers.” It also urges “all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice.”
Federal agencies have until June 4 to patch their WebLogic servers using guidelines provided by Oracle, under the mandate of the Binding Operational Directive 22-01. The deadline is tight, and it reflects how seriously CISA views the gap between a released patch and real-world deployment.
What makes this situation so uncomfortable is the contradiction baked into the calendar: a fix issued in July 2024 should have reduced the risk. Instead, CISA’s confirmation of active exploitation—and the continued presence of vulnerable servers—shows how quickly “known” can become “ongoing.”
So wait, they patched it in July 2024 and now it’s “two years after”? Seems like someone dropped the ball. Or it’s just the usual nobody updates stuff.
WebLogic is like… what my cousin says his company used, and he never updates anything. This feels like another reminder that “patched” doesn’t mean patched everywhere. Remote access is scary though.
I don’t get why CISA is only warning now. If it affects just two WebLogic versions, then why is it still a thing? Sounds like it’s mostly older companies that didn’t migrate, and now they’re shocked.
KEV catalog sounds like a fancy way to say “oops we noticed too late.” Also T3 and IIOP… those are like network ports right? If an attacker can get full access to all data, then how is the patch not instantly everywhere? I swear these updates never actually land.