Skip to main content
Emerging Threats

CISA Flags Oracle WebLogic Flaw as Actively Exploited

Server equipment on a rack in a brightly-lit government agency setting.
CVE-2024-21182, a WebLogic Server flaw rated 7.5 by CVSS, was added to CISA’s Known Exploited Vulnerabilities Catalog after the agency said there was evidence the bug was being exploited — and federal civilian agencies were told to apply fixes by June 4, 2026.

CISA’s action: KEV listing and the federal deadline

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added CVE-2024-21182 to its Known Exploited Vulnerabilities (KEV) Catalog "based on evidence of active exploitation," the agency said. CISA’s notice paired the KEV addition with a firm operational instruction for Federal Civilian Executive Branch (FCEB) agencies: apply necessary fixes by June 4, 2026, to secure their networks.

CISA characterized the flaw as high severity (CVSS score: 7.5) and explicitly linked the listing to observed exploitation activity — the threshold CISA uses to move vulnerabilities into the KEV catalog and trigger mandatory remediation timelines for covered federal agencies.

Scope of the vulnerability: unauthenticated access via T3 and IIOP

CISA summarized the technical reach of CVE-2024-21182 with a direct vendor-centered description: "Oracle WebLogic contains an unspecified vulnerability that could allow an unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server." The agency warned that "successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data."

Oracle issued a patch for the vulnerability in July 2024, according to CISA’s advisory — making the KEV listing a statement that exploit activity has been observed despite an available vendor fix.

No public exploitation reports — but a pattern of weaponization

CISA noted that "there are currently no public reports about how the vulnerability is being exploited in the wild." At the same time, the advisory placed the new KEV entry in the context of a well-established pattern: prior WebLogic vulnerabilities "have been repeatedly weaponized by various threat actors to enlist them into botnets, mine cryptocurrency, and deploy ransomware."

Those historical uses underscore why CISA treats observed exploitation as warranting elevated response and why federal agencies are being given a short remediation window even months after a vendor patch was released.

Related incident: CloudSEK disclosure of CVE-2026-21962 automated attempts

Separately, the advisory noted an earlier March disclosure by CloudSEK concerning a different WebLogic flaw: CVE-2026-21962, a maximum-severity issue with a CVSS score of 10.0. CloudSEK reported that this flaw "witnessed automated exploitation attempts shortly after exploit code became publicly available," a sequence that highlights the speed at which exploit code can provoke automated, high-volume attacks.

What this means for FCEB agencies, technologists, and affected enterprises

  • Federal Civilian Executive Branch agencies: CISA’s action imposes a concrete compliance requirement — apply the available Oracle fixes by June 4, 2026. The KEV listing converts observed exploitation into an operational deadline for covered agencies.
  • Technologists and security teams: the advisory combines three facts worth attention — active exploitation evidence, an available July 2024 Oracle patch, and a history of WebLogic flaws being weaponized for botnets, crypto-mining, and ransomware. Those data points underline the rationale for urgent patching and monitoring for post-compromise activity.
  • Affected enterprises and procurement leaders: the combination of an available patch, public KEV listing, and prior incidents of automated exploitation after public disclosure (as seen with CVE-2026-21962) serves as an operational signal to prioritize remediation where WebLogic Server instances remain in service.

The KEV listing of CVE-2024-21182 crystallizes a familiar dynamic: vendor fixes can exist for months, but the discovery or escalation of exploitation can suddenly convert a known bug into an immediate, mandated response. Whether public reporting will surface details about the exploit chains or the threat actors involved remains to be seen; for now, the federal deadline and CISA’s explicit wording leave little ambiguity about the urgency of patching WebLogic Server instances.

Original story