Shodan now tracks over 1,592 Oracle WebLogic servers exposed online and vulnerable to CVE-2024-21182 exploits — a figure that helps explain why the U.S. Cybersecurity and Infrastructure Security Agency (CISA) moved this week to force a federal patching deadline.
CVE-2024-21182 and Oracle WebLogic Server
The vulnerability in question is tracked as CVE-2024-21182 and affects Oracle WebLogic Server installations. According to Oracle's July 2024 advisory when the vendor released patches, the flaw can be exploited remotely by threat actors with no privileges in low-complexity attacks targeting systems running Oracle WebLogic Server versions 12.2.1.4.0 and 14.1.1.0.0.
Oracle characterized the issue bluntly: "Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server." The vendor also warned that "Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data."
CISA's Binding Operational Directive 22-01: deadline, scope, and order
On Thursday, CISA added CVE-2024-21182 to its catalog of security flaws "exploited in attacks" and ordered federal agencies to patch their WebLogic servers by midnight on Thursday, June 4, as mandated by Binding Operational Directive (BOD) 22-01. The directive, as noted by CISA, applies only to federal agencies; nonetheless, the agency "urged all network defenders, including those in the private sector, to patch their systems against ongoing CVE-2024-21182 attacks as soon as possible."
CISA framed the move as risk-mitigation for the federal enterprise and offered specific operational advice: "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable." The agency also warned that "This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise."
Internet exposure: Shodan’s tally of vulnerable servers
The public internet-scanning platform Shodan reports 1,592 accessible Oracle WebLogic servers that match the vulnerable versions. Shodan’s breakdown lists 961 servers running version 12.2.1.4.0 and 631 servers running version 14.1.1.0.0. Those counts illustrate a sizeable online footprint of systems that, if unpatched, could be remotely attacked without authentication using T3 or IIOP network access.
Oracle’s patch history and related CISA actions
Oracle released security patches for CVE-2024-21182 in July 2024. The CISA action this week is not isolated: in October the cybersecurity agency ordered government agencies to patch an unauthenticated server-side request forgery (SSRF) vulnerability, CVE-2025-61884, in Oracle E-Business Suite after flagging it as actively exploited in the wild. More recently, in March, Oracle released an out-of-band security update to fix a critical unauthenticated remote code execution vulnerability (CVE-2026-21992) in Identity Manager and Web Services Manager; when BleepingComputer reached out to Oracle about the exploitation status of CVE-2026-21992, Oracle declined to comment.
CISA also reported a broader pattern: over the last several years the agency "has flagged 43 vulnerabilities across various Oracle products as exploited in the wild, 12 of which have been abused in ransomware attacks."
How federal agencies, private network defenders, and security teams are positioned
- Federal agencies: They face a hard deadline under BOD 22-01 to patch by midnight on June 4 and must follow CISA’s instruction to apply vendor mitigations, follow cloud guidance, or discontinue use if no mitigations exist.
- Private network defenders and enterprises: Although BOD 22-01 does not bind them, CISA explicitly "urged all network defenders" to patch as soon as possible given active exploitation; the Shodan exposure numbers give these teams a metric for prioritizing discovery and remediation.
- Security operations and incident response teams: The combination of an "easily exploitable" unauthenticated vector and an internet-visible population of vulnerable servers increases the likelihood that detection and containment playbooks will be needed; CISA’s historical flagging of similar Oracle flaws, including those used in ransomware, underscores that exploitation can lead to data compromise or broader access.
What remains immediate and concrete is the deadline: federal agencies must act by June 4, and organizations with exposed WebLogic instances face a clear choice echoed in CISA’s guidance — apply vendor mitigations, follow cloud-specific BOD guidance, or remove the product from service if no mitigation is available. The Shodan count — 961 instances on one supported version and 631 on another — gives urgency to that choice, because the vulnerability is both patched and, according to CISA, actively exploited.




