
CRITICAL: Oracle WebLogic CVE-2024-21182 on CISA KEV — Ransomware Delivery Confirmed, Federal Deadline June 4

CISA added CVE-2024-21182 to the KEV catalogue on 1 June after honeypots confirmed ransomware delivery through unauthenticated code execution over Oracle WebLogic's T3/IIOP protocols. Although a patch has been available since January 2024, unpatched WebLogic deployments are being actively targeted. Organisations running WebLogic 12.2.1.4.0 or 14.1.1.0.0 must patch immediately.


Situation

CISA confirmed on 1 June 2026 that CVE-2024-21182 — an unauthenticated remote code execution vulnerability in Oracle WebLogic Server via the T3 and IIOP protocols — is being actively exploited. Despite Oracle publishing a patch in January 2024, a significant population of enterprise WebLogic deployments has not applied the Critical Patch Update. Threat intelligence honeypots are recording delivery of Cobalt Strike beacons and Sodinokibi ransomware via this vulnerability.

Oracle WebLogic Server is the Java EE application server underlying Oracle Fusion Middleware, Oracle E-Business Suite, SOA Suite, and many custom enterprise Java applications. Affected versions: 12.2.1.4.0 and 14.1.1.0.0.

Business Impact

Successful exploitation provides unauthenticated remote code execution on the WebLogic application server. Consequences include:

  • Application data access: WebLogic hosts business-critical applications; server compromise provides access to all application data and database credentials
  • Ransomware deployment: Confirmed delivery of ransomware payloads following initial access, consistent with double-extortion ransomware operational patterns
  • Lateral movement: WebLogic server credentials and network position typically allow access to adjacent database and application infrastructure

Organisations in financial services and healthcare — which commonly run Oracle Fusion Middleware for core business processes — face the highest exposure.

Required Actions

Immediate:

  1. Identify all Oracle WebLogic Server installations running versions 12.2.1.4.0 or 14.1.1.0.0
  2. Apply the Oracle Critical Patch Update from January 2024 or the most recent CPU (which supersedes it)
  3. If immediate patching is not possible: block TCP 7001 (T3/IIOP) at the network perimeter — WebLogic T3 should never be internet-accessible in production
  4. Review WebLogic server logs for deserialization exception events that may indicate prior exploitation attempts

Federal agencies: CISA directive deadline is June 4, 2026.
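A small triage script for steps 1 and 4 above, added here as an illustration and not part of the briefing or of any Oracle tooling. It flags inventory entries on the two affected versions named in the briefing and scans WebLogic-style server log records for deserialization rejections. The inventory tuples, the log lines, their BEA message ids and the `DESER_INDICATORS` list are constructed for the example; treat the indicator list as a starting point for a hunt, not as an exhaustive signature set.

```python
"""Triage helpers for the Required Actions list: inventory review (step 1)
and server-log review for deserialization exceptions (step 4)."""
import re
from dataclasses import dataclass

# Versions the briefing names as affected by CVE-2024-21182.
AFFECTED_VERSIONS = {"12.2.1.4.0", "14.1.1.0.0"}

# Substrings that mark a rejected or failed object deserialization in a Java /
# WebLogic server log. "filter status: REJECTED" is the text the JDK
# serialization filter emits when it blocks a class; the others are generic.
# ASSUMPTION: illustrative list, not a complete signature set.
DESER_INDICATORS = (
    "java.io.InvalidClassException",
    "filter status: REJECTED",
    "ObjectInputStream",
)

# WebLogic server-log record layout:
#   <timestamp> <severity> <subsystem> <message id> <message text>
# The final group is greedy so '>' characters inside the message are kept.
LOG_RE = re.compile(
    r"^<(?P<ts>[^>]+)> <(?P<sev>[^>]+)> <(?P<sub>[^>]+)> <(?P<id>[^>]+)> <(?P<msg>.*)>$"
)

# Constructed sample log (not captured from a real server).
SAMPLE_LOG = """\
<Jun 1, 2026, 10:14:02 AM UTC> <Info> <Server> <BEA-002613> <Channel "Default" is now listening on 10.0.0.5:7001 for protocols iiop, t3, ldap, snmp, http.>
<Jun 1, 2026, 10:15:41 AM UTC> <Error> <RJVM> <BEA-000503> <Incoming message header or abbreviation processing failed. java.io.InvalidClassException: filter status: REJECTED>
<Jun 1, 2026, 10:16:03 AM UTC> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING.>
"""

# Constructed inventory: (hostname, WebLogic version string).
SAMPLE_INVENTORY = [
    ("wls-fin-01", "12.2.1.4.0"),
    ("wls-hr-02", "14.1.2.0.0"),
    ("wls-soa-03", "14.1.1.0.0"),
]


@dataclass
class Finding:
    timestamp: str
    subsystem: str
    message_id: str
    message: str


def affected_hosts(inventory):
    """Return the hostnames whose reported version is in AFFECTED_VERSIONS."""
    return sorted(host for host, ver in inventory if ver.strip() in AFFECTED_VERSIONS)


def deserialization_events(log_lines):
    """Parse WebLogic-style log records and keep those whose message text
    contains a deserialization indicator. Lines that do not match the record
    layout (stack-trace continuation lines, blank lines) are skipped."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        msg = m.group("msg")
        if any(ind in msg for ind in DESER_INDICATORS):
            findings.append(Finding(m.group("ts"), m.group("sub"), m.group("id"), msg))
    return findings


if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"PATCH REQUIRED: {host}")
    for f in deserialization_events(SAMPLE_LOG.splitlines()):
        print(f"REVIEW: {f.timestamp} [{f.subsystem} {f.message_id}] {f.message}")
```

On a real estate, feed `affected_hosts` the version strings from your CMDB or from each server's own version report, and point `deserialization_events` at the managed-server `.log` files rather than `SAMPLE_LOG`; a hit on the T3 listener around the time of an external connection is the event worth escalating to incident response, while a clean log does not by itself prove the host was never exploited.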

Context

CVE-2024-21182 is the latest in a long series of critical Oracle WebLogic T3/IIOP deserialization vulnerabilities (CVE-2019-2725, CVE-2020-2551, CVE-2021-2394, CVE-2023-21839). The T3 and IIOP protocols should not be internet-accessible on any production WebLogic server — blocking these ports is a defence-in-depth control that reduces the impact of every past and future WebLogic deserialization vulnerability.