CISA Adds 2-Year-Old Oracle WebLogic Flaw CVE-2024-21182 to KEV Amid Active Exploitation

The story here is not a new vulnerability. It is a fix that has existed since July 2024 sitting undeployed on internet-facing servers long enough to earn a federal mandate to install it — the canonical failure mode of enterprise patching.

WASHINGTON — On June 1, 2026, the U.S. Cybersecurity and Infrastructure Security Agency added CVE-2024-21182, a high-severity Oracle WebLogic Server vulnerability, to its Known Exploited Vulnerabilities catalog, citing evidence of active exploitation in the wild. Oracle had already patched the flaw nearly two years earlier, in its July 2024 Critical Patch Update.

The KEV listing carries a Binding Operational Directive 22-01 deadline of June 4, 2026 for Federal Civilian Executive Branch agencies — a notably short window — and CISA urged defenders everywhere to apply Oracle's fix as soon as possible.

What Happened

CISA added CVE-2024-21182 to the Known Exploited Vulnerabilities catalog on Monday, June 1, 2026, on the basis of evidence that the flaw is being exploited in the wild. The vulnerability carries a CVSS score of 7.5 and affects Oracle WebLogic Server, the Java application server embedded deep in countless enterprise software stacks. In CISA's own words, it is 'an unspecified vulnerability that could allow an unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server,' and 'successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data.' Oracle had shipped a fix in its July 2024 Critical Patch Update, almost two years before the listing.

The KEV addition triggers a Binding Operational Directive 22-01 obligation for Federal Civilian Executive Branch agencies to remediate, with a deadline of June 4, 2026 — a tight three-day turn that signals how seriously CISA is treating the exposure — and the agency urged all network defenders, public and private, to patch as soon as possible. One caveat is worth stating plainly: CISA added the flaw on its own evidence of exploitation, but there are no public reports describing how the vulnerability is actually being weaponized, so the mechanics of the in-the-wild attacks are not yet known.

What CVE-2024-21182 Actually Allows

Precision matters here, because the coverage and the score do not entirely agree. Several outlets describe CVE-2024-21182 as an 'unauthenticated remote code execution' flaw, and the practical risk is real, but CISA's own language and the CVSS 7.5 rating point to something narrower than full RCE. CISA says the flaw lets an unauthenticated attacker reach WebLogic over the T3 or IIOP protocols — the proprietary remoting protocols WebLogic exposes — and 'compromise' the server, with the concrete consequence being 'unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data.' That is a confidentiality-impact description: an attacker reading data they should not be able to reach. A clean unauthenticated RCE in this software would typically carry a near-maximum score, not a 7.5. The honest framing is that this is a serious unauthenticated data-compromise flaw reachable over WebLogic's remoting protocols, and defenders should treat it as such without inflating it into confirmed code execution the advisory does not claim.

A Patch Available Since July 2024

The editorial center of gravity is the calendar. Oracle fixed CVE-2024-21182 in its July 2024 Critical Patch Update, which means a remediation has been available for roughly two years. WebLogic is exactly the kind of software where that gap opens: it sits underneath banking, telecom, ERP and government Java applications, often on infrastructure an organization considers 'stable' precisely because nobody touches it. That hands-off posture is what keeps a two-year-old patch undeployed on internet-facing servers — and public scanning at the time of the listing indicated on the order of 1,600 WebLogic instances still exposed and in scope. It is the same patched-but-not-deployed failure mode behind this cycle's active-exploitation cluster, from the Palo Alto GlobalProtect authentication bypass under active exploitation to the FortiClient EMS flaw pushing the EKZ credential stealer — and the broader trend Verizon's 2026 DBIR captured when vulnerability exploitation overtook credential theft as the top initial-access vector.

The 22-01 Clock and the Wider KEV Cluster

For federal agencies, the BOD 22-01 deadline of June 4 is a hard obligation, and the three-day window is short by KEV standards. But the listing is a signal for everyone else too. It joins a run of KEV-driven federal patch mandates The CyberSignal has tracked this cycle — the Ivanti EPMM zero-day with its own KEV deadline, the cPanel flaw that drew a federal patch mandate, and the Linux kernel privilege-escalation bug CISA added to KEV — each a reminder that a KEV entry is the clearest public signal that a flaw has crossed from theoretical to operational. Prior WebLogic vulnerabilities have a long history of weaponization for botnets, cryptocurrency mining and ransomware, and the platform's deserialization-style exposure rhymes with enterprise-infrastructure flaws like the Microsoft SharePoint deserialization RCE — so the population of unpatched, internet-exposed WebLogic servers is precisely the kind of target attackers return to.

Scope and Impact

The reason the KEV listing matters beyond the federal deadline is that organizations routinely underestimate their WebLogic footprint. The server is embedded across the Oracle stack — Oracle E-Business Suite, Siebel, PeopleSoft and Fusion Middleware all ship or depend on it — and it frequently runs inside third-party and vendor-hosted environments an organization does not directly administer. An accurate inventory therefore has to reach past the WebLogic instances a team knows it runs to the ones bundled inside other products and managed by others. Every one of those instances exposed to a network over T3 or IIOP is a candidate for CVE-2024-21182.

The exploitation hedge cuts in the defender's favor on prioritization but not on urgency. Because there are no public reports of how the flaw is being exploited, defenders cannot yet hunt on a known exploitation signature or a published indicator set; what they can do is treat reachability as the risk. An internet-facing WebLogic server still on a pre-July-2024 patch level should be considered exposed regardless of whether a specific attack has touched it, and the absence of public exploitation detail is a reason to move faster, not slower — it means the window in which defenders can act on advisory information rather than incident forensics is still open.

Response and Attribution

The response is an inventory-then-patch workflow. Enumerate every WebLogic instance — production, dev and test, and the copies embedded inside Oracle E-Business Suite, Siebel, PeopleSoft and Fusion Middleware or hosted by third parties — and verify each against the July 2024 Critical Patch Update level that contains the CVE-2024-21182 fix. For any instance that cannot be patched immediately, restrict network access to the WebLogic admin and application ports and, in particular, limit exposure of the T3 and IIOP protocols, which are the documented attack surface; those protocols rarely need to be reachable from untrusted networks and are a sensible thing to firewall off regardless. Treat any unpatched, internet-exposed instance as compromised-until-proven-otherwise, pull and review its logs, and prioritize the federal June 4 deadline if BOD 22-01 applies to your organization.

On attribution and hunting, the honest position is constrained by what is public. No actor has been named, and CISA has not described the exploitation method. What the historical record supplies is a pattern rather than an attribution: prior WebLogic flaws have been repeatedly enlisted into botnets, used to mine cryptocurrency and used to deploy ransomware, and a separate maximum-severity WebLogic flaw earlier in 2026 drew automated exploitation attempts within days of public exploit code. SOC teams should therefore hunt on behavior — WebLogic processes spawning shells or unexpected executables, and outbound connections from WebLogic hosts to unfamiliar destinations — and pivot onto specific indicators the moment researchers publish them, rather than waiting for an attribution that may not come.

The CyberSignal Analysis

Signal 01 — The Two-Year Patch Gap Is the Whole Story

It would be easy to file this as another CVE and move on, but the news is not the vulnerability — it is the date. Oracle published a fix in July 2024, and in June 2026 CISA had to compel its installation because the flaw is being exploited against servers that never took the patch. That gap is the recurring 2026 failure mode: the exploitation problem is increasingly not a shortage of patches but a shortage of patch deployment. The actionable lesson for security leaders is to measure the distance between their patch-availability dates and their patch-deployment dates for internet-facing infrastructure, because that distance is precisely the window attackers operate in. A patch that exists but has not been applied provides exactly zero protection, and a two-year-old fix on an exposed server is, in security terms, no fix at all.

Signal 02 — Read the Score: Data Compromise, Not Confirmed RCE

When a flaw is described as letting an unauthenticated attacker 'compromise' a server, the reflex is to call it remote code execution, and several outlets did. But the discipline of reading the advisory and the score pays off here. CISA's description is a confidentiality-impact one — unauthorized access to critical or all WebLogic-accessible data — and the CVSS 7.5 rating is inconsistent with a clean unauthenticated RCE, which would land far higher. That distinction is not pedantry: it changes the threat model from 'attacker is running code on my server' to 'attacker can read data my WebLogic server can reach,' which still demands urgent patching but implies a different blast radius and a different set of compensating controls. Reporting the flaw as what the advisory actually says, rather than as the scarier thing it might be mistaken for, is the difference between calibrated urgency and alarm.

Signal 03 — KEV Is a Federal Mandate and a Universal Signal

The KEV catalog is, formally, a compliance instrument: it triggers a BOD 22-01 obligation for federal civilian agencies, here with a tight June 4 deadline. But its more useful function is as a public, vendor-neutral signal that a vulnerability has crossed from theoretical to operational — that someone, somewhere, is using it. For the private sector, which carries no legal obligation to act on KEV, the rational move is to weight KEV listings heavily in patch prioritization regardless, because the catalog is effectively a curated feed of the flaws most worth fixing first. An organization that treats 'is it in KEV?' as a first-order prioritization input is borrowing CISA's exploitation telemetry for free, and on a two-year-old WebLogic flaw that telemetry is exactly the nudge that should move it to the top of the queue.

Sources