Oracle WebLogic CVE-2024-21182 exploited in the wild; CISA orders a fix

CISA added Oracle WebLogic CVE-2024-21182 to its KEV catalog as exploited in the wild. Data can be read without login; the fix shipped July 2024. What to check now.

News

Makoto Horikawa

Backend Engineer / AWS / Django

2026.06.02 · 7 min read
A flaw that lets attackers read stored data without logging in (CVE-2024-21182) has been confirmed in active use against "Oracle WebLogic Server," the business-server software that quietly powers bank core systems, government back offices, and manufacturing production control. On June 1, 2026 (US time), the US agency CISA added the flaw to its Known Exploited Vulnerabilities (KEV) catalog and ordered federal agencies to remediate by June 4.

The fix itself shipped back in July 2024. The problem is that servers left unpatched and exposed remained, and about a year and a half later, real attacks were finally observed. This article walks through what the flaw is, whether you are affected, and what to do now.

The flaw at a glance

First, the key facts. The CVSS score (an international 0–10 severity scale) is 7.5—not the top tier—but on one point the priority is highest: it is already being used in attacks.

Item            Detail
CVE ID          CVE-2024-21182
Product         Oracle WebLogic Server 12.2.1.4.0 / 14.1.1.0.0
Flaw type       Unauthenticated data read (information disclosure)
Severity        CVSS 7.5 (High)
Login           Not needed (anyone)
Exploitation    Confirmed (on CISA KEV)
Fix             Shipped in July 2024 CPU

"Unauthenticated" means the attack works without logging in. "Information-disclosure" means it does not fully take over the server, but reads the data the server can touch from outside. Even so, banking records or personal data can be read wholesale—not something to take lightly.

When hands reach the foundation through the front door: what gets taken first

What makes this flaw dangerous is that it reaches the contents of a business server directly, slipping past the login wall. The people who put a price on that entry point are initial-access brokers who harvest and resell break-in routes, ransomware crews that extort with stolen data, and nation-state hackers after financial, government, and manufacturing secrets. What they reach for is the very core of an organization: account and transaction records, names and addresses in resident registries, unreleased quarterly results, and production-line design values. The moment CVE-2024-21182 is triggered, the data the server can touch flows out without ever passing the login screen.

Stolen information does not stop at one step. Initial-access brokers sell the read path to ransomware operators for thousands to tens of thousands of dollars, and buyers use that data as a foothold for the next intrusion. Stolen account details and email addresses become tools for convincing fake invoices and partner-impersonation fraud, and one server's fall chains into the takeover of individual customers' and residents' accounts.

The cleanup falls on the IT department that runs the server, and on management. A personal-data breach triggers a duty to report to the Personal Information Protection Commission and notify the individuals, plus explanations to partners, damages, and lost trust. If a financial or government foundation stops, the impact reaches all of society. Whether you can patch now and close the externally open channels is what decides who carries that weight.

What WebLogic actually is

Oracle WebLogic Server is a "Java application server." It keeps an organization's custom business programs (written in Java) running, handles incoming requests, and talks to databases—the "execution foundation." Behind your browser or mobile app, this layer is doing the actual processing.

It is a commercial product from database giant Oracle. In Japan it has been built into financial, public-sector, and large-enterprise core systems through partners such as ITOCHU Techno-Solutions (CTC). Even now that the free Apache Tomcat is widespread, WebLogic remains the choice for core systems that cannot be allowed to stop.

In other words, it is a foundation quietly running near-social-infrastructure processing behind flashier services. Precisely because it goes unnoticed, it tends to keep running untouched for a long time—and to an attacker that makes it a high-value target likely to be old and exposed. This confirmed exploitation means that target is now being hunted for real.

Inside CVE-2024-21182: data read via T3 / IIOP

The flaw sits in WebLogic's Core component. Per Rapid7's analysis and NVD (the US vulnerability database), an attacker uses WebLogic's proprietary "T3" and "IIOP" channels to gain unauthorized access to the data the server can touch—no login and no user action required (CVSS vector AV:N/AC:L/PR:N/UI:N, with high confidentiality impact, C:H).

The key here is "T3" and "IIOP." These are channels WebLogic servers and Java clients use to talk internally; they almost never need to be open to the internet. NVD rates the attack complexity as low (AC:L), and allowing these channels to be reachable from outside is itself a danger sign. It is not a full server takeover, but as the "high" confidentiality rating shows, the important data inside can be read wholesale.

Affected are the Oracle-supported WebLogic Server 12.2.1.4.0 and 14.1.1.0.0. The fix shipped in Oracle's July 2024 quarterly patch (Critical Patch Update, CPU).

Why a "2024 flaw" is dangerous again now

There is a reason about a year and a half passed between the fix and confirmed exploitation. In December 2024, proof-of-concept (PoC) exploit code was published. With an attack recipe anyone could try in circulation, the bar to hunt down and hit unpatched servers dropped sharply.

Then on June 1, 2026, CISA added the flaw to KEV. KEV lists only vulnerabilities confirmed to have been used in real attacks, so the listing is not a mere advisory—it signals actual exploitation. Reporting indicates targeted scanning too, with large volumes of WebLogic-seeking probe traffic observed from a single source.

✓ Confirmed facts

  • CISA added CVE-2024-21182 to KEV and ordered federal agencies to remediate by June 4 (KEV dashboard)
  • The fix shipped in Oracle's July 2024 CPU, and PoC exploit code was published in December 2024 (source)
  • T3 and IIOP, the attack's entry channels, need not be open to the internet—they are internal-facing by design

? Unconfirmed at this time

  • The concrete scale of damage in Japan — no Japan-specific official advisory was confirmed at the time of writing
  • Which threat group is exploiting it — CISA published only the fact of exploitation, not the actor

The timeline so far

[Interactive timeline: fix shipped in Oracle's July 2024 CPU; PoC exploit code published December 2024; CISA KEV listing June 1, 2026; federal remediation deadline June 4, 2026]

What IT departments should check now

The top priority is confirming whether the July 2024 patch is applied. If it is not, or you are unsure, apply it immediately. If you cannot patch right away, restrict T3 and IIOP traffic to internal sources only via the firewall as a stopgap. These channels need not be open to the internet, so just stopping external reach greatly narrows the attack surface.

Since exploitation is confirmed, checking for signs of an existing intrusion is essential. Review access logs and look for T3 or IIOP traffic from unfamiliar sources. If you do not run the server directly but outsource to a system integrator (SIer) or cloud provider, asking about their response is the fastest route: confirm their patch schedule and, if needed, apply network-side access restrictions on your side.
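As an added example (not code from the original article or from Oracle), the two checks in this section in Python: compare a reported WebLogic version against the affected versions named above, and scan a connection log for T3/IIOP connections arriving from outside your internal ranges. The log format, the sample lines, and the RFC 1918 internal ranges are assumptions; adapt them to your own firewall or proxy logs and address plan.

```python
import ipaddress
import re

# Versions the advisory names as affected; anything else is out of scope for this check.
AFFECTED_VERSIONS = {"12.2.1.4.0", "14.1.1.0.0"}

# Assumed-internal ranges (RFC 1918). Replace with your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Protocols that should only ever be seen from internal clients.
INTERNAL_ONLY_PROTOCOLS = {"t3", "t3s", "iiop", "iiops"}

# Constructed sample log in a hypothetical "timestamp src_ip dst_port protocol" layout.
SAMPLE_LOG = """\
2026-06-02T03:14:07Z 10.20.30.40 7001 t3
2026-06-02T03:14:09Z 198.51.100.23 7001 t3
2026-06-02T03:15:01Z 203.0.113.9 7001 iiop
2026-06-02T03:15:44Z 192.168.5.6 7001 http
2026-06-02T03:16:02Z 198.51.100.23 7001 http
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<port>\d+)\s+(?P<proto>\S+)$")


def is_affected_version(version: str) -> bool:
    """True if the reported WebLogic version is one the advisory lists as affected."""
    return version.strip() in AFFECTED_VERSIONS


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the assumed-internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def external_t3_iiop_sources(log_text: str) -> dict:
    """Return {src_ip: count} for T3/IIOP connections from outside INTERNAL_NETS."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting a triage run
        if m["proto"].lower() not in INTERNAL_ONLY_PROTOCOLS:
            continue  # HTTP and other traffic is not the signal we want here
        if not is_internal(m["src"]):
            hits[m["src"]] = hits.get(m["src"], 0) + 1
    return hits


if __name__ == "__main__":
    print("affected version:", is_affected_version("12.2.1.4.0"))
    for src, n in external_t3_iiop_sources(SAMPLE_LOG).items():
        print(f"external T3/IIOP source {src}: {n} connection(s) - investigate")
```

Any source the scan reports should be checked against your known clients; a hit from an unknown address is the "unfamiliar T3/IIOP source" the text tells you to look for.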

Note that the same week, the other leading business server, IBM WebSphere, also disclosed new critical flaws. If you run both, also review the WebSphere critical flaws roundup. To track major vulnerabilities affecting widely used products in Japan, the KEV dashboard for tracking confirmed-exploited flaws and the 2026 first-half roundup of major vulnerabilities are useful.

FAQ

Q. It's a 2024 flaw—why is it dangerous again now?

A. The fix shipped in July 2024, but servers left unpatched and exposed remained, and on June 1, 2026, CISA confirmed real-world exploitation and added it to KEV. Now that attacks have actually begun, unpatched servers are at their most dangerous.

Q. Can this flaw let attackers take over the server?

A. CVE-2024-21182 is an "information-disclosure" flaw where data the server can touch is read without authentication (the CVSS vector shows confidentiality impact only). It is not a full server takeover, but banking or personal data can be exfiltrated wholesale, and that stolen data is used as a foothold for the next attack.

Q. How do I check whether my WebLogic is affected?

A. The affected versions are WebLogic Server 12.2.1.4.0 and 14.1.1.0.0. First confirm your running version and whether patches from July 2024 onward are applied. Also check that T3 and IIOP traffic is not reachable from the internet or untrusted networks.

Q. What is the stopgap if I can't patch right away?

A. Restrict T3 and IIOP traffic to internal sources only via firewall or network devices. Since these need not be exposed externally, cutting off the reach path alone goes a long way to preventing the attack. It is only a stopgap, though—patching is ultimately required.

Summary

Oracle WebLogic Server's CVE-2024-21182 lets attackers read server data without logging in. It was fixed back in 2024, but unpatched servers remained, and CISA has now confirmed real-world exploitation and added it to KEV. The severity number is 7.5, but with real attacks underway, the priority is highest. The affected versions are 12.2.1.4.0 and 14.1.1.0.0. First confirm the July 2024 patch status; if it is not applied, apply it immediately, and if you cannot in time, block external access to T3 and IIOP to close the entry point. The more an unglamorous foundation goes unnoticed, the more likely it is to sit old and exposed. Use this moment to take stock of your WebLogic version, patch status, and any externally open channels.
