High Known exploited (KEV) CVE-2024-21182

Oracle WebLogic Server vulnerability (CVE-2024-21182) — risk of data compromise without authentication

Oracle WebLogic Server | Added to KEV: Jun 1, 2026 | Federal remediation due: 2026-06-04

In Oracle WebLogic Server, an unauthenticated attacker with network access via the T3/IIOP protocols can compromise the server, leading to unauthorized access to critical data or to all data the server can reach. The CVSS vector scores confidentiality impact only (C:H, I:N, A:N). CISA lists it as known-exploited (KEV) (CVSS 7.5 High).

Key facts

  • CVE ID: CVE-2024-21182
  • CVSS base score: 7.5 HIGH
  • CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • Affected (vendor / product): Oracle WebLogic Server
  • Exploitation: Listed in CISA KEV (exploitation confirmed)
  • Remediation due: 2026-06-04 (U.S. federal civilian agencies, BOD 22-01)

Key points

  • WebLogic Server can be compromised over T3/IIOP with no credentials
  • Success leads to unauthorized access to critical data, in some cases all data reachable by the server (the vector scores confidentiality only: C:H/I:N/A:N)
  • Fixed in Oracle's July 2024 Critical Patch Update (cpujul2024); listed in CISA KEV (CVSS 7.5 High)
  • Response: apply the relevant patch, keep T3/IIOP off the internet, and restrict the listeners to known source addresses
  • Federal civilian remediation deadline was June 4, 2026

CVE-2024-21182 is a vulnerability in Oracle WebLogic Server (a Java EE / Jakarta EE application server) in which an unauthenticated attacker can compromise the server over the network via the T3 or IIOP protocols. Success leads to unauthorized access to the critical data WebLogic Server can reach, or to all of its accessible data.

WebLogic's T3 (its proprietary RMI protocol) and IIOP (CORBA) listeners have repeatedly served as the entry point in WebLogic attacks. Exposing them to the internet is dangerous because the listener accepts and starts processing a connection before any authentication takes place, so a flaw in that handling is reachable by anyone who can open a TCP connection to the port. Note that WebLogic multiplexes protocols on its listen port (7001 by default), so a port published for HTTP also answers T3 and IIOP unless a connection filter or a dedicated network channel prevents it. CISA added the CVE to the KEV catalog on June 1, 2026 with exploitation confirmed; Oracle's fix had already shipped in the July 2024 Critical Patch Update.

Key response: apply the relevant patch from Oracle's July 2024 Critical Patch Update (cpujul2024). Network-side mitigations are effective in addition to, not instead of, patching: do not expose T3/IIOP to the internet, restrict them to the source addresses that genuinely need them (administrative hosts and other WebLogic or Java clients), and verify the restriction from outside the trust boundary rather than assuming it from a firewall diagram. The federal civilian remediation deadline was June 4, 2026.

Why it matters

WebLogic runs in many core systems, and the real risk varies greatly with internet exposure: a patched server behind a strict source-address filter and an unpatched server answering T3 on a public address are not the same finding. Beyond patching, the practical priorities are inventorying where T3/IIOP actually answer and restricting who can reach them.

FAQ

What is WebLogic?
Oracle's Java application server, widely used as the runtime platform for enterprise core systems and business applications.
What are T3/IIOP?
Protocols WebLogic uses for Java RMI (T3, Oracle's proprietary protocol) and CORBA (IIOP) traffic, served on the same listen port as HTTP by default. When exposed to the internet they become an attack entry point that can be reached without any credentials.
What should I do?
Apply the relevant patch from Oracle's July 2024 Critical Patch Update and minimize the exposure of T3/IIOP.

Sources (primary)

This article is an independent summary organized from official U.S. government data sources. Always verify the exact, latest details and applicability with the official and vendor sources.

Disclaimer: This site independently summarizes and classifies information based on official data sources. Always verify the latest and accurate information with the official sources. Content on finance, health, legal, and security is information, not advice. This site is not an official website of the U.S. government.