ctipilot.ch

Oracle WebLogic unauth T3/IIOP data access — CISA KEV 2026-06-01 on active exploitation

cve · CVE-2024-21182

  • Coverage timeline: 1 (first 2026-06-03 → last 2026-06-03)
  • Briefs: 1 (1 distinct)
  • Sources cited: 5 (5 hosts)
  • Sections touched: 1 (trending_vulns)
  • Co-occurring entities: 0 (no co-occurrence)

Story timeline

  1. 2026-06-03 · CTI Daily Brief — 2026-06-03
    trending_vulns · First H3 coverage — KEV-added on fresh exploitation of Jul-2024-patched flaw

Where this entity is cited

  • trending_vulns: 1

Source distribution

  • oracle.com: 1 (20%)
  • securityaffairs.com: 1 (20%)
  • thehackernews.com: 1 (20%)
  • ncsc.admin.ch: 1 (20%)
  • source.android.com: 1 (20%)

Items in briefs about Oracle WebLogic unauth T3/IIOP data access — CISA KEV 2026-06-01 on active exploitation (1)

CVE-2024-21182 — Oracle WebLogic Server: unauthenticated T3/IIOP data access, KEV-listed on active exploitation

From CTI Daily Brief — 2026-06-03 · published 2026-06-03

CISA added CVE-2024-21182 to the Known Exploited Vulnerabilities catalog on 2026-06-01 "based on evidence of active exploitation" (The Hacker News, 2026-06-02). The flaw (CVSS 7.5) lets an unauthenticated, network-positioned attacker abuse the T3 or IIOP protocol listeners — exposed by default on ports 7001/7002 — to obtain unauthorized access to WebLogic-accessible data, and on some configurations a more complete server compromise. It affects Oracle WebLogic Server 12.2.1.4.0 and 14.1.1.0.0 and was fixed in Oracle's July 2024 Critical Patch Update (Oracle CPU, 2024-07-16). The operationally relevant fact is the fresh exploitation against a patch that has been available for 23 months, not the FCEB remediation date attached to the KEV entry; WebLogic is heavily deployed J2EE middleware in EU financial-services and public-sector estates (Security Affairs, 2026-06-02). Defenders: apply the July 2024 (or later) CPU; block T3/IIOP at the perimeter and restrict it to internal admin subnets via WebLogic connection filters; alert on unauthenticated T3/IIOP initiators reaching 7001/7002 from external sources.
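One way to implement the alerting step above, as an added example that is not part of the brief: it labels each connection to 7001/7002 by the first bytes the client sends (the cleartext T3 handshake line beginning `t3 `, or the `GIOP` magic that opens IIOP messages) and flags T3/IIOP initiators outside the admin subnets. The admin subnet, the record layout and the sample records are constructed assumptions; authentication state is not visible at this layer, so every external T3/IIOP initiator is flagged.

```python
import ipaddress

WEBLOGIC_PORTS = {7001, 7002}  # listener ports named in the brief
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # assumed admin subnet (constructed)
HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"OPTIONS"}

def classify(first_bytes):
    """Label a connection by the first bytes the client sent."""
    if first_bytes.startswith(b"t3 "):   # cleartext T3 handshake line, e.g. "t3 12.2.1"
        return "t3"
    if first_bytes.startswith(b"GIOP"):  # GIOP magic that opens every IIOP message
        return "iiop"
    if first_bytes[:2] == b"\x16\x03":   # TLS handshake record: inner protocol not visible
        return "tls"
    if first_bytes.split(b" ", 1)[0] in HTTP_METHODS:
        return "http"
    return "other"

def is_admin_source(src):
    """True when the source address falls inside an allowed admin subnet."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ADMIN_NETS)

def find_alerts(records):
    """Return (src, port, proto) for T3/IIOP initiators outside the admin subnets."""
    alerts = []
    for src, dport, first_bytes in records:
        if dport not in WEBLOGIC_PORTS:
            continue
        proto = classify(first_bytes)
        if proto in ("t3", "iiop") and not is_admin_source(src):
            alerts.append((src, dport, proto))
    return alerts

# Constructed sample records: (source IP, destination port, first client bytes).
SAMPLE = [
    ("203.0.113.45", 7001, b"t3 12.2.1\nAS:255\nHL:19\n\n"),  # external T3
    ("10.20.0.17", 7001, b"t3 12.2.1\nAS:255\nHL:19\n\n"),    # admin subnet T3
    ("198.51.100.9", 7002, b"GIOP\x01\x02\x00\x00"),          # external IIOP
    ("198.51.100.9", 7001, b"GET /console HTTP/1.1\r\n"),     # HTTP, not T3/IIOP
    ("192.0.2.77", 7002, b"\x16\x03\x01\x02\x00"),            # TLS, opaque here
    ("203.0.113.45", 8080, b"t3 12.2.1\n"),                   # not a listener port
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE):
        print("ALERT external %s -> port %d speaking %s" % alert)
```

Connections labelled `tls` cannot be classified from the wire alone; for those, the source-address restriction from the connection filter and perimeter block is the control that applies.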