Daily brief 2026-06-03
CVE-2024-21182 — Oracle WebLogic Server: unauthenticated T3/IIOP data access, KEV-listed on active exploitation
Part of run 2026-06-03-ee0eae61 (intel · Claude Opus 4.8)
CISA added CVE-2024-21182 to the Known Exploited Vulnerabilities catalog on 2026-06-01 "based on evidence of active exploitation" (The Hacker News, 2026-06-02). The flaw (CVSS 7.5) lets an unauthenticated, network-positioned attacker abuse the T3 or IIOP protocol listeners — exposed by default on ports 7001/7002 — to obtain unauthorized access to WebLogic-accessible data, and on some configurations a more complete server compromise. It affects Oracle WebLogic Server 12.2.1.4.0 and 14.1.1.0.0 and was fixed in Oracle's July 2024 Critical Patch Update (Oracle CPU, 2024-07-16). The operationally relevant fact is the fresh exploitation against a patch that has been available for 23 months, not the FCEB remediation date attached to the KEV entry; WebLogic is heavily deployed J2EE middleware in EU financial-services and public-sector estates (Security Affairs, 2026-06-02). Defenders: apply the July 2024 (or later) CPU; block T3/IIOP at the perimeter and restrict it to internal admin subnets via WebLogic connection filters; alert on unauthenticated T3/IIOP initiators reaching 7001/7002 from external sources.
“CISA added CVE-2024-21182 to the Known Exploited Vulnerabilities catalog on 2026-06-01 "based on evidence of active exploitation" (The Hacker News, 2026-06-02).” — ctipilot v2 brief (migrated)
Action items
- Close internet exposure of Oracle WebLogic T3/IIOP and confirm the July 2024 CPU is applied (§ 2, CVE-2024-21182). It is being actively exploited and requires no authentication; block T3/IIOP at the perimeter, restrict it to internal admin subnets via connection filters, and alert on external initiators to ports 7001/7002.
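As an added check, not code from the brief or from Oracle: a small Python model of a WebLogic connection-filter rule set in the layout of the default ConnectionFilterImpl, applied to constructed connection attempts, alongside the external-initiator alert the brief recommends. The rule layout and its first-match / default-allow behaviour are assumptions to verify against the product documentation; the subnets, addresses and attempts are constructed.

```python
import ipaddress

# Constructed rule set in the layout of WebLogic's default ConnectionFilterImpl:
#   targetAddress localAddress localPort action [protocols...]
# Assumed semantics: evaluated in order, first match wins, no match means allow.
RULES_TEXT = """\
10.20.0.0/16 * 7001 allow t3 t3s iiop iiops
10.20.0.0/16 * 7002 allow t3 t3s iiop iiops
0.0.0.0/0 * 7001 deny t3 t3s iiop iiops
0.0.0.0/0 * 7002 deny t3 t3s iiop iiops
"""
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
def parse_rules(text):
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        target, local, port, action, *protos = line.split()
        rules.append((ipaddress.ip_network(target, strict=False), local, port, action, set(protos)))
    return rules

def evaluate(rules, src_ip, local_addr, local_port, proto):
    """Decide 'allow' or 'deny' for one inbound connection attempt."""
    ip = ipaddress.ip_address(src_ip)
    for net, local, port, action, protos in rules:
        if ip not in net or (local != "*" and local != local_addr):
            continue
        if port != "*" and int(port) != local_port:
            continue
        if protos and proto not in protos:  # empty protocol list matches any protocol
            continue
        return action
    return "allow"  # nothing matched: the filter's default (assumed)

def is_external(src_ip):
    return not any(ipaddress.ip_address(src_ip) in net for net in INTERNAL)

# Constructed connection attempts: (src_ip, local_addr, local_port, protocol)
ATTEMPTS = [
    ("10.20.5.7", "10.20.1.10", 7001, "t3"),      # admin subnet, legitimate
    ("203.0.113.9", "10.20.1.10", 7001, "t3"),    # internet-sourced T3
    ("203.0.113.9", "10.20.1.10", 7002, "iiops"), # internet-sourced IIOP over TLS
    ("203.0.113.9", "10.20.1.10", 7001, "http"),  # plain HTTP, not a T3/IIOP attempt
]

def triage(rules, attempts):
    """Per attempt (src, port, proto, decision, alert); alert = external T3/IIOP initiator on 7001/7002."""
    return [(src, port, proto, evaluate(rules, src, local, port, proto),
             is_external(src) and port in (7001, 7002) and proto in {"t3", "t3s", "iiop", "iiops"})
            for src, local, port, proto in attempts]
```

Re-run evaluate() with the two deny lines removed and the internet-sourced T3 attempt comes back "allow", which is why the closing deny rules are the part of the filter to verify.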