Oracle WebLogic CVE-2024-21182 Added to CISA KEV: Federal Deadline June 4 as Ransomware Payloads Observed

CISA added CVE-2024-21182 to the Known Exploited Vulnerabilities catalogue on 1 June, citing confirmed active exploitation of the Oracle WebLogic Server unauthenticated remote attack vulnerability. Honeypot data shows attackers delivering Cobalt Strike beacons and ransomware payloads via the T3/IIOP protocol attack path. Federal civilian agencies must remediate by 4 June.

Tags: oracle, weblogic, cve-2024-21182, cisa-kev, ransomware, t3-protocol, iiop, java-deserialization, active-exploitation

CISA added CVE-2024-21182 to the Known Exploited Vulnerabilities catalogue on 1 June 2026, approximately 18 months after Oracle patched the vulnerability in its January 2024 Critical Patch Update. The addition, combined with honeypot data from multiple threat intelligence vendors showing active Cobalt Strike and ransomware delivery via the vulnerability, confirms that the long tail of unpatched Oracle WebLogic Server deployments is under sustained attack.

Vulnerability Background

CVE-2024-21182 is an unauthenticated remote attack vulnerability in Oracle WebLogic Server affecting the T3 and IIOP protocols (CVSS 7.5). T3 (Thin Third party) and IIOP (Internet Inter-ORB Protocol) are Java RMI-based protocols used for EJB communication and remote administration in WebLogic, and they have been a recurring source of critical deserialization vulnerabilities in the platform for over a decade.

The vulnerability allows an unauthenticated attacker with network access to the WebLogic T3/IIOP port (typically TCP 7001) to execute arbitrary code on the WebLogic server. Exploitation does not require valid WebLogic credentials.

Affected versions (per Oracle CPU January 2024):

  • Oracle WebLogic Server 12.2.1.4.0
  • Oracle WebLogic Server 14.1.1.0.0

Both versions are widely deployed in enterprise environments running Oracle Fusion Middleware, Oracle E-Business Suite, and custom enterprise Java applications.

Why KEV Addition After 18 Months?

The January 2024 patch was published, but a significant population of Oracle WebLogic deployments remained unpatched into 2026, a pattern consistent with Oracle’s historically complex patch process. Oracle patches WebLogic exclusively through the quarterly Critical Patch Update (CPU) process, which requires comprehensive testing before deployment because of complex middleware dependencies. Organisations with large Oracle estates frequently lag one or more CPU cycles.

CISA’s KEV addition reflects that exploitation targeting this unpatched population has reached a threshold warranting federal directive. The specific triggering intelligence is confirmed delivery of post-exploitation payloads to production systems via CVE-2024-21182 exploitation.

Active Exploitation Details

Honeypot data collected through late May and early June 2026 shows:

Cobalt Strike deployment: The most common observed payload is a Cobalt Strike HTTP beacon, delivered via a deserialization gadget chain that leverages CVE-2024-21182 for initial code execution. The beacon establishes command-and-control to infrastructure associated with ransomware-affiliated initial access brokers.

Sodinokibi/REvil encryptor: At least two honeypot interactions delivered a Sodinokibi ransomware variant following Cobalt Strike beacon establishment, consistent with a multi-stage attack chain (initial access via CVE-2024-21182 → Cobalt Strike → hands-on-keyboard → ransomware deployment).

The exploitation appears automated for the initial reconnaissance and CVE-2024-21182 delivery phase, with human-operated post-exploitation for the second-stage ransomware deployment.

Remediation and Detection

Immediate:

  1. Identify all WebLogic Server instances in the environment: version 12.2.1.4.0 and 14.1.1.0.0 are affected
  2. Apply the Oracle CPU January 2024 patch (or a more recent CPU that includes it) to all affected instances
  3. Block TCP 7001 (T3/IIOP) at the perimeter if internet-facing WebLogic access is not required; most enterprise WebLogic deployments should not have T3/IIOP exposed to the internet

If T3/IIOP must be internet-accessible:

  • Implement WebLogic connection filters to restrict T3/IIOP access to authorised source IPs
  • Configure WebLogic to use T3S (T3 over SSL); unencrypted T3 is a security risk independent of this CVE
  • Monitor WebLogic access logs for requests to T3/IIOP endpoints from unexpected sources
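One caveat on the perimeter advice above: WebLogic multiplexes HTTP, T3 and IIOP on the same listen port, so a firewall rule on TCP 7001 drops HTTP as well. Where HTTP must stay reachable, the connection filter (the domain's Security > Filter page in the admin console) is the control that distinguishes protocols. The following is an added example, not code from the article or from Oracle: it models how ConnectionFilterImpl rules are evaluated, as I read Oracle's documentation (first matching rule wins; a connection matching no rule is accepted), shows a weak rule set beside a corrected one, and audits a rule set for the two mistakes that matter here. The addresses, the port and the rule text are constructed; only the t3/t3s protocol names are used, so add the IIOP protocol names from Oracle's documented list for your own filter.

```python
"""Model of WebLogic connection-filter rule evaluation (added example; the
semantics are my reading of the ConnectionFilterImpl documentation, not
Oracle's code).  Rule format, one rule per line:

    target  localAddress  localPort  action  [protocols...]

Rules are matched in order and the first match wins.  A connection that
matches NO rule is accepted, which is the trap the weak rule set falls into."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    target: ipaddress.IPv4Network   # remote address or network the rule covers
    local_addr: str                 # "*" or the server-side listen address
    local_port: str                 # "*" or a listen port
    action: str                     # "allow" or "deny"
    protocols: frozenset            # empty set: the rule applies to every protocol


def parse_rules(text):
    """Parse rules in the text form used for the console's rules field."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4 or parts[3] not in ("allow", "deny"):
            raise ValueError(f"malformed rule: {raw!r}")
        target, local_addr, local_port, action, *protos = parts
        # Accept a.b.c.d, a.b.c.d/bits or a.b.c.d/m.m.m.m; hostnames are not
        # resolved in this simplified model.
        net = ipaddress.ip_network(target if "/" in target else f"{target}/32", strict=False)
        rules.append(Rule(net, local_addr, local_port, action, frozenset(p.lower() for p in protos)))
    return rules


def evaluate(rules, remote_ip, local_addr, local_port, protocol):
    """Return "allow" or "deny" for one inbound connection."""
    remote = ipaddress.ip_address(remote_ip)
    for r in rules:
        if remote not in r.target:
            continue
        if r.local_addr != "*" and r.local_addr != local_addr:
            continue
        if r.local_port != "*" and int(r.local_port) != local_port:
            continue
        if r.protocols and protocol.lower() not in r.protocols:
            continue
        return r.action
    return "allow"   # no rule matched: the filter accepts the connection


def audit(rules):
    """Flag the two rule-set mistakes that matter for T3 exposure."""
    findings = []
    catch_all_deny = any(
        r.action == "deny" and r.target.prefixlen == 0
        and (not r.protocols or r.protocols & {"t3", "t3s"})
        for r in rules)
    if not catch_all_deny:
        findings.append("no catch-all deny for t3/t3s: unlisted sources fall through to the default allow")
    if any(r.action == "allow" and "t3" in r.protocols for r in rules):
        findings.append("plain (unencrypted) t3 is allowed: permit t3s only")
    return findings


# Weak (constructed): only an allow rule, so any source outside 10.0.0.0/8 is
# silently accepted because nothing matches it.
WEAK_RULES = """
10.0.0.0/8  *  7001  allow  t3 t3s
"""

# Corrected (constructed): T3S only, from the internal range and localhost, then
# deny T3/T3S from everywhere else.  The deny must be last: if it came first it
# would also swallow the internal allow, since the first match wins.
HARDENED_RULES = """
10.0.0.0/8  *  7001  allow  t3s
127.0.0.1   *  7001  allow  t3s
0.0.0.0/0   *  7001  deny   t3 t3s
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        rules = parse_rules(text)
        verdict = evaluate(rules, "203.0.113.5", "10.0.0.10", 7001, "t3")
        print(f"{name}: public t3 -> {verdict}; audit -> {audit(rules) or 'clean'}")
```

Note that the hardened set leaves HTTP untouched: a deny rule that lists only t3 and t3s does not match an HTTP connection, which then falls through to the default allow, so the application stays reachable while the RMI protocols are closed to the internet.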

Detection: WebLogic exploitation via CVE-2024-21182 generates characteristic events in the WebLogic server log:

  • "Unexpected EOF reading from [IP]" messages, which indicate probing attempts
  • Java deserialization exceptions with unexpected class names (look for gadget chain class names like org.apache.commons.collections, ysoserial, com.sun.org.apache.xalan)
  • Unexpected process spawning from the WebLogic JVM process (child processes spawned by java on Linux, cmd.exe/powershell.exe child processes on Windows)
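The three indicators above as detection logic, added here as an example and not part of the article. The WebLogic log lines and the process-creation events are constructed for the example (hosts, IPs, paths and the BEA-000000 message ids are invented, and the wording of real WebLogic messages may differ), so the patterns should be tuned against your own server logs and EDR or auditd feed before they are used for alerting.

```python
"""Detection for the WebLogic indicators above (added example).  All sample
data is constructed: hosts, IPs, message ids and paths are invented."""
import re
from collections import Counter

# Gadget-chain class prefixes named in the detection guidance.
GADGET_MARKERS = ("org.apache.commons.collections", "ysoserial", "com.sun.org.apache.xalan")
# Interpreters a WebLogic JVM has no business spawning.
SHELL_NAMES = {"sh", "bash", "dash", "cmd.exe", "powershell.exe", "pwsh.exe"}

EOF_RE = re.compile(r"Unexpected EOF reading from (\d{1,3}(?:\.\d{1,3}){3})")
DESER_RE = re.compile(r"java\.(?:io\.InvalidClassException|lang\.ClassNotFoundException)")


def scan_weblogic_log(text):
    """One finding per matching log line, in log order."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = EOF_RE.search(line)
        if m:
            findings.append({"kind": "t3_probe", "line": n, "source": m.group(1)})
            continue
        if DESER_RE.search(line):
            for marker in GADGET_MARKERS:
                cls = re.search(re.escape(marker) + r"[\w.$]*", line)
                if cls:
                    findings.append({"kind": "gadget_deserialization", "line": n, "class": cls.group(0)})
                    break
    return findings


def scan_process_events(events):
    """Report every child of a WebLogic JVM: shells high severity, anything else medium."""
    reports = []
    for e in events:
        if "weblogic.Server" not in e.get("parent_cmdline", ""):
            continue   # some other java process, out of scope
        basename = re.split(r"[\\/]", e["image"])[-1].lower()
        severity = "high" if basename in SHELL_NAMES else "medium"
        reports.append({"host": e["host"], "image": e["image"], "severity": severity})
    return reports


def summarize(findings):
    """Counts by kind, for a dashboard or an alert threshold."""
    return dict(Counter(f["kind"] for f in findings))


# Constructed server-log excerpt in the ####<...> layout WebLogic uses.
SAMPLE_LOG = """\
####<Jun 1, 2026 2:03:11 AM UTC> <Info> <WebLogicServer> <wls01> <AdminServer> <BEA-000000> <The server started in RUNNING mode.>
####<Jun 1, 2026 2:17:45 AM UTC> <Warning> <Socket> <wls01> <AdminServer> <BEA-000000> <Unexpected EOF reading from 203.0.113.5:51412 during T3 handshake>
####<Jun 1, 2026 2:17:46 AM UTC> <Error> <RJVM> <wls01> <AdminServer> <BEA-000000> <java.lang.ClassNotFoundException: org.apache.commons.collections.functors.InvokerTransformer>
####<Jun 1, 2026 2:17:46 AM UTC> <Error> <RJVM> <wls01> <AdminServer> <BEA-000000> <java.io.InvalidClassException: com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl; rejected by deserialization filter>
####<Jun 1, 2026 2:20:02 AM UTC> <Info> <JDBC> <wls01> <AdminServer> <BEA-000000> <Connection pool "AppDS" reached initial capacity.>
####<Jun 1, 2026 2:31:09 AM UTC> <Warning> <Socket> <wls01> <AdminServer> <BEA-000000> <Unexpected EOF reading from 198.51.100.77:40022 during T3 handshake>
"""

# Constructed process-creation events in the shape of an EDR/auditd-derived feed.
SAMPLE_PROC_EVENTS = [
    {"host": "wls01", "parent_cmdline": "java -Dweblogic.Name=AdminServer weblogic.Server", "image": "/bin/sh"},
    {"host": "wls01", "parent_cmdline": "java -jar reporting.jar", "image": "/bin/sh"},   # not WebLogic: ignored
    {"host": "wls01", "parent_cmdline": "java -Dweblogic.Name=AdminServer weblogic.Server", "image": "/usr/bin/hostname"},
    {"host": "wls02", "parent_cmdline": "java.exe -Dweblogic.Name=AdminServer weblogic.Server", "image": "C:\\Windows\\System32\\cmd.exe"},
]

if __name__ == "__main__":
    log_findings = scan_weblogic_log(SAMPLE_LOG)
    print(summarize(log_findings))
    for f in log_findings:
        print(f)
    for r in scan_process_events(SAMPLE_PROC_EVENTS):
        print(r)
```

Two probes from distinct sources followed within a second by deserialization failures naming gadget classes is the sequence the article describes; correlating the log findings with a shell spawned by the WebLogic JVM on the same host is what separates a blocked attempt from a successful one.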
