CVE-2024-21182 — Oracle WebLogic Server Unspecified Vulnerability

CVE-2024-21182

Oracle WebLogic Server — Unauthenticated Data Disclosure via T3/IIOP (July 2024 CPU)

What is Oracle WebLogic Server?

Oracle WebLogic Server is a leading Java EE application server used to build and deploy enterprise applications. It is widely deployed across financial services, government, healthcare, and critical infrastructure environments. Its network-facing management protocols — particularly T3 (Oracle's proprietary RMI-based protocol) and IIOP (Internet Inter-ORB Protocol) — have historically represented a high-value attack surface, having been exploited in numerous critical vulnerabilities over the past decade.

Overview

CVE-2024-21182 is an unauthenticated information disclosure vulnerability in the Core component of Oracle WebLogic Server, disclosed and patched in Oracle's July 2024 Critical Patch Update. An attacker with network access to the T3 or IIOP listener — no credentials required — can retrieve confidential data, potentially gaining complete read access to all data accessible by the WebLogic process. The vulnerability carries a CVSS 3.1 score of 7.5 (HIGH) and was added to the CISA Known Exploited Vulnerabilities catalog on June 1, 2026, confirming active exploitation in the wild.

Affected Versions

Product                  Affected Version   Fixed Version
Oracle WebLogic Server   12.2.1.4.0         12.2.1.4.0 with July 2024 CPU patch
Oracle WebLogic Server   14.1.1.0.0         14.1.1.0.0 with July 2024 CPU patch

Technical Details

The vulnerability resides in WebLogic's Core component and is exploitable over the T3 and IIOP protocols, which are network-accessible on the default listen ports (7001/TCP for HTTP/T3, 7002/TCP for TLS). Oracle's advisory intentionally withholds detailed technical specifics ("unspecified") to limit weaponization, but the CVSS vector characterizes the impact precisely:

  • No authentication required — the attacker needs only network connectivity to the listener
  • Low attack complexity — no race conditions, special configuration, or chained prerequisites
  • Confidentiality: High — the attacker can read any data accessible to the WebLogic process, including credentials, session tokens, application data, and potentially database connection strings
  • No integrity or availability impact — this is a read-only disclosure, not remote code execution

T3 and IIOP expose WebLogic's remote object registry, historically abused for deserialization attacks (CVE-2019-2725, CVE-2020-14882, and others). This vulnerability class exploits the same protocol surface but achieves data exfiltration rather than code execution, making it stealthier and harder to detect via conventional intrusion detection signatures.

Discovery

Oracle credits no independent researcher in the public advisory; the discovery is attributed internally as part of the July 2024 CPU.

Exploitation Context

The vulnerability was confirmed actively exploited and added to CISA's KEV catalog on June 1, 2026. Oracle WebLogic Server instances with T3 or IIOP exposed to untrusted networks are the primary risk. Publicly internet-facing WebLogic deployments number in the thousands according to Shodan telemetry, with a significant share running unpatched versions — a consistent historical pattern given Oracle's quarterly patch cadence and the complexity of patching in enterprise environments.

WebLogic's T3/IIOP attack surface has been a persistent target for cryptocurrency mining botnets (notably the 8220 Gang), ransomware operators, and nation-state actors. A read-only data disclosure vulnerability of this nature is particularly attractive for credential harvesting as a precursor to lateral movement or privilege escalation.

Remediation

  1. Apply the July 2024 Critical Patch Update for your WebLogic version (12.2.1.4.0 or 14.1.1.0.0). Oracle patches are available through My Oracle Support.
  2. Restrict T3/IIOP access — if external exposure is not required, block ports 7001 and 7002 at the network perimeter and restrict T3/IIOP to trusted internal networks only using WebLogic's connection filter (weblogic.security.net.ConnectionFilter).
  3. Disable IIOP if not required for your deployment — in the WebLogic Administration Console, navigate to Environment → Servers → [server name] → Protocols → IIOP and disable it.
  4. Audit logs for anomalous T3/IIOP connections from unexpected source IPs, particularly targeting administrative ports.
  5. Prioritize patching — CISA's June 4, 2026 BOD 22-01 deadline applies to federal agencies; all organizations should treat this with equivalent urgency given confirmed exploitation.
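Step 4 above can be automated. The following is an added example, not code from Oracle or from this advisory: it scans a constructed key=value connection log (not WebLogic's own log format) and flags T3/IIOP connections to the 7001/7002 listeners that originate outside an assumed set of trusted networks. The trusted CIDRs, the log format and all addresses are assumptions chosen for illustration.

```python
import ipaddress
import re

# Listener ports named in the advisory: 7001/TCP (HTTP/T3) and 7002/TCP (TLS).
WEBLOGIC_PORTS = {7001, 7002}
# RMI-style protocols the vulnerability is reachable over; HTTP on 7001 is excluded.
RMI_PROTOCOLS = {"t3", "t3s", "iiop", "iiops"}

# Assumed: networks from which T3/IIOP clients are legitimately expected.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.50.0/24"),
]

# Constructed log format: "<timestamp> src=<ip> dst=<ip> dport=<port> proto=<name>".
LINE_RE = re.compile(
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return {"src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "proto": m["proto"].lower()}


def is_trusted(ip):
    """True when the source address falls inside an allow-listed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def find_untrusted_rmi_connections(lines):
    """Keep only T3/IIOP connections to WebLogic listeners from untrusted sources."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] not in WEBLOGIC_PORTS:
            continue
        if rec["proto"] in RMI_PROTOCOLS and not is_trusted(rec["src"]):
            findings.append(rec)
    return findings


def summarize_by_source(findings):
    """Count flagged connections per source IP for triage."""
    counts = {}
    for rec in findings:
        counts[rec["src"]] = counts.get(rec["src"], 0) + 1
    return counts


# Constructed sample log using documentation (TEST-NET) addresses.
SAMPLE_LOG = [
    "2024-07-20T10:01:02Z src=10.20.30.40 dst=10.0.0.5 dport=7001 proto=t3",     # trusted
    "2024-07-20T10:01:05Z src=203.0.113.77 dst=10.0.0.5 dport=7001 proto=t3",    # flagged
    "2024-07-20T10:01:09Z src=198.51.100.9 dst=10.0.0.5 dport=7001 proto=http",  # HTTP, ignored
    "2024-07-20T10:02:00Z src=198.51.100.9 dst=10.0.0.5 dport=7002 proto=iiops", # flagged
    "malformed line with no fields",
]

if __name__ == "__main__":
    for rec in find_untrusted_rmi_connections(SAMPLE_LOG):
        print(f"untrusted {rec['proto']} connection from {rec['src']} to port {rec['dport']}")
```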

Key Details

Property               Value
CVE ID                 CVE-2024-21182
Vendor / Product       Oracle — WebLogic Server
NVD Published          2024-07-16
NVD Last Modified      2026-06-01
CVSS 3.1 Score         7.5
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity               HIGH
CISA KEV Added         2026-06-01
CISA KEV Deadline      2026-06-04
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             None
Availability          None

Required Action

CISA BOD 22-01 Deadline: 2026-06-04. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2024-07-16   Oracle July 2024 Critical Patch Update published; CVE-2024-21182 disclosed and patched
2026-06-01   Added to CISA Known Exploited Vulnerabilities catalog
2026-06-04   CISA BOD 22-01 remediation deadline

References

Resource                                            Type
Oracle Critical Patch Update Advisory — July 2024   Vendor Advisory
NVD — CVE-2024-21182                                Vulnerability Database
CISA KEV Catalog Entry                              US Government