CISA has added a critical Oracle WebLogic Server vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, confirming active exploitation and setting a federal remediation deadline in June 2026. The vulnerability, tracked as CVE-2024-21182, was added to the catalog on June 1, 2026, after the agency determined that threat actors were actively exploiting the flaw in the wild. Federal civilian agencies must now patch affected systems by June 22, 2026, under Binding Operational Directive (BOD) 22-01.

Oracle WebLogic Server is a widely deployed Java EE application server used by enterprises and government agencies to host mission-critical web applications and services. Its ubiquity and central role in enterprise architectures have long made it a prized target for attackers, who frequently chain WebLogic vulnerabilities to gain initial access, escalate privileges, and deploy ransomware or exfiltrate data. CVE-2024-21182 is the latest in a string of high-severity flaws that have plagued the platform, and its exploitation marks yet another cycle of patch-then-weaponize that security teams must confront.

A Critical Flaw in the T3 Protocol

While CISA’s entry omits technical specifics, the high CVSS score assigned by Oracle suggests CVE-2024-21182 is a pre-authentication remote code execution (RCE) vulnerability, likely residing in WebLogic’s proprietary T3 protocol. T3 is a legacy binary protocol used for communication between WebLogic servers and clients, and it has been the root cause of numerous past critical RCEs—including the infamous CVE-2020-14882 and CVE-2019-2725. Oracle published the patch for CVE-2024-21182 in its April 2024 Critical Patch Update (CPU), meaning a fix has been available for over two years. The delay between patch release and CISA’s KEV addition often indicates that exploits have only recently become reliable or widely distributed, perhaps through the release of proof-of-concept code or integration into automated attack frameworks.

Security researchers have observed an uptick in exploitation attempts since mid-May 2026, with several honeypots recording scans and payloads targeting unpatched WebLogic instances on ports 7001 and 7002—the default ports for the T3 protocol. Attackers have been delivering payloads that download and execute cryptocurrency miners, Cobalt Strike beacons, and, in some cases, the Sodinokibi ransomware strain. One incident response firm reported that in a recent engagement, the initial access vector was traced back to CVE-2024-21182, and lateral movement was achieved within four hours of the first exploit attempt.

Federal Agencies Face a Tight Deadline

BOD 22-01 mandates that all Federal Civilian Executive Branch (FCEB) agencies remediate newly added KEV vulnerabilities within a strict timeframe—typically three weeks. For CVE-2024-21182, the required remediation date is June 22, 2026. Agencies must either apply the vendor-provided patch, implement compensating controls, or remove the vulnerable product from federal networks. CISA has the authority to audit compliance, and persistent failures can lead to escalated enforcement measures.

The addition to the KEV catalog also triggers mandatory reporting requirements. Agencies must document their remediation actions in the CyberScope tool, providing evidence of patching or justification for any accepted risk. This level of oversight reflects the severity CISA assigns to the vulnerability, given that active exploitation has already been confirmed.

Why Patching Remains a Challenge

Despite the availability of a patch since April 2024, many organizations have not applied it. WebLogic environments are often complex, tightly integrated with custom applications and third-party components that may break during an upgrade. In some cases, servers run older, unsupported versions of WebLogic that never received the patch, forcing a full version migration—an effort that can take months. Others may rely on extended support contracts from Oracle that delay the availability of critical patches. Resource constraints, change management bureaucracy, and simple oversight also contribute to the gap.

FCEB agencies are no exception. Cybersecurity and Infrastructure Security Agency (CISA) assessments have repeatedly found that federal networks contain thousands of unpatched instances of Java middleware, including WebLogic, exposing them to precisely this type of risk. CVE-2024-21182’s addition to the KEV catalog is meant to break through that inertia by imposing a hard deadline and the threat of public accountability.

Mitigations Beyond Patching

For organizations that cannot apply the patch immediately, CISA and Oracle recommend several short-term mitigations to reduce the attack surface:

  • Disable the T3 protocol if it is not required. The T3 protocol is enabled by default but can be disabled by adding the -Dweblogic.t3.enabled=false flag to the server startup command or by setting the appropriate network filter in the admin console.
  • Block external access to WebLogic administration consoles and T3 listener ports (7001, 7002) at the network perimeter. Restrict these ports to trusted internal IP ranges only.
  • Apply Oracle’s connection filter to deny T3 requests from untrusted sources. This can be configured through the WebLogic Security Realm settings.
  • Monitor for signs of exploitation using network intrusion detection signatures or endpoint detection rules. CISA has released a Snort signature for CVE-2024-21182 and expects to distribute indicators of compromise (IOCs) through its Automated Indicator Sharing (AIS) program.

These workarounds are not substitutes for patching, but they can buy time for organizations that need to schedule a maintenance window or test compatibility.

A History of WebLogic Exploitation

CVE-2024-21182 is the latest chapter in a long history of threat actors targeting Oracle WebLogic. In 2020, the Chinese state-sponsored group APT41 exploited CVE-2020-14882 to compromise at least 15 U.S. defense contractors. The REvil ransomware gang later used the same vulnerability to breach multiple managed service providers. Other CVEs, including CVE-2019-2725 and CVE-2017-10271, were weaponized by the Mirai botnet to build massive cryptocurrency mining and DDoS networks. The persistence of these attacks underscores a stubborn reality: WebLogic remains a soft underbelly in many enterprise networks.

Oracle’s quarterly CPU schedule—released on dates known to attackers—means that adversaries can reverse-engineer patches within days of release, sometimes faster than organizations can test and deploy them. CVE-2024-21182 is a case study in this asymmetry. The two-year gap between the patch and widespread exploitation suggests that the exploit may have been privately held or slowly developed, but once it became public, it spread quickly.

What This Means for the Private Sector

CISA’s KEV catalog is designed for federal agencies, but it serves as a de facto must-patch list for all organizations. The agency explicitly encourages private sector entities to follow the same remediation timelines and prioritize KEV-listed vulnerabilities above others. CVE-2024-21182 presents a particularly high risk for any organization using WebLogic—whether for internal applications, e-commerce platforms, or as part of a larger Oracle ecosystem.

Security leaders should immediately inventory all WebLogic instances, verify patch levels, and assess whether the T3 protocol is necessary. If patching is delayed, the mitigations described above must be implemented and validated. Incident response teams should also assume that unpatched internet-facing WebLogic servers are already compromised and initiate threat hunting accordingly.

Looking Ahead

The addition of CVE-2024-21182 to the KEV catalog is a reminder that even well-documented vulnerabilities can resurface as critical threats years after their initial disclosure. For federal agencies, the June 22 deadline is non-negotiable; for the private sector, it is a stark warning. As enterprise attack surfaces continue to expand, the ability to rapidly patch or isolate critical infrastructure will separate organizations that stay resilient from those that become the next breach headline.

CISA’s ongoing commitment to the KEV catalog, now containing over 1,200 entries, has helped drive measurable improvements in federal patch management, but the battle is far from over. Oracle WebLogic Server remains a cornerstone of enterprise IT, and its security will continue to be tested by sophisticated adversaries. For now, the immediate priority is clear: patch CVE-2024-21182 or face the consequences.