Oracle WebLogic Server Unauthenticated Data Access via T3/IIOP Added to CISA KEV (CVE-2024-21182)

Scope: Oracle WebLogic Server 12.2.1.4.0 and 14.1.1.0.0

Severity: Red

CISA added CVE-2024-21182 to its Known Exploited Vulnerabilities catalog on June 1, 2026, nearly two years after Oracle patched the flaw in the July 2024 Critical Patch Update, confirming that a significant population of unpatched WebLogic instances remains in production and is under active attack. The vulnerability allows unauthenticated remote attackers with network access to the T3 or IIOP protocols, which are widely exposed in enterprise WebLogic deployments, to compromise the server and gain unauthorized access to all WebLogic-accessible data, consistent with the exploitation pattern seen in prior WebLogic flaws weaponized for botnet recruitment, cryptomining, and ransomware deployment. Federal agencies must remediate by June 4, 2026; all organizations should apply the July 2024 Oracle Critical Patch Update immediately, restrict T3 and IIOP protocol access to trusted internal networks only, and segment WebLogic servers from untrusted network zones.
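One way to check that a WebLogic connection-filter rules file actually closes T3 and IIOP to untrusted networks, added here as an example and not code from the advisory or from Oracle: a small Python re-implementation of the rule matching, run over a weak rules file (an allow line with no catch-all deny) and a corrected one. The rule format is that of WebLogic's built-in ConnectionFilterImpl; the subnets, listener address and the default-allow-on-no-match behaviour are assumptions, and a connection filter complements rather than replaces firewall segmentation.

```python
import ipaddress
# Rule format of WebLogic's built-in ConnectionFilterImpl (one rule per line):
#   target localAddress localPort action [protocol ...]
# Rules are checked top to bottom and the first match decides. Assumption not
# stated on the page: a connection matching no rule is accepted, so a rules
# file without a catch-all deny still leaves T3/IIOP reachable from anywhere.
RULES_WEAK = """
10.10.0.0/255.255.0.0 * * allow t3 t3s iiop iiops
"""
RULES_RESTRICTED = """
10.10.0.0/255.255.0.0 * * allow t3 t3s iiop iiops
0.0.0.0/0             * * deny  t3 t3s iiop iiops
"""

def parse_rules(text):
    """Parse rule lines into (network, localAddress, localPort, action, protocols)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments / blanks
        if not line:
            continue
        target, local_addr, local_port, action, *protocols = line.split()
        rules.append((ipaddress.ip_network(target, strict=False), local_addr,
                      local_port, action.lower(), {p.lower() for p in protocols}))
    return rules

def decide(rules, remote_ip, local_addr, local_port, protocol):
    """Return 'allow' or 'deny' for one inbound connection attempt."""
    ip = ipaddress.ip_address(remote_ip)
    for network, l_addr, l_port, action, protos in rules:
        if (ip in network and l_addr in ("*", local_addr)
                and l_port in ("*", str(local_port))
                and (not protos or protocol.lower() in protos)):  # no list = any
            return action                              # first match wins
    return "allow"                                     # assumed default: no match

def exposed_from(rules, remote_ip, local_addr="10.10.1.5", local_port=7001):
    """Protocols named in the advisory that remote_ip can still open."""
    return [p for p in ("t3", "t3s", "iiop", "iiops")
            if decide(rules, remote_ip, local_addr, local_port, p) == "allow"]

if __name__ == "__main__":
    for name, text in (("weak", RULES_WEAK), ("restricted", RULES_RESTRICTED)):
        rules = parse_rules(text)
        print(name, "untrusted 203.0.113.7 ->", exposed_from(rules, "203.0.113.7"))
        print(name, "app tier 10.10.4.20 ->", exposed_from(rules, "10.10.4.20"))
```

The constructed 10.10.0.0/16 stands in for the trusted application tier and 203.0.113.7 for an untrusted source; swap in your own rules file text to review a real deployment.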

The Uganda National CERT and Coordination Center (CERT.UG/CC) encourages users and administrators to review the recommendations and apply the necessary updates.