Oracle WebLogic Server Unspecified Vulnerability (CVE-2024-21182)
Severity Assessment
- Exploitability: 8/10 — NVD describes CVE-2024-21182 as network-accessible, unauthenticated, and easily exploitable via T3/IIOP.
- Impact: 8/10 — The vulnerability can enable unauthorized access to critical and potentially all accessible Oracle WebLogic data.
- Weaponization Risk: 8/10 — CISA KEV adds a federal remediation deadline and required-action guidance, implying active exploitation monitoring and operational urgency.
- Patch Urgency: 9/10 — This item is in CISA KEV and has a required remediation deadline for covered federal systems.
- Detection Coverage: 4/10 — Public sources do not provide indicators of compromise, exploit payload patterns, or stable command indicators.
Summary
CVE-2024-21182 is an unspecified Oracle WebLogic Server vulnerability in core server components. NVD lists the affected products as Oracle WebLogic Server 12.2.1.4.0 and 14.1.1.0.0 and reports a CVSS 3.1 base score of 7.5 (High) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.
The vulnerability is listed in CISA’s Known Exploited Vulnerabilities catalog under the title “Oracle WebLogic Server Unspecified Vulnerability”; the KEV entry is dated 2026-06-01 with a remediation due date of 2026-06-04. CISA’s required-action guidance directs affected organizations to apply vendor mitigations and instructions and to make a risk decision for any environment that cannot be remediated.
Oracle’s July 2024 CPU advisory page (cpujul2024) is the likely vendor reference for the underlying patch stream and disclosure context, and is linked to the same CVE context through NVD references.
Exploit Chain
Stage 1: Exposed service endpoint
Oracle WebLogic Core components remain exposed via standard management/application network entry points such as T3 and IIOP in operational deployments. The NVD description identifies network access as the attack route, with no authentication required.
Stage 2: Unauthenticated network access attempt
A remote actor with network access can attempt exploitation without valid credentials, targeting vulnerable versions listed by NVD.
Stage 3: Unauthorized access
Successful exploitation can result in unauthorized access to critical data and potentially complete access to data reachable through the affected WebLogic server.
Stage 4: Wider operational impact
While the public record does not expose a single fixed exploit recipe, successful compromise of WebLogic application and administrative trust boundaries raises the risk of unauthorized administration, data extraction, and broader lateral movement in connected enterprise services.
Detection Guidance
Network and endpoint monitoring:
- Monitor internet-facing or internally exposed WebLogic endpoints for unusual T3/IIOP traffic and protocol anomalies.
- Tighten allowlisting for WebLogic management ports and client protocols to reduce exposure.
Configuration controls:
- Track whether servers run affected 12.2.1.4.0 or 14.1.1.0.0 builds and prioritize urgent patch/mitigation workflows.
- Review transport restrictions and segmentation for any services exposing WebLogic public entry points.
Operational triage during suspected exploitation:
- Watch for unexpected authentication bypass symptoms, unauthorized sessions, and abnormal administrative API behavior.
- Validate process-level and file-level changes on WebLogic hosts after suspicious inbound request patterns.
Indicators of Compromise
The public sources for this vulnerability do not provide shared malware indicators, exploit file hashes, or actor-specific attribution for this KEV entry.
Behavioral investigation leads include:
- Unscheduled spikes in T3/IIOP requests on WebLogic infrastructure.
- Unusual access patterns from non-corporate addresses to WebLogic components.
- New sessions with elevated data access behavior compared with normal baselines.
- Sudden changes in WebLogic configuration or data access windows without change-management records.
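The version tracking from Detection Guidance and the behavioral leads above (T3/IIOP request spikes, non-corporate source addresses) can be checked mechanically against an inventory and flow records. The script below is an added example and not code from the advisory, Oracle, CISA or NVD; the inventory, the flow records, the corporate address ranges, the port-to-protocol tagging and the spike thresholds are constructed or assumed and should be tuned per environment.

```python
"""Triage helpers for the WebLogic detection guidance above.

Added example. The affected-version list comes from the advisory text;
everything else (inventory, flow records, corporate ranges, thresholds)
is constructed sample data or an assumption to adjust per environment.
"""
import ipaddress
from collections import Counter
from datetime import datetime

# Versions NVD lists as affected (from the advisory text).
AFFECTED_VERSIONS = {"12.2.1.4.0", "14.1.1.0.0"}

# Constructed inventory: host -> WebLogic version reported by the asset system.
INVENTORY = {
    "wls-prod-01": "12.2.1.4.0",
    "wls-prod-02": "14.1.1.0.0",
    "wls-dev-01": "14.1.2.0.0",   # assumed: not on the affected list
}

# Assumption: address ranges considered corporate; anything else is external.
CORPORATE_RANGES = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.0.0/16")]

# Constructed flow records: timestamp,src_ip,dst_ip,dst_port,protocol.
# The protocol tag is assumed to come from a flow sensor; 7001 is an
# assumed listener port for this deployment, not a fixed WebLogic constant.
SAMPLE_FLOWS = """\
2024-07-20T10:00:05Z,10.1.2.3,10.0.0.10,7001,t3
2024-07-20T10:01:10Z,10.1.2.4,10.0.0.10,7001,t3
2024-07-20T10:03:40Z,192.168.5.5,10.0.0.10,7001,iiop
2024-07-20T10:07:01Z,203.0.113.7,10.0.0.10,7001,t3
2024-07-20T10:07:02Z,203.0.113.7,10.0.0.10,7001,t3
2024-07-20T10:07:03Z,203.0.113.7,10.0.0.10,7001,t3
2024-07-20T10:07:04Z,203.0.113.7,10.0.0.10,7001,iiop
2024-07-20T10:07:05Z,203.0.113.7,10.0.0.10,7001,t3
2024-07-20T10:08:00Z,198.51.100.9,10.0.0.10,7001,t3
2024-07-20T10:08:30Z,10.1.2.3,10.0.0.10,8080,http
"""


def affected_hosts(inventory):
    """Hosts whose reported version is on the NVD affected list."""
    return sorted(h for h, v in inventory.items() if v in AFFECTED_VERSIONS)


def is_corporate(ip):
    """True if the address falls inside an assumed corporate range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_RANGES)


def parse_flow(line):
    """Parse one constructed flow record into a dict."""
    ts, src, dst, port, proto = line.strip().split(",")
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "src": src, "dst": dst, "port": int(port), "proto": proto.lower(),
    }


def _window_start(ts, window_minutes):
    """Floor a timestamp to the start of its fixed-size window."""
    minute = ts.minute - (ts.minute % window_minutes)
    return ts.replace(minute=minute, second=0, microsecond=0)


def t3_iiop_spikes(lines, window_minutes=5, baseline_per_window=2, factor=2):
    """Windows where T3/IIOP record counts reach baseline * factor.

    The baseline is an assumed value; in practice derive it from history.
    """
    counts = Counter()
    for line in lines:
        if not line.strip():
            continue
        rec = parse_flow(line)
        if rec["proto"] in ("t3", "iiop"):
            counts[_window_start(rec["ts"], window_minutes)] += 1
    threshold = baseline_per_window * factor
    return sorted((w, n) for w, n in counts.items() if n >= threshold)


def external_sources(lines):
    """Count T3/IIOP records per non-corporate source address."""
    hits = Counter()
    for line in lines:
        if not line.strip():
            continue
        rec = parse_flow(line)
        if rec["proto"] in ("t3", "iiop") and not is_corporate(rec["src"]):
            hits[rec["src"]] += 1
    return hits


if __name__ == "__main__":
    print("affected hosts:", affected_hosts(INVENTORY))
    flows = SAMPLE_FLOWS.splitlines()
    for window, n in t3_iiop_spikes(flows):
        print(f"spike: {n} T3/IIOP records in window starting {window:%H:%M}")
    for src, n in external_sources(flows).most_common():
        print(f"external source {src}: {n} T3/IIOP records")
```

The spike check only raises leads for analyst review; with the constructed data it flags the 10:05 window and two external addresses, which is the point at which the host-level validation steps from Operational triage would begin.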
Disclosure Timeline
- 2024-07-11 — Oracle publishes the July 2024 Critical Patch Update advisory (cpujul2024) containing related vulnerability references.
- 2024-07-16 — NVD records initial publication of CVE-2024-21182.
- 2026-06-01 — CISA KEV includes CVE-2024-21182.
- 2026-06-04 — CISA KEV remediation deadline for covered federal systems.
Sources & References
- Cybersecurity and Infrastructure Security Agency: CISA KEV Catalog Feed (including CVE-2024-21182), 2026-06-01
- National Vulnerability Database: CVE-2024-21182, 2024-07-16
- Oracle: July 2024 Critical Patch Update Advisory (cpujul2024), 2024-07-11