Oracle WebLogic Server CVE-2024-21182: KEV Authentication Bypass
CISA added Oracle WebLogic Server CVE-2024-21182 to its KEV catalog on 2026-06-01 due to active exploitation. This high-severity authentication bypass vulnerability allows unauthenticated attackers with network access via T3 or IIOP protocols to compromise the server and gain unauthorized access to critical data.
Executive Summary
CISA added CVE-2024-21182 to the Known Exploited Vulnerabilities catalog on 2026-06-01, marking it as actively exploited [CISA KEV]. The affected product is Oracle WebLogic Server, a unified platform for developing, deploying, and running enterprise applications. The vulnerability is a high-severity authentication bypass flaw (CWE-287) that allows unauthenticated network attackers to compromise WebLogic Server over the proprietary T3 or IIOP protocols.
A successful attack can lead to unauthorized access to critical data, credential theft, or complete takeover of the vulnerable WebLogic instances. The vulnerability affects supported versions 12.2.1.4.0 and 14.1.1.0.0. Oracle addressed the issue in the July 2024 Critical Patch Update (CPU) [Oracle July 2024 CPU]. Organizations exposing WebLogic T3/IIOP ports to the internet without applying the necessary CPU patches are at critical risk.
Key Facts
cve: "CVE-2024-21182"
vendor: "Oracle"
product: "WebLogic Server"
vulnerability: "Authentication bypass via T3 or IIOP protocols"
cwe: "CWE-287"
disclosed_date: "2024-07-16"
kev_added: "2026-06-01"
affected_packages:
- "oracle-weblogic-server"
affected_versions: "12.2.1.4.0, 14.1.1.0.0"
fixed_version: "July 2024 CPU patches"
high_value_evidence:
- "T3/IIOP access logs"
- "Oracle July 2024 CPU advisory"
Source Confidence & Evidence Mapping
- confirmed: CISA added CVE-2024-21182 to the KEV catalog, verifying active exploitation in the wild [CISA KEV].
- confirmed: Oracle published a security advisory detailing the vulnerability as part of their July 2024 Critical Patch Update [Oracle July 2024 CPU].
- confirmed: NIST NVD indexes the vulnerability as a high-severity authentication bypass via T3 and IIOP [NIST NVD].
Impact Determination
| Classification | Criteria | Required evidence | Handling decision |
|---|---|---|---|
| Confirmed compromise | System logs or network telemetry show successful unauthenticated T3/IIOP sessions originating from untrusted public IPs, followed by unauthorized command execution, file deployments, or modifications to WebLogic configuration. | Network capture files showing T3/IIOP traffic payloads, WebLogic server access/audit logs, or unrecognized deployments in the WebLogic console. | Isolate the server immediately, terminate all active T3/IIOP sessions, rotate all application and database credentials stored in WebLogic, and perform full system forensics. |
| Presumed exposed | WebLogic Server is running version 12.2.1.4.0 or 14.1.1.0.0, the T3/IIOP protocols are enabled, and July 2024 CPU patches have not been applied. | WebLogic server version details and patch level inventory. | Apply Oracle July 2024 CPU patches immediately; block external T3/IIOP traffic at network boundaries. |
| Potentially exposed | WebLogic Server is present in the network asset inventory but the exact patch level or T3/IIOP configuration status is unverified. | Network scan results or software inventory logs. | Run configuration audits to check T3/IIOP exposure and verify patch compliance. |
| Not exposed | WebLogic Server is verified to have July 2024 CPU (or later) patches applied, or the server does not expose T3/IIOP protocols to untrusted networks. | Confirmed patch installation logs or network ACL configurations. | No immediate action required. |
| Unknown | Device configuration, software versions, or patch logs are missing. | Telemetry gaps in WebLogic server logging or asset inventory. | Assume exposure and update WebLogic packages immediately. |
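The classification rules in the table above, applied to one asset inventory record and a flow export, as an added example that is not part of the original analysis. The trusted ranges, the flow-record layout, the asset field names and the rule that a missing version means Unknown are assumptions; observed T3/IIOP sessions from outside the trusted ranges override the inventory's exposure flag.

```python
import ipaddress

# Assumptions for this example: trusted ranges, the flow-record layout and
# the asset field names are hypothetical; adapt them to your own inventory.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
AFFECTED_VERSIONS = {"12.2.1.4.0", "14.1.1.0.0"}  # from the advisory
WATCHED_PROTOCOLS = {"t3", "t3s", "iiop", "iiops"}

# Constructed sample flow export: time,src_ip,dst_ip,dst_port,protocol
SAMPLE_FLOWS = """\
2026-06-02T10:00:01Z,10.1.4.9,10.0.5.20,7001,t3
2026-06-02T10:03:44Z,203.0.113.7,10.0.5.20,7001,t3
2026-06-02T10:05:10Z,198.51.100.23,10.0.5.21,7001,http
"""

def untrusted_sessions(flow_text, server_ip):
    """Return source IPs outside TRUSTED_NETS that spoke T3/IIOP to server_ip."""
    hits = []
    for line in flow_text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 5:
            continue  # skip malformed records rather than guessing
        _, src, dst, _, proto = parts
        if dst != server_ip or proto.lower() not in WATCHED_PROTOCOLS:
            continue
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            continue  # unparseable source address
        if not any(addr in net for net in TRUSTED_NETS):
            hits.append(src)
    return hits

def classify(asset, flow_text=""):
    """Map one asset record onto the Impact Determination classes."""
    sessions = untrusted_sessions(flow_text, asset.get("ip", ""))
    if sessions and asset.get("unauthorized_activity"):
        return "Confirmed compromise"
    version, patched = asset.get("version"), asset.get("cpu_jul2024_applied")
    # Observed untrusted sessions override whatever the inventory claims.
    exposed = True if sessions else asset.get("t3_iiop_exposed")
    if patched is True or exposed is False:
        return "Not exposed"
    if version is None:
        return "Unknown"
    if patched is None or exposed is None or version not in AFFECTED_VERSIONS:
        return "Potentially exposed"
    return "Presumed exposed"
```

Each value in a record is `True`, `False` or `None` (unverified), which is what separates "Not exposed" from "Potentially exposed" and "Unknown".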
Timeline
- 2024-07-16: Oracle discloses CVE-2024-21182 in the July 2024 Critical Patch Update.
- 2026-06-01: CISA adds CVE-2024-21182 to the Known Exploited Vulnerabilities catalog.
- 2026-06-10: This threat post analysis is published.
Technical Analysis
Oracle WebLogic Server supports proprietary protocols like T3 and IIOP for remote administration and client communication. CVE-2024-21182 represents a serialization validation flaw (CWE-287) in the handling of these protocols. An attacker can craft a malicious serialization stream and send it via T3 or IIOP, bypassing authentication mechanisms.
Because the WebLogic server deserializes the incoming connection request before properly authenticating the client, the attacker can hijack remote classes or perform JNDI injection. This allows them to execute arbitrary administrative actions or run remote code on the host server.
Affected Assets and Blast Radius
asset_selectors:
- "oracle-weblogic-server"
highest_value_assets:
- "Internet-exposed WebLogic servers terminating external T3 or IIOP sessions"
credentials_and_data_at_risk:
- "Database credentials and application secrets stored in WebLogic datasources"
- "Server administrative access and domain credentials"
Indicators And Detection Selectors
vulnerabilities: ["CVE-2024-21182"]
packages: ["oracle-weblogic-server"]
telemetry_selectors:
- "T3"
- "IIOP"
- "weblogic"
Detection and Hunting
Script: local repository and exported telemetry scope
```python
#!/usr/bin/env python3
"""Search a source tree and exported logs for the selectors listed in this post."""
import os
import sys
from pathlib import Path

ROOT = sys.argv[1] if len(sys.argv) > 1 else "."
LOG_ROOT = os.environ.get("LOG_ROOT", "")
OUT = Path(os.environ.get("OUT", "hp-oracle-weblogic-cve-2024-21182-kev-scope"))

# Review window (the KEV-added date). Kept for reference; the scan below does not filter by time.
SINCE = "2026-06-01T00:00:00Z"
UNTIL = "2026-06-01T23:59:59Z"

PACKAGES = [
    "oracle-weblogic-server",
]
# Affected version prefixes (version strings, not IP addresses).
VERSIONS = [
    "12.2.1.4",
    "14.1.1.0",
]
FILES = [
]
# Advisory reference hosts and URLs, not attacker infrastructure: a match means
# the file mentions the advisory sources.
DOMAINS = [
    "www.cisa.gov",
    "www.oracle.com",
    "nvd.nist.gov",
]
URLS = [
    "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
    "https://www.oracle.com/security-alerts/cpujul2024.html",
    "https://nvd.nist.gov/vuln/detail/CVE-2024-21182",
]
IPS = [
]
HASHES = [
]
PROCESS_PATTERNS = [
]
NETWORK_PATTERNS = [
]

# Positive signal: repository, lockfile, artifact, process, or network telemetry contains one of the exact incident selectors above.
# Escalation: any match tied to a production build, CI run, deployed asset, or secret-bearing host moves the asset to presumed exposed.

OUT.mkdir(parents=True, exist_ok=True)
indicators_file = OUT / "indicators.txt"

# Collect unique indicators
indicators = set()
for group in [PACKAGES, VERSIONS, FILES, DOMAINS, URLS, IPS, HASHES, PROCESS_PATTERNS, NETWORK_PATTERNS]:
    for val in group:
        if val:
            indicators.add(val)
selectors = sorted(indicators)

with open(indicators_file, "w") as f:
    for ind in selectors:
        f.write(ind + "\n")
print(f"[+] Written unique selectors to {indicators_file}")


def scan(base, exclude_dirs=frozenset()):
    """Return one '<path>: found <selector>' line per selector found in each file under base."""
    found = []
    for root, dirs, filenames in os.walk(base):
        # Prune excluded directories in place so os.walk does not descend into them.
        dirs[:] = [d for d in dirs if d not in exclude_dirs]
        for filename in filenames:
            filepath = Path(root) / filename
            try:
                content = filepath.read_text(errors="ignore")
            except OSError:
                continue  # unreadable file (permissions, broken symlink)
            for ind in selectors:
                if ind in content:
                    found.append(f"{filepath}: found '{ind}'")
    return found


# Walk local directory. The output directory is excluded so indicators.txt
# does not match every selector on its own.
print(f"[+] Scanning directory: {ROOT} for selectors...")
matches = scan(ROOT, {"node_modules", "vendor", "dist", ".git", OUT.name})
if matches:
    (OUT / "repository-indicator-matches.txt").write_text("\n".join(matches) + "\n")
    print(f"[!] Found {len(matches)} matches in codebase!")

# Optional Log Scanning
if LOG_ROOT and os.path.exists(LOG_ROOT):
    print(f"[+] Scanning telemetry log directory: {LOG_ROOT}...")
    log_matches = scan(LOG_ROOT, {OUT.name})
    if log_matches:
        (OUT / "exported-telemetry-indicator-matches.txt").write_text("\n".join(log_matches) + "\n")
        print(f"[!] Found {len(log_matches)} matches in logs!")

if PACKAGES:
    # Directory reserved for package registry data; this script writes nothing into it.
    registry_dir = OUT / "registry"
    registry_dir.mkdir(exist_ok=True)

print(f"[+] Wrote scope artifacts under {OUT}")
```
Sources
- CISA: KEV Catalog - Role: PRIMARY_RESEARCH - Impact: Active exploitation confirmation.
- Oracle: July 2024 CPU Advisory - Role: DIRECT_SOURCE - Impact: Official vulnerability disclosure and patch.
- NIST NVD: CVE-2024-21182 - Role: ENRICHMENT_DATA - Impact: Severity and categorization mapping.