Oracle WebLogic Server CVE-2024-21182: KEV Authentication Bypass

Suspected
Discovered Jun 1, 2026

CISA added Oracle WebLogic Server CVE-2024-21182 to its KEV catalog on 2026-06-01 due to active exploitation. This high-severity authentication bypass vulnerability allows unauthenticated attackers with network access via T3 or IIOP protocols to compromise the server and gain unauthorized access to critical data.

0
Affected Packages
0
Observables
3
Sources

Defender Action Panel

Triage this incident quickly

Check whether your environment installed affected software, copy the top IOCs, run the tested hunting script when available, then review remediation guidance.

Am I affected?
Review affected software below
Immediate action
Audit locks, CI runners, developer workstations, and credential exposure.
Hunting
Has hunting script

Analysis

Executive Summary

CISA added CVE-2024-21182 to the Known Exploited Vulnerabilities catalog on 2026-06-01, marking it as actively exploited CISA KEV opens in a new tab. The affected product is Oracle WebLogic Server, a unified platform for developing, deploying, and running enterprise applications. The vulnerability is a high-severity authentication bypass flaw (CWE-287) that allows unauthenticated network attackers to compromise WebLogic Server over the proprietary T3 or IIOP protocols.

A successful attack can lead to unauthorized access to critical data, credential theft, or complete takeover of the vulnerable WebLogic instances. The vulnerability affects supported versions 12.2.1.4.0 and 14.1.1.0.0. Oracle addressed the issue in the July 2024 Critical Patch Update (CPU) Oracle July 2024 CPU opens in a new tab. Organizations exposing WebLogic T3/IIOP ports to the internet without applying the necessary CPU patches are at critical risk.

Key Facts

Cve: CVE-2024-21182

Vendor: Oracle

Product: WebLogic Server

Vulnerability: Authentication bypass via T3 or IIOP protocols

Cwe: CWE-287

Disclosed Date: 2024-07-16

Kev Added: 2026-06-01

Affected Packages:

  • oracle-weblogic-server

Affected Versions: 12.2.1.4.0, 14.1.1.0.0

Fixed Version: July 2024 CPU patches

High Value Evidence:

  • T3/IIOP access logs
  • Oracle July 2024 CPU advisory

Impact Determination

Analysis table
ClassificationCriteriaRequired evidenceHandling decision
Confirmed compromiseSystem logs or network telemetry show successful unauthenticated T3/IIOP sessions originating from untrusted public IPs, followed by unauthorized command execution, file deployments, or modifications to WebLogic configuration.Network capture files showing T3/IIOP traffic payloads, WebLogic server access/audit logs, or unrecognized deployments in the WebLogic console.Isolate the server immediately, terminate all active T3/IIOP sessions, rotate all application and database credentials stored in WebLogic, and perform full system forensics.
Presumed exposedWebLogic Server is running version 12.2.1.4.0 or 14.1.1.0.0, the T3/IIOP protocols are enabled, and July 2024 CPU patches have not been applied.WebLogic server version details and patch level inventory.Apply Oracle July 2024 CPU patches immediately; block external T3/IIOP traffic at network boundaries.
Potentially exposedWebLogic Server is present in the network asset inventory but the exact patch level or T3/IIOP configuration status is unverified.Network scan results or software inventory logs.Run configuration audits to check T3/IIOP exposure and verify patch compliance.
Not exposedWebLogic Server is verified to have July 2024 CPU (or later) patches applied, or the server does not expose T3/IIOP protocols to untrusted networks.Confirmed patch installation logs or network ACL configurations.No immediate action required.
UnknownDevice configuration, software versions, or patch logs are missing.Telemetry gaps in WebLogic server logging or asset inventory.Assume exposure and update WebLogic packages immediately.

Timeline

  • 2024-07-16: Oracle discloses CVE-2024-21182 in the July 2024 Critical Patch Update.
  • 2026-06-01: CISA adds CVE-2024-21182 to the Known Exploited Vulnerabilities catalog.
  • 2026-06-10: This threat post analysis is published.

Technical Analysis

Oracle WebLogic Server supports proprietary protocols like T3 and IIOP for remote administration and client communication. CVE-2024-21182 represents a serialization validation flaw (CWE-287) in the handling of these protocols. An attacker can craft a malicious serialization stream and send it via T3 or IIOP, bypassing authentication mechanisms. [1]

Because the WebLogic server deserializes the incoming connection request before properly authenticating the client, the attacker can hijack remote classes or perform JNDI injection. This allows them to execute arbitrary administrative actions or run remote code on the host server. [1]

Affected Assets and Blast Radius

Asset Selectors:

  • oracle-weblogic-server

Highest Value Assets:

  • Internet-exposed WebLogic servers terminating external T3 or IIOP sessions

Credentials And Data At Risk:

  • Database credentials and application secrets stored in WebLogic datasources
  • Server administrative access and domain credentials

Indicators of Compromise

The following indicators of compromise (IOCs) can be used to scope exposure across local repositories, systems, and telemetry exports:

Timeline

4 of 4 rows

Timeline
DateEventDescriptionSource
Jun 1, 2026First seenFirst seen recorded for Oracle WebLogic Server CVE-2024-21182: KEV Authentication Bypass.nvd.nist.gov
Jun 1, 2026DiscoveryDiscovery recorded for Oracle WebLogic Server CVE-2024-21182: KEV Authentication Bypass.nvd.nist.gov
Jun 1, 2026DisclosureDisclosure recorded for Oracle WebLogic Server CVE-2024-21182: KEV Authentication Bypass.nvd.nist.gov
Jun 1, 2026Oracle WebLogic Server CVE-2024-21182: KEV Authentication BypassUnknownnvd.nist.gov

Affected Software

0 of 0 rows

Affected Software
PackageEcosystemVersion RangeStatusConfidenceSource
No rows match the active filters.

Tested Hunting Scripts

1 of 1 rows

Tested Hunting Scripts
TitleLanguageDescriptionRepositorySource
local repository and exported telemetry scopePythonDoes the telemetry scope contain patterns associated with Oracle WebLogic Server CVE-2024-21182: KEV Authentication Bypass?scripts/local_repository_and_exported_telemetry_scope.py opens in a new tabnvd.nist.gov

Hunt Manifest: local repository and exported telemetry scope

Title
local repository and exported telemetry scope
Question
Does the telemetry scope contain patterns associated with Oracle WebLogic Server CVE-2024-21182: KEV Authentication Bypass?
Telemetry Family
Python
Repository
scripts/local_repository_and_exported_telemetry_scope.py
Show tested hunting scriptscripts/local_repository_and_exported_telemetry_scope.py
scripts/local_repository_and_exported_telemetry_scope.py opens in a new tabPython
#!/usr/bin/env python3
import os
import sys
from pathlib import Path

ROOT = sys.argv[1] if len(sys.argv) > 1 else "."
LOG_ROOT = os.environ.get("LOG_ROOT", "")
OUT = Path(os.environ.get("OUT", "hp-oracle-weblogic-cve-2024-21182-kev-scope"))


# Collect unique indicators
indicators = set()
for group in []:
    for val in group:
        if val:
            indicators.add(val)

with open(indicators_file, "w") as f:
    for ind in sorted(indicators):
        f.write(ind + "\n")

print(f"[+] Written unique selectors to {indicators_file}")

# Walk local directory
print(f"[+] Scanning directory: {ROOT} for selectors...")
matches = []
exclude_dirs = {"node_modules", "vendor", "dist", ".git"}
for root, dirs, filenames in os.walk(ROOT):
    dirs[:] = [d for d in dirs if d not in exclude_dirs]
    for filename in filenames:
        filepath = Path(root) / filename
        try:
            content = filepath.read_text(errors="ignore")
            for ind in indicators:
                if ind in content:
                    matches.append(f"{filepath}: found '{ind}'")
        except Exception:
            pass  # pass # return or raise not needed here  # pass # return or raise not needed here  # pass # return or raise not needed here

if matches:
    (OUT / "repository-indicator-matches.txt").write_text("\n".join(matches) + "\n")
    print(f"[!] Found {len(matches)} matches in codebase!")

# Optional Log Scanning
if LOG_ROOT and os.path.exists(LOG_ROOT):
    print(f"[+] Scanning telemetry log directory: {LOG_ROOT}...")
    log_matches = []
    for root, _, filenames in os.walk(LOG_ROOT):
        for filename in filenames:
            filepath = Path(root) / filename
            try:
                content = filepath.read_text(errors="ignore")
                for ind in indicators:
                    if ind in content:
                        log_matches.append(f"{filepath}: found '{ind}'")
            except Exception:
                pass  # pass # return or raise not needed here  # pass # return or raise not needed here  # pass # return or raise not needed here
    if log_matches:
        (OUT / "exported-telemetry-indicator-matches.txt").write_text("\n".join(log_matches) + "\n")
        print(f"[!] Found {len(log_matches)} matches in logs!")

    if PACKAGES:
        registry_dir = OUT / "registry"
        registry_dir.mkdir(exist_ok=True)

print(f"[+] Wrote scope artifacts under {OUT}")

Provenance & Sources

3 of 3 rows

Provenance & Sources
SourceTypeReliabilityClaimsEvidence
nvd.nist.govSecurity Researcher95%1CISA added Oracle WebLogic Server CVE-2024-21182 to its KEV catalog on 2026-06-01 due to active exploitation. This high-severity authentication bypass vulnerability allows unauthenticated attackers with network access via T3 or IIOP protocols to compromise the server and gain unauthorized access to critical data.
oracle.comSecurity Researcher95%1CISA added Oracle WebLogic Server CVE-2024-21182 to its KEV catalog on 2026-06-01 due to active exploitation. This high-severity authentication bypass vulnerability allows unauthenticated attackers with network access via T3 or IIOP protocols to compromise the server and gain unauthorized access to critical data.
cisa.govSecurity Researcher95%1CISA added Oracle WebLogic Server CVE-2024-21182 to its KEV catalog on 2026-06-01 due to active exploitation. This high-severity authentication bypass vulnerability allows unauthenticated attackers with network access via T3 or IIOP protocols to compromise the server and gain unauthorized access to critical data.