CVE-2024-21182

Oracle WebLogic Server flaw (CVSS 7.5) allowing an unauthenticated attacker to compromise the server via the T3 and IIOP protocols.

Last refreshed: 7 June 2026 · Appears in 1 active topic

Key Question

Why did criminals still exploit an Oracle WebLogic flaw patched 17 months earlier?

Timeline for CVE-2024-21182

#61 Jun

WebLogic flaw revived as ransomware vector

Cybersecurity: Threats and Defences
Common Questions
What is CVE-2024-21182 and why is it dangerous?
CVE-2024-21182 is a flaw in Oracle WebLogic Server that lets attackers compromise the server without a password by sending crafted requests through the T3 and IIOP protocols. Despite Oracle patching it in January 2024, attackers weaponised it 17 months later to deliver Cobalt Strike and Sodinokibi ransomware. Source: CISA KEV catalogue, The Hacker News
Is my Oracle WebLogic Server vulnerable to CVE-2024-21182?
If your WebLogic Server has not applied Oracle's January 2024 Critical Patch Update and ports 7001 or 7002 are reachable from untrusted networks, it is vulnerable. CISA confirmed active exploitation in mid-May 2026. Apply the CPU immediately and block T3/IIOP externally via network ACL as a short-term mitigation. Source: CISA BOD 22-01, Oracle CPU advisory
Why did it take 17 months for WebLogic CVE-2024-21182 to be exploited after patching?
The flaw's CVSS 7.5 score placed it below most enterprises' emergency-patch thresholds, so it entered routine quarterly queues competing against higher-scoring items. Ransomware affiliates specifically target the patched estate that organisations have deprioritised rather than chasing newly disclosed zero-days. Source: Rapid7 Vulnerability Research, CISA KEV analysis
What ransomware was delivered through the Oracle WebLogic CVE-2024-21182 exploit?
Honeypot telemetry confirmed that Sodinokibi (also known as REvil) ransomware, Cobalt Strike beacons for persistent access, and cryptocurrency miners were all delivered via T3/IIOP exploitation of unpatched WebLogic instances from mid-May 2026 onwards. Source: The Hacker News, CISA KEV advisory

Background

CVE-2024-21182 is an unauthenticated server-compromise vulnerability in Oracle WebLogic Server, exploitable via the T3 and IIOP Java remote-invocation protocols on ports 7001 and 7002. Oracle patched it in the January 2024 Critical Patch Update, but the flaw's CVSS 7.5 score placed it below most enterprises' emergency-patch thresholds, leaving it in routine quarterly queues. CISA added it to the Known Exploited Vulnerabilities catalogue on 1 June 2026 with a 22 June federal deadline after honeypots recorded active exploitation from mid-May 2026 delivering Cobalt Strike beacons, cryptocurrency miners and Sodinokibi ransomware onto compromised WebLogic hosts.

WebLogic's T3 and IIOP channels serve legitimate Java RMI traffic in enterprise middleware stacks, making blanket disablement operationally disruptive for financial-services and government environments that host Java EE applications on WebLogic. That dependency prevented the simple network-layer mitigation that would otherwise neutralise the exposure without a patch, contributing to a 17-month lag between Oracle's fix and active ransomware deployment. Rapid7 documented CVE-2024-21182 as part of a recurring chain through port 7001, following CVE-2020-14882, CVE-2021-2109, and CVE-2023-21839.
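
An added example, not part of the original page or any vendor tooling: a small Python audit of an ordered, first-match ACL that checks the scoped form of the mitigation discussed above, namely that untrusted sources cannot reach T3/IIOP on ports 7001 and 7002 while the RMI clients that depend on those channels still can. The rule tuple format, the addresses and the names `first_match` and `audit_acl` are assumptions constructed for illustration.

```python
import ipaddress

# Ports this page names for WebLogic T3/IIOP traffic.
T3_IIOP_PORTS = (7001, 7002)

def first_match(rules, src_ip, port):
    """Return the action of the first rule matching (src_ip, port); default deny."""
    addr = ipaddress.ip_address(src_ip)
    for cidr, ports, action in rules:
        if addr in ipaddress.ip_network(cidr) and (ports == "*" or port in ports):
            return action
    return "deny"

def audit_acl(rules, trusted_clients, untrusted_probes):
    """Audit an ordered ACL: untrusted sources must not reach 7001/7002,
    and the RMI clients that rely on T3/IIOP must still be allowed."""
    findings = []
    for port in T3_IIOP_PORTS:
        for ip in untrusted_probes:
            if first_match(rules, ip, port) == "allow":
                findings.append(("EXPOSED", ip, port))
        for ip in trusted_clients:
            if first_match(rules, ip, port) != "allow":
                findings.append(("BROKEN_CLIENT", ip, port))
    return findings

# Constructed sample data (private and documentation ranges, not from the page).
APP_TIER = ["10.20.0.15", "10.20.0.16"]   # hypothetical internal RMI clients
UNTRUSTED = ["203.0.113.50", "198.51.100.7", "10.99.4.4"]  # external + other segment

WEAK_ACL = [
    ("0.0.0.0/0", (443,), "allow"),
    ("0.0.0.0/0", (7001, 7002), "allow"),     # T3/IIOP open to every source
]
SCOPED_ACL = [
    ("10.20.0.0/24", (7001, 7002), "allow"),  # only the app tier may use T3/IIOP
    ("0.0.0.0/0", (7001, 7002), "deny"),
    ("0.0.0.0/0", (443,), "allow"),
]

if __name__ == "__main__":
    for name, acl in (("weak", WEAK_ACL), ("scoped", SCOPED_ACL)):
        print(name, audit_acl(acl, APP_TIER, UNTRUSTED))
```

A `BROKEN_CLIENT` finding marks the operational cost the paragraph above describes: a blanket deny closes the exposure but also cuts off legitimate RMI callers.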

The 17-month dwell between patch and weaponisation illustrates the structural pattern the June 2026 KEV batch exposed: the attack surface under pressure is the legacy estate rather than the zero-day frontier. Sodinokibi (REvil) affiliates reached for a confirmed-patched Oracle flaw because enterprise middleware patching follows a slower cadence than web-tier software. The CISA 22 June deadline, longer than the three days given to the Linux cgroups entry in the same batch, encodes the triage logic: middleware dependencies in regulated sectors earn scheduling grace at the cost of a wider exposure window.
