Oracle WebLogic Server
Oracle WebLogic Server is an enterprise Java EE application server widely deployed in financial, government and large enterprise environments, exposing T3 and IIOP remote-invocation protocols on ports 7001 and 7002.
Last refreshed: 7 June 2026 · Appears in 1 active topic
How did a 17-month-old Oracle WebLogic patch become an active ransomware entry point in 2026?
Timeline for Oracle WebLogic Server
Exploited via T3 and IIOP protocols on ports 7001 and 7002 to deliver ransomware payloads
Cybersecurity: Threats and Defences: WebLogic flaw revived as ransomware vector- What is Oracle WebLogic Server used for?
- Oracle WebLogic Server is enterprise middleware that runs Java-based business applications across financial services, government, insurance and healthcare. It manages transaction processing, messaging, and connectivity between distributed application components, and is embedded in many large corporate and public-sector IT estates.Source: Oracle documentation
- What is CVE-2024-21182 in Oracle WebLogic?
- CVE-2024-21182 is a CVSS 7.5 vulnerability in Oracle WebLogic Server that allows an unauthenticated attacker to compromise the server through its T3 and IIOP remote-invocation protocols on ports 7001 and 7002. Oracle patched it in January 2024, but attackers began exploiting it in mid-2026, delivering ransomware and Cobalt Strike beacons to unpatched instances.Source: CISA / The Hacker News
- Why was the Oracle WebLogic CVE-2024-21182 not patched for 17 months?
- A CVSS 7.5 severity rating kept CVE-2024-21182 below the threshold most enterprise patch-management programmes use to trigger emergency remediation. It entered routine quarterly patch queues rather than emergency workflows, and patching WebLogic requires scheduled application downtime that organisations resist outside maintenance windows. The 17-month gap between Oracle's January 2024 fix and CISA's June 2026 mandate reflects this structural delay.Source: CISA / Rapid7
- How can I tell if my WebLogic server is vulnerable to CVE-2024-21182?
- Check whether you have applied Oracle's January 2024 Critical Patch Update and that ports 7001 and 7002 are not accessible from untrusted networks. Oracle WebLogic versions 12.2.1.4.0 and 14.1.1.0.0 were the primary affected versions. CISA's 22 June 2026 federal deadline applied to all US government agencies running WebLogic.Source: CISA KEV / Oracle CPU
- What ransomware was deployed via the Oracle WebLogic exploit in 2026?
- Attackers exploiting CVE-2024-21182 in mid-2026 delivered Sodinokibi (also known as REvil) ransomware, Cobalt Strike beacons for persistent access, and Cryptocurrency miners. Honeypots detected these payloads on WebLogic ports 7001 and 7002 from at least mid-May 2026, weeks before CISA's 1 June KEV listing.Source: The Hacker News / CISA
Background
Oracle WebLogic Server is Oracle's flagship enterprise Java application server, used to run Java EE business applications across financial services, insurance, government and healthcare. It exposes T3 and IIOP protocols — Java Remote Method Invocation channels — to allow application components to communicate across a network, a design that makes it powerful for distributed enterprise systems but creates an exploitable remote-access surface on ports 7001 and 7002.
In June 2026, CISA added CVE-2024-21182 (CVSS 7.5) to its Known Exploited Vulnerabilities catalogue, a flaw patched in Oracle's January 2024 Critical Patch Update that allows unauthenticated server compromise via T3 and IIOP. Honeypots had recorded active scans and payloads on ports 7001 and 7002 since mid-May 2026, delivering Cobalt Strike beacons, Cryptocurrency miners and Sodinokibi (REvil) ransomware. CISA set a 22 June federal deadline — a 21-day window rather than the three days given to Android and Linux entries in the same batch, reflecting that patching middleware requires scheduled downtime across enterprise application estates.
The CVE-2024-21182 incident continues a documented exploitation chain through WebLogic's T3/IIOP surface. Prior entries include CVE-2020-14882, CVE-2021-2109, and CVE-2023-21839, each weaponised via the same port-7001 pathway. The structural issue is that WebLogic's CVSS 7.5 rating sits below the threshold most enterprise patch-prioritisation frameworks use to trigger emergency patching, meaning it enters quarterly queues and is deprioritised against higher-CVSS items — leaving a 17-month gap between Oracle's fix and the CISA mandate.