Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
14JUL

WebLogic flaw revived as ransomware vector

4 min read
08:46UTC

CISA listed Oracle WebLogic CVE-2024-21182 on 1 June with a 22 June deadline. Honeypots have caught T3/IIOP exploitation since mid-May delivering Cobalt Strike, miners and Sodinokibi ransomware, despite Oracle patching the bug in January 2024.

TechnologyDeveloping
Key takeaway

A 2024 WebLogic patch nobody confirmed is now delivering Sodinokibi ransomware, with a 22 June federal deadline to remediate.

Oracle WebLogic Server CVE-2024-21182 entered CISA's Known Exploited Vulnerabilities (KEV) catalogue on 1 June 2026, carrying a CVSS 7.5 rating and a 22 June federal deadline 1. WebLogic is the enterprise Java application server embedded across financial, government and large-corporate estates, and the flaw lets an unauthenticated attacker compromise it through its T3 and IIOP protocols, the Java remote-invocation channels WebLogic exposes for application-tier traffic.

Oracle patched the bug in its January 2024 Critical Patch Update, yet honeypots have recorded scans and payloads on ports 7001 and 7002 since mid-May, delivering Cobalt Strike beacons, cryptocurrency miners and Sodinokibi (also known as REvil) ransomware 2. The 17-month gap between fix and weaponisation is the point: criminal crews reach for the patched estate nobody re-checked, not the freshly disclosed bug.

CISA gave WebLogic 21 days where the Linux and Android entries in the same batch got three, because patching middleware risks application downtime that agencies must schedule rather than rush. The KEV programme has run far tighter on perimeter gear: in May the PAN-OS cutoff landed four days before Oracle's rival Palo Alto shipped its own patch , setting a compliance obligation no remediation could meet. That a patched server now carries ransomware also echoes the FIRESTARTER finding, where a Cisco implant survived every update ; in both cases the assumption that a fix ends the exposure is the weak point. WebLogic's deadline at least leaves room to act, but only if the asset inventory reaches the application tier rather than stopping at the edge.

Deep Analysis

In plain English

Oracle WebLogic Server is enterprise middleware software that large companies and government agencies use to run their Java-based business applications. It has a remote-access feature called T3 and IIOP that allows different parts of an application to communicate, but attackers can exploit it to break in without a password. Oracle fixed this particular flaw in January 2024, but many organisations had not yet applied the fix by the time CISA added it to its urgent-action list on 1 June 2026. Honeypot sensors detected attackers scanning for vulnerable servers as early as mid-May, delivering Cobalt Strike (a hacking tool used to maintain access) and Sodinokibi ransomware, which encrypts victims' files and demands payment to restore them.

Deep Analysis
Root Causes

Oracle's quarterly Critical Patch Update cadence, releasing on the third Tuesday of January, April, July and October, creates a predictable 90-day minimum exposure window for any vulnerability discovered between releases. CVE-2024-21182's CVSS 7.5 score placed it below the threshold most enterprise vulnerability-management programmes use to trigger emergency out-of-band patching, meaning it entered the routine quarterly queue and was deprioritised against higher-CVSS items.

WebLogic's T3 and IIOP protocols serve legitimate Java Remote Method Invocation (RMI) traffic in enterprise middleware topologies, making blanket disablement operationally disruptive for large Java EE application estates in financial services and government. That dependency prevents the simple network-layer mitigation that would otherwise neutralise the exposure without a patch.

What could happen next?
  • Risk

    Unpatched WebLogic instances with ports 7001 or 7002 accessible from untrusted networks face near-certain exploitation given honeypot confirmation and Sodinokibi affiliate activity targeting this vector.

    Immediate · Assessed
  • Consequence

    The 17-month patch lag on a CVSS 7.5 flaw in critical-infrastructure middleware points to a systematic failure of EPSS-informed prioritisation; organisations should re-evaluate patch-triage thresholds for Java deserialization classes regardless of CVSS score.

    Short term · Assessed
  • Precedent

    CISA's KEV listing of a 17-month-old flaw with active Sodinokibi deployment signals willingness to list enterprise middleware CVEs regardless of age when honeypot confirmation emerges, potentially shortening the effective patch-mandate window for future Oracle CPU items.

    Medium term · Suggested
First Reported In

Update #6 · The 2024 patch that is breaking now

CISA· 7 Jun 2026
Read original
Causes and effects
This Event
WebLogic flaw revived as ransomware vector
A server-compromise flaw Oracle fixed two years ago is now an active ransomware entry point, with a 21-day federal deadline reflecting how much harder middleware is to patch than an edge appliance.
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.