[CDP-development] UPDATED: TLP: GREEN (Vulnerability Alert Notification) - CVE-2024-21182 - Oracle WebLogic Server Vulnerability
ESO_SOC * DAS
ESO.SOC at das.oregon.gov
Mon Jun 1 12:01:57 PDT 2026
This is a critical update to our initial vulnerability alert sent on December 31, 2024. You will find the updates to the original email in red text below.
Good morning,
The State of Oregon SOC Services team is reporting on the vulnerability CVE-2024-21182: Oracle WebLogic Server Vulnerability. Due to its high visibility and our knowledge of the software installed in the state environment, we are providing this in-depth information:
History: On December 28, 2024, a proof-of-concept exploit was published for a vulnerability (CVE-2024-21182) in Oracle's WebLogic Server allowing for arbitrary code execution. The vulnerability is currently assigned a CVSS score of 7.5 (High). As of June 2026, multiple proof-of-concept exploits remain publicly available, and the vulnerability is widely recognized by security vendors as an active target for unauthorized access.
Affected Versions:
* Oracle WebLogic Server (Core) 12.2.1.4.0
* Oracle WebLogic Server (Core) 14.1.1.0.0
This CVE was addressed in Oracle's July 2024 Critical Patch Update advisory, which can be found here: https://www.oracle.com/security-alerts/cpujul2024.html
Intelligence: A proof-of-concept exploit is available on github.com; however, there is no evidence of exploitation at the moment. As of June 1, 2026, this vulnerability has been officially added to the CISA Known Exploited Vulnerabilities (KEV) catalog, confirming that it is being actively exploited in the wild.
Exploitability: Network
Complexity: Low
User Interaction: Not Required
Remotely Exploitable: Yes
Proof of Concept: Publicly Available
Zero Day: No
Workarounds: There are no workarounds for this vulnerability. Strict network-level access control (firewalling T3/IIOP protocols) is now considered a mandatory interim security measure while patching is underway.
How it works: This easily exploitable vulnerability allows an unauthenticated attacker with network access via T3 or IIOP to compromise Oracle WebLogic Server. The attack vector is network-based, requires low complexity, and needs no privileges or user interaction to exploit.
Post-Exploit: Upon successful exploitation of the vulnerability, an unauthenticated attacker could execute arbitrary code, which could allow access to sensitive data or potentially full access to all data accessible through the compromised server.
Indicators of Compromise (IoCs): Because this vulnerability targets core communication protocols (T3 and IIOP) rather than leaving specific "static" indicators such as a single malicious file hash, the IoCs for this vulnerability are primarily behavioral and network-based.
Security teams should focus on identifying anomalous traffic patterns (T3/IIOP connections to WebLogic listen ports from sources that have no business reason to use those protocols) and unauthorized execution flows originating from the WebLogic process (for example, a shell or interpreter spawned as a child of the WebLogic JVM).
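The following is an added example, not part of the SOC alert, showing how the two behavioral IoC classes above can be checked over log data. It also serves as a way to verify the T3/IIOP network restriction called for under Workarounds. The log lines are constructed for the example; the listen ports (7001/7002), the firewall log field names, the allowlisted admin network, and the list of "suspicious" child programs are assumptions to be adjusted to the actual deployment.

```python
# Added example (not from the alert): behavioral detection for CVE-2024-21182 exposure.
# Two checks: (1) T3/IIOP connections to WebLogic ports from non-allowlisted sources,
# (2) shells/interpreters spawned by the WebLogic JVM. All values below are assumptions.
import ipaddress
import re

# Assumption: WebLogic listens for T3/IIOP on its default ports; adjust per deployment.
WEBLOGIC_PORTS = {7001, 7002}
# Assumption: only this network (admin jump hosts, cluster peers) may speak T3/IIOP.
ALLOWED_T3_SOURCES = [ipaddress.ip_network("10.10.5.0/24")]
# Protocol labels as the (assumed) firewall/NSM log tags them.
RISKY_APPS = {"t3", "t3s", "iiop", "iiops"}
# Programs a WebLogic JVM has no routine reason to spawn.
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "python", "python3", "perl", "curl", "wget"}

# Assumed connection-log format: "<ts> src=<ip> dst=<ip> dport=<n> proto=<p> app=<label>"
CONN_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=\S+ app=(?P<app>\S+)"
)
# Assumed process-event format: '<ts> parent="<cmdline>" child="<cmdline>"'
PROC_RE = re.compile(r'(?P<ts>\S+) parent="(?P<parent>[^"]*)" child="(?P<child>[^"]*)"')


def parse_conn(line):
    """Parse one connection-log line; return a dict or None if it does not match."""
    m = CONN_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_allowed_source(ip):
    """True if the source address sits inside an allowlisted T3/IIOP network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_T3_SOURCES)


def find_unexpected_t3_iiop(lines):
    """Flag T3/IIOP connections to WebLogic ports from sources outside the allowlist."""
    hits = []
    for line in lines:
        rec = parse_conn(line)
        if rec is None:
            continue
        if (rec["dport"] in WEBLOGIC_PORTS
                and rec["app"] in RISKY_APPS
                and not is_allowed_source(rec["src"])):
            hits.append(rec)
    return hits


def find_suspicious_children(events):
    """Flag child processes of the WebLogic JVM whose executable is a shell/interpreter."""
    hits = []
    for line in events:
        m = PROC_RE.match(line)
        if not m:
            continue
        parent, child = m.group("parent"), m.group("child")
        if "weblogic.Server" not in parent:
            continue
        # Basename of the child's executable, e.g. "/bin/sh -c id" -> "sh"
        exe = child.split()[0].rsplit("/", 1)[-1]
        if exe in SUSPICIOUS_CHILDREN:
            hits.append(m.groupdict())
    return hits


# Constructed sample data (not real traffic); 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges used here as stand-ins for untrusted sources.
SAMPLE_CONNS = [
    "2026-06-01T12:00:01Z src=10.10.5.21 dst=10.0.0.8 dport=7001 proto=tcp app=t3",
    "2026-06-01T12:00:05Z src=203.0.113.44 dst=10.0.0.8 dport=7001 proto=tcp app=t3",
    "2026-06-01T12:00:09Z src=203.0.113.44 dst=10.0.0.8 dport=7001 proto=tcp app=iiop",
    "2026-06-01T12:00:15Z src=198.51.100.7 dst=10.0.0.8 dport=7001 proto=tcp app=http",
    "2026-06-01T12:00:20Z src=10.10.5.21 dst=10.0.0.8 dport=443 proto=tcp app=https",
]
SAMPLE_PROCS = [
    '2026-06-01T12:00:10Z parent="/usr/bin/java -Dweblogic.Name=AdminServer weblogic.Server" child="/bin/sh -c id"',
    '2026-06-01T12:00:12Z parent="/usr/sbin/cron" child="/bin/sh -c /etc/cron.hourly/logrotate"',
    '2026-06-01T12:00:14Z parent="/usr/bin/java -Dweblogic.Name=AdminServer weblogic.Server" child="/usr/bin/java -version"',
]

if __name__ == "__main__":
    for h in find_unexpected_t3_iiop(SAMPLE_CONNS):
        print(f"[net] {h['ts']} {h['src']} -> {h['dst']}:{h['dport']} ({h['app']}) not allowlisted")
    for h in find_suspicious_children(SAMPLE_PROCS):
        print(f"[proc] {h['ts']} WebLogic JVM spawned: {h['child']}")
```

The network check deliberately ignores HTTP to port 7001: the alert's concern is the T3/IIOP listeners, and an ordinary console login from an unexpected address is a different (lower-severity) finding. An empty result from the first check is also the evidence that the interim firewalling of T3/IIOP is actually in effect.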
As of December 31, 2024, the following vulnerability plugin has been released and is currently in Tenable Security Center:
Plugin                                                    Title                                     Severity   Platform
202722 <https://www.tenable.com/plugins/nessus/202722>    Oracle WebLogic Server (July 2024 CPU)    Critical   Nessus
Recommended Actions:
Date Added to KEV Catalog: June 1, 2026
Due Date for Remediation: June 4, 2026
* Immediately prioritize remediation in accordance with the CISA KEV mandate.
* Verify that the host has not been compromised before applying patches.
* Apply the latest updates provided by the vendor to vulnerable systems immediately after appropriate testing.
* Restrict network access to limit exposure of the T3 and IIOP protocols.
* Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
* Apply the Principle of Least Privilege to all systems and services.
EIS Security Operations Center
Enterprise Information Services
Cyber Security Services | CSS
SOC Hotline: (503) 378-5930
SOC at EIS.OREGON.GOV