CISA flags two-year-old Oracle flaw as actively exploited in attacks

CISA FLAGS TWO-YEAR-OLD ORACLE FLAW AS ACTIVELY EXPLOITED IN ATTACKS

IntroductionThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) has moved to tighten defenses around Oracle WebLogic Server after confirming that a high-severity vulnerability, patched more than two years ago, is now being actively exploited in attacks. The vulnerability, tracked as CVE-2024-21182, poses a significant risk to organizations relying on WebLogic as middleware for large, multi-tier applications. The agency has directed government agencies to address the flaw and has urged broader network defenses to do the same in light of ongoing exploitation.

Vulnerability Snapshot

ID and impact: CVE-2024-21182 is a remote, unauthenticated vulnerability that can be triggered by threat actors with no privileges, enabling attackers to access data or take control of affected systems.
Affected products and versions: Oracle WebLogic Server versions 12.2.1.4.0 and 14.1.1.0.0 are susceptible.
Exploitation characteristics: Attacks can be carried out over standard network protocols, with initial access achievable through existing server interfaces, making exploitation relatively straightforward for malicious actors.
Consequences: Successful exploitation can lead to unauthorized access to sensitive data or full compromise of all data accessible by the WebLogic Server.

Affected Versions and Exposure

Oracle WebLogic Server is widely deployed as middleware for enterprise-grade applications. The vulnerability’s impact is heightened by the fact that patches were released in July 2024, but many instances remained exposed or unpatched in the following years.
Internet exposure: The online threat landscape shows a sizable footprint of potentially vulnerable systems:
Approximately 1,592 Oracle WebLogic Server instances were observed as exposed online and potentially vulnerable to CVE-2024-21182 exploits.
Of these, about 961 instances were running version 12.2.1.4.0 and 631 instances were running version 14.1.1.0.0.
Visual context: The exposure picture illustrates multiple instances reachable over the internet, underscoring the risk of remote exploitation for unpatched servers.

Regulatory Response and Deadlines

Known exploited vulnerability catalog: On June 1, 2026, CISA added CVE-2024-21182 to its Known Exploited Vulnerabilities Catalog, signaling its active use in real-world attacks.
Federal directive and timing: Under Binding Operational Directive (BOD) 22-01, federal agencies were ordered to patch affected WebLogic servers by midnight on June 4, 2026.
Private sector guidance: While BOD 22-01 targets government networks, CISA emphasized that defenders in the private sector should patch as soon as feasible given the ongoing exploitation.

Context Within a Wider Vulnerability Landscape

Related Oracle advisories: In October of the prior year, CISA directed patches for an unauthenticated server-side request forgery (SSRF) vulnerability in Oracle E-Business Suite (CVE-2025-61884) after flagging it as actively exploited.
Recent Oracle updates: In March, Oracle released an out-of-band security update to address a critical unauthenticated remote code execution vulnerability (CVE-2026-21992) in Identity Manager and Web Services Manager. Oracle did not share specific exploitation status when queried.
Long-term trend: Over several years, CISA has flagged dozens of Oracle vulnerabilities as exploited in the wild, with a subset linked to ransomware operations. The ongoing pattern highlights the persistent risk posed by exploited flaws even after patches have been issued.

Practical Takeaways from the Current Advisory

Patch urgency: The convergence of active exploitation, broad exposure, and the federal mandate underscores the need for timely remediation of vulnerable WebLogic deployments.
Risk surface awareness: The fact that a two-year-old flaw remains a viable attack vector demonstrates how quickly threat actors can opportunistically leverage known weaknesses whenever systems are left unpatched.
Monitoring and defense alignment: Organizations should align monitoring and incident response to detect indicators of CVE-2024-21182 exploitation and validate that exposed WebLogic instances are isolated or properly secured.

Summary Context

The vulnerability’s ease of exploitation and the scale of exposure have elevated its status from a stationary risk to an active threat in the wild.
The combination of federal action and broad guidance serves as a reminder that even well-established enterprise platforms require ongoing vigilance, especially when patches exist but are not universally applied.

ConclusionCISA’s actions reflect a broader prioritization of actively exploited vulnerabilities in critical infrastructure software. CVE-2024-21182 in Oracle WebLogic Server serves as a case study in how patches, exposure, and governance intersect to shape defensive priorities. As threat actors continue to capitalize on known weaknesses, organizations—federal and private alike—are reminded to incorporate timely vulnerability management as a core element of their cybersecurity posture.

CISA FLAGS TWO-YEAR-OLD ORACLE FLAW AS ACTIVELY EXPLOITED IN ATTACKS

Vulnerability Snapshot

ID and impact: CVE-2024-21182 is a remote, unauthenticated vulnerability that can be triggered by threat actors with no privileges, enabling attackers to access data or take control of affected systems.
Affected products and versions: Oracle WebLogic Server versions 12.2.1.4.0 and 14.1.1.0.0 are susceptible.
Exploitation characteristics: Attacks can be carried out over standard network protocols, with initial access achievable through existing server interfaces, making exploitation relatively straightforward for malicious actors.
Consequences: Successful exploitation can lead to unauthorized access to sensitive data or full compromise of all data accessible by the WebLogic Server.

Affected Versions and Exposure

Oracle WebLogic Server is widely deployed as middleware for enterprise-grade applications. The vulnerability’s impact is heightened by the fact that patches were released in July 2024, but many instances remained exposed or unpatched in the following years.
Internet exposure: The online threat landscape shows a sizable footprint of potentially vulnerable systems:
Approximately 1,592 Oracle WebLogic Server instances were observed as exposed online and potentially vulnerable to CVE-2024-21182 exploits.
Of these, about 961 instances were running version 12.2.1.4.0 and 631 instances were running version 14.1.1.0.0.
Visual context: The exposure picture illustrates multiple instances reachable over the internet, underscoring the risk of remote exploitation for unpatched servers.

Regulatory Response and Deadlines

Known exploited vulnerability catalog: On June 1, 2026, CISA added CVE-2024-21182 to its Known Exploited Vulnerabilities Catalog, signaling its active use in real-world attacks.
Federal directive and timing: Under Binding Operational Directive (BOD) 22-01, federal agencies were ordered to patch affected WebLogic servers by midnight on June 4, 2026.
Private sector guidance: While BOD 22-01 targets government networks, CISA emphasized that defenders in the private sector should patch as soon as feasible given the ongoing exploitation.

Context Within a Wider Vulnerability Landscape

Related Oracle advisories: In October of the prior year, CISA directed patches for an unauthenticated server-side request forgery (SSRF) vulnerability in Oracle E-Business Suite (CVE-2025-61884) after flagging it as actively exploited.
Recent Oracle updates: In March, Oracle released an out-of-band security update to address a critical unauthenticated remote code execution vulnerability (CVE-2026-21992) in Identity Manager and Web Services Manager. Oracle did not share specific exploitation status when queried.
Long-term trend: Over several years, CISA has flagged dozens of Oracle vulnerabilities as exploited in the wild, with a subset linked to ransomware operations. The ongoing pattern highlights the persistent risk posed by exploited flaws even after patches have been issued.

Practical Takeaways from the Current Advisory

Patch urgency: The convergence of active exploitation, broad exposure, and the federal mandate underscores the need for timely remediation of vulnerable WebLogic deployments.
Risk surface awareness: The fact that a two-year-old flaw remains a viable attack vector demonstrates how quickly threat actors can opportunistically leverage known weaknesses whenever systems are left unpatched.
Monitoring and defense alignment: Organizations should align monitoring and incident response to detect indicators of CVE-2024-21182 exploitation and validate that exposed WebLogic instances are isolated or properly secured.

Summary Context

The vulnerability’s ease of exploitation and the scale of exposure have elevated its status from a stationary risk to an active threat in the wild.
The combination of federal action and broad guidance serves as a reminder that even well-established enterprise platforms require ongoing vigilance, especially when patches exist but are not universally applied.

CISA flags two-year-old Oracle flaw as actively exploited in attacks

More from the Blog

Google fixes one actively exploited Android zero-day, 124 flaws

Hackers hijack thousands of sites for ClickFix and FakeUpdate attacks

WordPress malware campaign hides payloads in Steam profiles

Stay Updated

CISA flags two-year-old Oracle flaw as actively exploited in attacks

More from the Blog

Google fixes one actively exploited Android zero-day, 124 flaws

Hackers hijack thousands of sites for ClickFix and FakeUpdate attacks

WordPress malware campaign hides payloads in Steam profiles

Stay Updated