CISA Flags 2-Year-Old Oracle WebLogic Vulnerability as Actively Exploited

Image: Boliviainteligente/Unsplash

CISA added Oracle WebLogic flaw CVE-2024-21182 to its KEV catalog, giving federal agencies until June 4 to patch exposed servers.

Jun 3, 2026

A patch that should have retired an Oracle WebLogic vulnerability two years ago is now the reason CISA is sounding an emergency alarm.

After confirming active exploitation of a previously patched vulnerability, CVE-2024-21182, the Cybersecurity and Infrastructure Security Agency (CISA) has added it to its Known Exploited Vulnerabilities (KEV) catalog.

By making this designation, CISA has signaled that the vulnerability has moved from a potential risk to an active threat requiring immediate attention.

According to Oracle, the vulnerability affects Oracle WebLogic servers running on two specific versions and allows any unauthenticated attacker to gain remote access through exposed T3 and IIOP protocols. Upon successfully exploiting this vulnerability, attackers can gain full access to all data accessible through the server.

Although Oracle issued a patch for it in July 2024, several systems remain unpatched, creating an entry point for the recently observed exploitation of this flaw.

CISA’s KEV listing places it among high-priority threats with urgent remediation requirements for all federal agencies, and serves as a broader call for the private sector to patch vulnerable servers that are still running the affected versions.

Unpacking the WebLogic Server vulnerability

Oracle WebLogic Server is an enterprise-grade Java application server used to deploy and handle demanding applications for large-scale business or government systems. In practice, it sits at the core of many applications, handling requests, processing logic, and connecting to critical databases.

CVE-2024-21182 reportedly affects WebLogic versions 12.2.1.4.0 and 14.1.1.0.0, and allows unauthenticated, low-privilege threat actors to gain remote access through exposed T3 and IIOP protocols. These two protocols are used by the server for Remote Method Invocation (RMI), a mechanism that lets Java programs invoke methods on objects hosted by other endpoints over the network.

Because these protocol listeners are often internet-facing and always reachable, threat actors can exploit the flaw to gain a direct foothold in the environments connected to the server. Access to internal data could further open the door to follow-on attacks, underscoring how severe this vulnerability can be.

Even with a high CVSS base score of 7.5 and Oracle’s July 2024 fix, CISA’s latest alert shows that two years after the fix’s release, many organizations have yet to apply it. That delay has left the vulnerability exposed well beyond its intended lifecycle.

According to Shodan, over 1,592 Oracle WebLogic servers remain vulnerable to exploitation of this flaw: 961 of them still run on version 12.2.1.4.0, while 631 are on version 14.1.1.0.0.

What organizations using exposed WebLogic servers should do now

CVE-2024-21182 is already confirmed to be exploited in the wild. That carries weight because leaving it unpatched is an open invitation to threat actors actively seeking vulnerable systems.

In its alert, CISA warns that the flaw “poses significant risks to all federal agencies using the vulnerable servers.” It has also urged “all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice.”

Federal agencies have until June 4 to patch their WebLogic servers using guidelines provided by Oracle, under the mandate of the Binding Operational Directive 22-01.

The short deadline indicates how seriously CISA is taking this vulnerability.
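As an added illustration (not tooling from the article, CISA, or Oracle), the helper below shows how a defender might triage a WebLogic inventory against the details the article gives: the two affected versions, the T3 and IIOP exposure, and the BOD 22-01 deadline. The inventory, host names, and the deadline year (taken from the byline) are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

# Versions the article cites as affected by CVE-2024-21182.
AFFECTED_VERSIONS = {"12.2.1.4.0", "14.1.1.0.0"}
# Protocols through which the flaw is reachable, per the article.
RISKY_PROTOCOLS = {"t3", "iiop"}
# BOD 22-01 deadline from the article; the year is assumed from the byline.
KEV_DEADLINE = date(2026, 6, 4)
PRIORITY_ORDER = {"critical": 0, "high": 1, "low": 2, "none": 3}


@dataclass
class WebLogicHost:
    name: str
    version: str
    patched: bool                                  # July 2024 fix applied?
    exposed_protocols: set = field(default_factory=set)  # reachable from outside


def triage(host: WebLogicHost, today: date) -> dict:
    """Classify one host for CVE-2024-21182 remediation urgency."""
    vulnerable = host.version in AFFECTED_VERSIONS and not host.patched
    exposed = {p.lower() for p in host.exposed_protocols} & RISKY_PROTOCOLS
    if vulnerable and exposed:
        priority = "critical"   # unpatched and reachable over T3/IIOP
    elif vulnerable:
        priority = "high"       # unpatched, but risky protocols not exposed
    elif host.version in AFFECTED_VERSIONS:
        priority = "low"        # affected line but patched; verify patch level
    else:
        priority = "none"
    return {"host": host.name, "priority": priority,
            "exposed_protocols": sorted(exposed),
            "days_to_deadline": (KEV_DEADLINE - today).days}


def triage_inventory(hosts, today: date) -> list:
    """Return triage rows ordered most urgent first (stable sort keeps input order within a tier)."""
    return sorted((triage(h, today) for h in hosts),
                  key=lambda r: PRIORITY_ORDER[r["priority"]])


# Constructed sample inventory; "99.9.9.9.9" is a placeholder for an unlisted version.
SAMPLE_INVENTORY = [
    WebLogicHost("wls-prod-01", "12.2.1.4.0", patched=False, exposed_protocols={"T3", "https"}),
    WebLogicHost("wls-prod-02", "14.1.1.0.0", patched=True, exposed_protocols={"iiop"}),
    WebLogicHost("wls-dev-01", "14.1.1.0.0", patched=False, exposed_protocols={"https"}),
    WebLogicHost("wls-ph-01", "99.9.9.9.9", patched=False, exposed_protocols={"t3"}),
]

if __name__ == "__main__":
    for row in triage_inventory(SAMPLE_INVENTORY, date(2026, 6, 3)):
        print(row)
```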

Joseph Ofonagoro

Joseph is a Technical Writer with about 3 years of experience in the industry, also advancing a career in cyber threat intelligence. He is passionate about the responsible use of technology, a passion that led him into cybersecurity. As an undergrad, he leads a novel community of technology enthusiasts at his school, NOUN, where he guides and shares resources for beginners in tech. His writing experience includes writing on a diverse range of topics, from consumer tech to startups and tutorials. Additionally, he periodically shares case studies and research reports on cybersecurity on his social media pages.