CISA KEV Alert 6/1/2026, 8:24:30 PM

CISA Puts Oracle WebLogic Flaw CVE‑2024‑21182 on KEV List

CyberSIXT Evidence Panel: source marked as original reporting
Primary Source: cisa.gov
CISA KEV: Listed in KEV
Patch: Patch Available

On 1 June 2026 the Cybersecurity and Infrastructure Security Agency added CVE‑2024‑21182 to its Known Exploited Vulnerabilities (KEV) catalogue. The flaw affects Oracle WebLogic Server and is described as an unspecified vulnerability that could allow an unauthenticated attacker with network access via T3 or IIOP to compromise the server.

The vulnerability is classified as unspecified but is reachable through the T3 and IIOP protocols without authentication. Successful exploitation can lead to unauthorised access to critical data or, in the worst case, complete access to all data that the WebLogic Server instance can reach. NVD assigns it a CVSS v3.1 base score of 7.5, rating it HIGH. Oracle has released a patch, referenced in the July 2024 Critical Patch Update advisory.

The addition of CVE‑2024‑21182 to the KEV catalogue indicates that active exploitation has been observed in the wild. No public reports link this flaw to ransomware campaigns at present. Federal agencies must apply the required mitigations by 4 June 2026, the remediation deadline set by CISA.

CISA directs Federal Civilian Executive Branch agencies to apply mitigations per vendor instructions, follow applicable BOD 22‑01 guidance for cloud services, or discontinue use of Oracle WebLogic Server if mitigations are unavailable. While the binding deadline applies only to FCEB entities, CISA advises all organisations to assess their exposure and implement the same protective measures.

For full technical details, see the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2024-21182 and the CISA KEV catalogue.


Article by CyberSIXT
