CISA Warns Two-Year-Old Oracle Flaw Actively Exploited

Summary
– CISA ordered federal agencies to patch a high-severity Oracle WebLogic Server vulnerability (CVE-2024-21182) that was patched in July 2024 and is now actively exploited.
– The flaw allows unauthenticated attackers to remotely access critical data or fully compromise Oracle WebLogic Server versions 12.2.1.4.0 and 14.1.1.0.0 via T3 or IIOP.
– Shodan tracks over 1,592 vulnerable Oracle WebLogic servers exposed online, with 961 running version 12.2.1.4.0 and 631 running version 14.1.1.0.0.
– CISA added the vulnerability to its exploited flaws catalog and mandated federal agencies patch by June 4 under BOD 22-01, also urging private sector patching.
– Over the past several years, CISA has flagged 43 Oracle vulnerabilities as exploited in the wild, with 12 used in ransomware attacks.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent directive requiring federal agencies to patch a high-severity Oracle WebLogic Server vulnerability that was addressed two years ago but is now being actively exploited in real-world attacks. This development underscores the persistent threat posed by unpatched software, even after fixes have been available.
Oracle WebLogic Server functions as an enterprise-grade Java application server, commonly employed as middleware to support large-scale, multi-tier distributed applications. The specific flaw, cataloged as CVE-2024-21182, enables remote exploitation by threat actors who require no special privileges. These low-complexity attacks target systems running Oracle WebLogic Server versions 12.2.1.4.0 and 14.1.1.0.0.
When Oracle released security patches for CVE-2024-21182 in July 2024, the company described it as “easily exploitable,” allowing an unauthenticated attacker with network access via T3 or IIOP protocols to compromise the server. “Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data,” Oracle stated at the time.
According to the internet intelligence platform Shodan, more than 1,592 Oracle WebLogic servers remain exposed online and vulnerable to CVE-2024-21182 exploits. Of these, 961 are running version 12.2.1.4.0 and 631 are running version 14.1.1.0.0, highlighting the scale of the unpatched attack surface.
On Thursday, CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, confirming its active use in attacks. As required by Binding Operational Directive (BOD) 22-01, federal agencies must patch their WebLogic servers by midnight on Thursday, June 4. While this directive applies strictly to government networks, CISA strongly urged all network defenders, including those in the private sector, to prioritize patching systems against ongoing CVE-2024-21182 attacks.
“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” CISA warned. The agency instructed organizations to “apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.”
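The practical question for a defender reading the above is which hosts in their own estate match the affected WebLogic versions, whether T3 or IIOP is reachable from outside, and how long remains before the BOD 22-01 due date. The script below is an added example, not code from BleepingComputer, CISA or Oracle: it reconciles a small constructed host inventory against a constructed KEV-style record (field names follow the public KEV JSON feed; the due-date year is inferred from the article's "Thursday, June 4" and is an assumption). A version-string match only marks a host as a candidate, since Oracle's Critical Patch Updates do not change the version string, so the inventory carries a separate `patched` flag that would in practice be populated from the host's applied-patch list.

```python
"""Triage a WebLogic inventory against a CISA KEV-style entry for CVE-2024-21182.

Added example (not from the article, CISA or Oracle). KEV_ENTRY and INVENTORY
are constructed sample data; field names mirror the public KEV JSON feed.
"""
from dataclasses import dataclass
from datetime import date

# Constructed KEV-style record. The CVE id, vendor, product and required action
# come from the article; the dueDate year is an assumption (article says "June 4").
KEV_ENTRY = {
    "cveID": "CVE-2024-21182",
    "vendorProject": "Oracle",
    "product": "WebLogic Server",
    "dueDate": "2026-06-04",
    "requiredAction": "Apply mitigations per vendor instructions, follow applicable "
                      "BOD 22-01 guidance for cloud services, or discontinue use of "
                      "the product if mitigations are unavailable.",
}

# Versions the article names as affected, and the protocols over which the
# flaw is reachable without authentication.
AFFECTED_VERSIONS = {"12.2.1.4.0", "14.1.1.0.0"}
RISKY_PROTOCOLS = {"t3", "iiop"}


@dataclass
class Host:
    name: str
    version: str            # WebLogic version string as reported by the server
    listeners: tuple        # protocols enabled on the listen address, e.g. ("t3", "https")
    internet_facing: bool   # reachable from untrusted networks
    patched: bool           # July 2024 CPU confirmed applied (from patch inventory)


def parse_version(v: str) -> tuple:
    """Turn '12.2.1.4.0' into (12, 2, 1, 4, 0) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in v.strip().split("."))


def is_candidate(host: Host) -> bool:
    """True when the version string matches an affected release and no patch is recorded."""
    affected = {parse_version(v) for v in AFFECTED_VERSIONS}
    return parse_version(host.version) in affected and not host.patched


def exposure(host: Host) -> str:
    """'critical': affected and T3/IIOP listening on an internet-facing host;
    'high': affected but not externally reachable over T3/IIOP; 'none': otherwise."""
    if not is_candidate(host):
        return "none"
    risky = RISKY_PROTOCOLS & {p.lower() for p in host.listeners}
    if risky and host.internet_facing:
        return "critical"
    return "high"


def days_remaining(kev_entry: dict, today: date) -> int:
    """Days left until the KEV dueDate (negative once the deadline has passed)."""
    return (date.fromisoformat(kev_entry["dueDate"]) - today).days


def triage(hosts, kev_entry: dict, today: date):
    """Return (host, severity, days_to_due) for affected hosts, worst first."""
    rank = {"critical": 0, "high": 1}
    rows = [(h.name, exposure(h)) for h in hosts if exposure(h) != "none"]
    rows.sort(key=lambda r: rank[r[1]])
    left = days_remaining(kev_entry, today)
    return [(name, sev, left) for name, sev in rows]


# Constructed inventory: one exposed unpatched host, one internal unpatched host,
# one host whose patch inventory confirms the fix is applied.
INVENTORY = [
    Host("wls-prod-01", "12.2.1.4.0", ("t3", "https"), True, False),
    Host("wls-int-02", "14.1.1.0.0", ("https",), False, False),
    Host("wls-prod-03", "14.1.1.0.0", ("t3", "iiop"), True, True),
]

if __name__ == "__main__":
    for row in triage(INVENTORY, KEV_ENTRY, date(2026, 5, 28)):
        print(row)
```

The `patched` flag is the part a real deployment has to get right: the version string alone cannot distinguish a server that received the July 2024 update from one that did not, so the value should come from the host's applied-patch list rather than from the banner the T3 or IIOP listener returns.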
This is not the first time CISA has flagged Oracle vulnerabilities for urgent action. In October, the agency ordered federal agencies to patch an unauthenticated server-side request forgery (SSRF) vulnerability (CVE-2025-61884) in Oracle E-Business Suite after it was observed being actively exploited. More recently, in March, Oracle released an out-of-band security update to fix a critical unauthenticated remote code execution flaw (CVE-2026-21992) in Identity Manager and Web Services Manager. BleepingComputer reached out to Oracle for comment on its exploitation status, but the company declined to respond.
Over the past several years, CISA has identified 43 vulnerabilities across various Oracle products as exploited in the wild, with 12 of those leveraged in ransomware attacks. The repeated pattern underscores the importance of timely patching as a fundamental defense against persistent cyber threats.
(Source: BleepingComputer)