thehackernews.com web signal

CISA mandates Oracle WebLogic patch by June 4

oracle cybersecurity ai-business

Key insights

  • CISA added CVE-2024-21182 to its KEV catalog on June 2, requiring Federal Civilian Executive Branch agencies to patch Oracle WebLogic by June 4.
  • The CVSS 7.5 flaw allows unauthenticated network access via T3 or IIOP protocols, potentially granting full access to all WebLogic-accessible data.
  • A related Oracle WebLogic flaw, CVE-2026-21962 with CVSS 10.0, faced automated exploitation after public exploit code appeared in March 2026.

Why this matters

WebLogic Server is widely deployed in enterprise and government environments, meaning confirmed active exploitation signals attackers are already inside some networks. The two-day federal patch window from June 2 to June 4 leaves almost no time for compatibility testing, raising the risk of service disruption from rushed deployments. The parallel emergence of CVE-2026-21962 at CVSS 10.0 indicates Oracle WebLogic is under sustained, escalating attack rather than opportunistic probing.

Summary

CISA added CVE-2024-21182 to its Known Exploited Vulnerabilities catalog on June 2, giving federal agencies until June 4 to patch Oracle WebLogic Server. The CVSS 7.5 flaw lets unauthenticated attackers reach WebLogic via T3 or IIOP and gain full access to server-accessible data. Oracle patched it in July 2024, but active exploitation is now confirmed. Essentially: (CISA, Oracle) are in reactive mode on a platform with a long record of abuse. - CVE-2026-21962 (CVSS 10.0) saw automated exploitation after public exploit code appeared in March 2026. - Prior WebLogic flaws have enabled botnet recruitment, cryptocurrency mining, and ransomware deployment. WebLogic's persistent targeting makes this a systemic exposure for any organization still running the platform.

Potential risks and opportunities

Risks

  • Federal agencies that miss the June 4 deadline risk CISA compliance enforcement and unauthorized access to critical government data via the T3 and IIOP attack path.
  • Organizations delaying patches risk WebLogic servers being recruited into botnets or used for cryptocurrency mining, consistent with documented prior WebLogic exploitation patterns.
  • CVE-2026-21962 (CVSS 10.0) is already under automated exploitation, meaning unpatched WebLogic deployments face compound risk from two active attack vectors simultaneously.

Opportunities

  • Vulnerability management and patch orchestration vendors gain urgency-driven budget conversations at federal agencies and contractors facing the June 4 compliance deadline.
  • Organizations running legacy Oracle WebLogic have a concrete compliance-risk argument to accelerate migrations to modern application server alternatives.
  • Managed security service providers specializing in government and critical infrastructure can leverage this KEV listing to expand continuous monitoring contracts with mid-market Oracle middleware users.

What we don't know yet

  • Attribution behind the active exploitation of CVE-2024-21182 remains undisclosed; no threat actor or campaign is named in public reporting.
  • Whether non-federal organizations running WebLogic have received comparable urgency guidance beyond the FCEB mandate is not addressed in the advisory.
  • The timeline of when CVE-2024-21182 exploitation began is unclear, given Oracle patched it in July 2024, suggesting potentially nearly two years of exposure before KEV listing.

Originally reported by thehackernews.com

Read the original article →

Original headline: CISA Adds Oracle WebLogic CVE-2024-21182 to Known Exploited Vulnerabilities After Active Exploitation — Federal Patch Deadline June 4, T3 and IIOP Protocols Enable Unauthenticated Network Compromise