CVE Tools

Description

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

In plain language

AI Act now

CVE-2024-21182 is a WebLogic Server flaw that lets an attacker, without logging in, access sensitive data over the network; if you run Oracle WebLogic Server on the affected versions, you should treat this as urgent and patch quickly.

Executive summary

Unauthenticated network access to Oracle WebLogic Server via T3 or IIOP protocols can be abused to gain unauthorized access to sensitive data; this is confirmed in the CISA KEV catalog with active exploitation, so vulnerable instances should be remediated immediately (affected versions include 12.2.1.4.0 and 14.1.1.0.0).

If affected, business impact
Sensitive data exposureUnauthorized server accessService interruption riskCustomer trust damage

What to do now

  1. Check whether your systems use Oracle WebLogic Server version 12.2.1.4.0 or 14.1.1.0.0.
  2. If you’re on one of those versions, schedule an urgent upgrade/patch using Oracle’s July 2024 CPU remediation guidance (as referenced by Oracle security alerts).
  3. After applying the update, verify the WebLogic service is running the patched build and that the exposed ports/protocols are not reachable unless explicitly required.
  4. If you cannot patch immediately, implement the vendor-described mitigations promptly and restrict network reachability to reduce exposure.
  5. Confirm completion by reviewing access and error logs for suspicious connections over T3/IIOP-related network paths.
Patch / advisory Some work to apply

CVSS Vector Breakdown

AV:NAC:LPR:NUI:NS:UC:HI:NA:N
Exploitability
AV:NAttack Vector
Network
AC:LAttack Complexity
Low
PR:NPrivileges Required
None
UI:NUser Interaction
None
Scope
S:UScope
Unchanged
Impact
C:HConfidentiality
High
I:NIntegrity
None
A:NAvailability
None

Weaknesses

Affected Products

Oracle Corporation
commercial·USaka Oracle Corp., oracle
and 2 more affected products View all →

Exploitability

CISA Known Exploited Vulnerability
Added to KEV:Jun 1, 2026
Remediation due:Jun 4, 2026

Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Official Patch Available

References

and 3 more references View all →
4

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2024-21182 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows