Back to Intelligence

CVE-2024-21182: Oracle WebLogic Server Active Exploitation — Detection and Remediation

SA
Security Arsenal Team
June 1, 2026
5 min read

CISA has added CVE-2024-21182, a critical security flaw affecting Oracle WebLogic Server, to its Known Exploited Vulnerabilities (KEV) Catalog. This addition is based on concrete evidence of active exploitation in the wild, signaling that threat actors are already leveraging this vulnerability to compromise federal enterprise networks and likely private sector targets.

Oracle WebLogic Server is a ubiquitous Java EE application server often hosting critical enterprise applications. Because these servers are frequently exposed to the internet to facilitate partner access or cloud operations, they are prime targets for initial access vectors. The inclusion of this CVE in the KEV Catalog pursuant to Binding Operational Directive (BOD) 22-01 underscores the severity of the risk; Federal Civilian Executive Branch (FCEB) agencies are required to remediate this issue by the specified deadlines, but private sector organizations should treat this with equal urgency.

Technical Analysis

Vulnerability Details:

  • CVE Identifier: CVE-2024-21182
  • Affected Product: Oracle WebLogic Server
  • Impact: Remote Code Execution (RCE) – While Oracle advisories often describe these technically as "unspecified vulnerabilities" to prevent reverse-engineering of patches, CISA's KEV listing and historical patterns for WebLogic indicate a high likelihood of RCE via network protocols (T3/IIOP or HTTP).
  • CVSS Score: Not explicitly stated in the CISA alert, but vulnerabilities added to the KEV catalog typically carry a CVSS v3 score of 7.0 or higher.
  • Exploitation Status: Confirmed Active Exploitation.

Attack Mechanics: WebLogic vulnerabilities typically involve deserialization of untrusted data or improper input validation via the T3, IIOP, or HTTP protocols. An attacker does not require authentication to exploit this class of vulnerability on vulnerable versions. The attack chain generally looks like this:

  1. Scanning: The attacker scans port 7001 (default HTTP) or 7002 (default HTTPS) and T3 ports to identify WebLogic instances.
  2. Payload Delivery: A malicious serialized object or specially crafted HTTP request is sent to the server.
  3. Deserialization/Execution: The server processes the payload, leading to the execution of arbitrary code under the context of the WebLogic service account.
  4. Persistence/Impact: The attacker may deploy webshells, malware, or perform lateral movement.

Detection & Response

Given the active exploitation status, security teams must assume compromise if vulnerable versions are exposed. The following detection rules focus on post-exploitation behaviors (process spawning) and network reconnaissance, as specific pre-exploitation traffic signatures may vary.

Sigma Rules

YAML
---
title: WebLogic Server Spawning Shell
id: 85b2b4a1-9c4d-4f3b-8a2e-1c5d6f7e8a9b
status: experimental
description: Detects WebLogic (Java) process spawning a shell or command interpreter, a common behavior post-exploitation for RCE vulnerabilities.
references:
 - https://www.cisa.gov/news-events/alerts/2026/06/01/cisa-adds-one-known-exploited-vulnerability-catalog
author: Security Arsenal
date: 2024/06/01
tags:
 - attack.execution
 - attack.t1059
logsource:
 category: process_creation
 product: windows
detection:
 selection:
   ParentImage|endswith: '\java.exe'
   ParentCommandLine|contains: 'weblogic'
   Image|endswith:
     - '\cmd.exe'
     - '\powershell.exe'
     - '\pwsh.exe'
falsepositives:
 - Legitimate administrative debugging (rare)
level: high
---
title: Linux WebLogic Spawning Shell
id: 9c3d5e2a-0f1b-4a5c-9d6e-1f2a3b4c5d6e
status: experimental
description: Detects WebLogic on Linux spawning a shell process.
references:
 - https://www.cisa.gov/news-events/alerts/2026/06/01/cisa-adds-one-known-exploited-vulnerability-catalog
author: Security Arsenal
date: 2024/06/01
tags:
 - attack.execution
 - attack.t1059.004
logsource:
 category: process_creation
 product: linux
detection:
 selection:
   ParentImage|endswith: '/java'
   ParentCommandLine|contains: 'weblogic'
   Image|endswith:
     - '/bin/sh'
     - '/bin/bash'
     - '/bin/zsh'
falsepositives:
 - Legitimate administrative debugging
level: high


**KQL (Microsoft Sentinel)**
KQL — Microsoft Sentinel / Defender
// Hunt for WebLogic process spawning suspicious child processes
DeviceProcessEvents
| where InitiatingProcessFileName =~ "java.exe" or InitiatingProcessFileName == "java"
| where InitiatingProcessCommandLine contains "weblogic"
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "zsh")
| project Timestamp, DeviceName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, AccountName
| order by Timestamp desc


**Velociraptor VQL**
VQL — Velociraptor
-- Hunt for Java processes (WebLogic) spawning shells
SELECT Pid, Ppid, Name, Exe, CommandLine, Username
FROM pslist()
WHERE Pid IN (
    SELECT Ppid
    FROM pslist()
    WHERE Name =~ "sh" OR Name =~ "bash" OR Name =~ "cmd.exe" OR Name =~ "powershell.exe"
)
AND Name =~ "java"
AND CommandLine =~ "weblogic"


**Remediation Script (Bash)**
Bash / Shell
#!/bin/bash
# WebLogic CVE-2024-21182 Check and Harden Script
# Note: Always verify specific patch requirements in the Oracle advisory.

echo "Checking for WebLogic processes..."
WLS_PID=$(ps -ef | grep "[w]eblogic.Server" | awk '{print $2}')

if [ -z "$WLS_PID" ]; then
    echo "No running WebLogic Server instances found."
    exit 0
else
    echo "Found WebLogic Server running with PID: $WLS_PID"
fi

# Attempt to find WebLogic Home from environment or process
WLS_HOME=$(readlink -f /proc/$WLS_PID/cwd | sed 's\/user_projects\/.*$//')

if [ -d "$WLS_HOME" ]; then
    echo "Detected WebLogic Home: $WLS_HOME"
    # Check version in registry.xml or config.xml (simplified check)
    echo "--------------------------------------------------"
    echo "Action Required:"
    echo "1. Verify your version against the Oracle Advisory for CVE-2024-21182."
    echo "2. Download and apply the latest Critical Patch Update (CPU) from Oracle."
    echo "3. If patching is not immediately possible, restrict T3/IIOP access via firewall."
    echo "--------------------------------------------------"
else
    echo "Could not automatically determine WebLogic Home directory."
fi

# Network Hardening Check (Firewall)
echo "Checking for T3/IIOP exposure (Default ports 7001, 7002)..."
if netstat -tuln | grep -E ':7001|:7002' | grep LISTEN > /dev/null; then
    echo "WARNING: WebLogic is listening on default ports. Ensure T3/IIOP channels are disabled or restricted to trusted subnets."
else
    echo "WebLogic does not appear to be listening on default ports (or is not running as root)."
fi

Remediation

Immediate Actions:

  1. Patch: Apply the security patch referenced in the Oracle Critical Patch Update (CPU) advisory for CVE-2024-21182. This is the only guaranteed remediation.
  2. Network Isolation: If patching is delayed, restrict access to the WebLogic Server. Specifically, block the T3 and IIOP protocols at the network perimeter. These protocols are often used for exploitation but are rarely required for external HTTP/HTTPS access.
  3. Compromise Assessment: Run the detection queries above. If vulnerable versions were exposed to the internet, assume potential compromise and initiate forensic investigation.

Vendor Resources:

Deadline: Per Binding Operational Directive (BOD) 22-01, FCEB agencies must remediate this vulnerability by the date specified in the KEV catalog. We recommend all organizations remediate immediately due to active exploitation.

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub

cvezero-daypatch-tuesdayexploitvulnerability-disclosureoracle-weblogiccve-2024-21182cisa-kev

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action