ForumsExploitsCISA KEV Alert: Oracle WebLogic CVE-2024-21182 Under Active Attack

CISA KEV Alert: Oracle WebLogic CVE-2024-21182 Under Active Attack

PhysSec_Marcus 6/2/2026 USER

Saw this hit the CISA KEV catalog this morning. CVE-2024-21182 is now officially confirmed to be under active exploitation. It's a high-severity flaw (CVSS 7.5) in Oracle WebLogic Server that allows unauthenticated, network-based attackers to seize control of the system.

From what I've gathered, the exploit chain leverages the T3 protocol or similar RMI channels. If you have WebLogic exposed on port 7001, you need to assume you are being probed right now.

Immediate Detection Strategy

Since this is network-accessible, start by hunting for unusual connections to the T3 port. Legitimate T3 traffic usually originates from application servers, not the wild internet.

You can use this simple bash one-liner to grep your WebLogic server logs for T3 protocol headers (look for t3 followed by protocol versions):

zgrep -h "t3" /var/log/weblogic/*.log* | awk '{print $1, $4, $7}' | sort | uniq -c | sort -nr


If you don't have logging for the protocol handshake, check your perimeter firewall logs for spikes on port 7001.

Mitigation

Obviously, patch now (Oracle Critical Patch Update). However, if you can't patch immediately, restrict the T3 protocol. You can do this via the WebLogic Console or by using setDomainEnv to block inbound connections to port 7001 from untrusted subnets.

Is anyone else noticing scanning activity for this specific CVE? The honeypots I monitor started seeing probes about 12 hours before the KEV listing went live.

WH
whatahey6/2/2026

We caught a wave of these hitting our external sensors last night. The payload attempts to invoke ldap:// calls to pull down a malicious JAR. If you're using a SIEM, I recommend hunting for outbound LDAP connections originating from your WebLogic hosts—this is a strong indicator of the deserialization attempt.

Here is a basic KQL query if you are using Sentinel:

DeviceNetworkEvents
| where RemotePort == 389 or RemotePort == 636
| where InitiatingProcessVersionInfoOriginalFileName contains "java"
| where Timestamp > ago(24h)
IA
IAM_Specialist_Yuki6/2/2026

Patching WebLogic in production is always a nightmare due to the required restarts, but disabling T3 is a solid temporary fix. Just be careful—legacy applications often rely on T3 for internal server communication. Before blocking it entirely, verify your dependencies.

You can validate if T3 is strictly required by checking your config.xml:

grep -A 5 'protocol="t3""' $DOMAIN_HOME/config/config.xml


If you see it listening on `0.0.0.0`, restrict it to localhost or specific management subnets immediately.

Verified Access Required

To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.

Request Access

Thread Stats

Created6/2/2026
Last Active6/2/2026
Replies2
Views143