Critical Oracle WebLogic Server Vulnerability (CVE-2024-21182) Actively Exploited The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-21182, a critical vulnerability in Oracle WebLogic Server, to its Known Exploited Vulnerabilities (KEV) catalog on June 1, 2026, following confirmed in-the-wild exploitation. The flaw affects Oracle WebLogic Server, a widely deployed enterprise Java application server used in both cloud and on-premise environments. The vulnerability is classified as an unauthenticated remote code execution (RCE) flaw, allowing attackers to exploit it without authentication via WebLogic’s T3 or IIOP protocols, which are commonly used for internal application communication. Successful exploitation could enable threat actors to bypass authentication controls, access sensitive data, or fully compromise affected systems, potentially leading to lateral movement, data exfiltration, or deployment of malicious payloads such as web shells or remote access trojans. While no specific threat actors or ransomware groups have been publicly attributed to these attacks, security researchers warn that the vulnerability could be rapidly adopted in financially motivated campaigns, given WebLogic’s history as a frequent target in ransomware intrusion chains. CISA has mandated federal agencies to remediate the vulnerability by June 4, 2026, under Binding Operational Directive 22-01. Organizations are advised to apply Oracle’s official patches immediately or implement mitigation measures, such as isolating affected systems, restricting access to T3/IIOP protocols, and enforcing network segmentation. Continuous monitoring for unusual traffic patterns or unauthorized access attempts is also recommended to detect early signs of compromise. The incident highlights the ongoing risks posed by unpatched enterprise middleware and the need for proactive vulnerability management to defend critical infrastructure.