← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2024-21182 · Disclosed 2024-07-16

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a side door left on the loading dock, not a cannon through the front wall

CVE-2024-21182 is a pre-auth Oracle WebLogic Server flaw in the Core component that lets an unauthenticated attacker with network reachability over T3 or IIOP pull sensitive data from the server. Oracle lists affected versions as 12.2.1.4.0 and 14.1.1.0.0; the July 2024 CPU addressed it, with the 12c track publicly showing WLS STACK PATCH BUNDLE 12.2.1.4.240710 / WLS PATCH SET UPDATE 12.2.1.4.240704 as the relevant fixed train.

Oracle's 7.5/HIGH baseline is directionally right on technical impact, but reality is harsher because this is now KEV-listed with active exploitation and public PoC. The counterweight is real too: this is not generic HTTP reachability; the attacker needs exposure to WebLogic's T3/IIOP path, which materially narrows the reachable population in mature enterprises. Net: this stays HIGH, upgraded in urgency, not in bucket.

"KEV and public PoC make this urgent, but T3/IIOP reachability keeps it below CRITICAL."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Find a reachable WebLogic endpoint

Attackers first identify Oracle WebLogic instances exposing the relevant listener path, typically over the default WebLogic channels where T3/T3S and sometimes IIOP ride. Public exposure exists, and recent reporting citing Shodan counted more than 1,500 internet-exposed vulnerable instances, but the real enterprise risk is broader because internal flat networks often expose these services east-west after initial access.
Conditions required:
  • Target runs Oracle WebLogic Server 12.2.1.4.0 or 14.1.1.0.0
  • Attacker can reach a WebLogic listener carrying T3 or IIOP
  • Host is unpatched for the July 2024 CPU or later
Where this breaks in practice:
  • Many orgs do not expose T3/IIOP directly to the internet
  • Segmentation, load balancers, and network channels often limit reachability
  • Some environments only expose HTTP(S) through reverse proxies, not native remoting protocols
Detection/coverage: Attack-surface tools and internet scanners will find exposed listeners; vulnerability scanners such as Nessus broadly flag July 2024 WebLogic CPU exposure, but protocol-specific exposure mapping is often better done with ASM or targeted port discovery.
STEP 02

Exercise the pre-auth protocol path

A public PoC exists in GitHub repositories attributed to k4it0k1d and kursadalsan, described as a WebLogic JNDI/T3 exploit path. The attacker sends crafted traffic over the remoting channel without needing credentials or user interaction.
Conditions required:
  • Untrusted traffic is allowed to reach the target listener
  • No authentication gate blocks the vulnerable code path
Where this breaks in practice:
  • NGFW rules, ACLs, or protocol-aware filtering can break the path before application handling
  • If T3/IIOP is disabled or bound only to trusted interfaces, exploitation dies early
Detection/coverage: Network telemetry can catch unusual T3/IIOP access from non-app peers; EDR is less useful at this stage unless the exploit chains into follow-on execution.
STEP 03

Read server-accessible data

Successful exploitation yields unauthorized access to critical data and, per Oracle, potentially all data accessible to that WebLogic server context. That is a serious outcome for middleware hosting identity, integration, or ERP-adjacent apps, even though Oracle did not assign integrity or availability impact in the CVSS vector.
Conditions required:
  • Target application context exposes valuable data through the compromised server process
  • The WebLogic service account has broad backend reach
Where this breaks in practice:
  • Blast radius is constrained by what that server can actually access
  • Tight DB permissions and segmented backend services sharply reduce payoff
Detection/coverage: Application logs, database audit logs, and unusual service-account data access are your best post-compromise clues; pure vuln scanners cannot validate impact.
STEP 04

Pivot from data access to wider compromise

Once a hostile actor is on the box logically, the usual next move is credential harvesting, config theft, or pivoting to adjacent middleware and databases. This CVE is not scored as RCE, so the pivot depends on what the application tier already exposes rather than a guaranteed server takeover primitive.
Conditions required:
  • Compromised server stores secrets, JDBC credentials, or admin material
  • Lateral movement paths exist from the app tier
Where this breaks in practice:
  • Secrets vaulting, least-privilege service accounts, and EDR materially reduce post-exploit value
  • A well-segmented app tier contains the incident to one domain or tenant
Detection/coverage: EDR and identity analytics should catch the follow-on behavior better than the initial vulnerability itself.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusConfirmed exploited via CISA KEV; current reporting says CISA added it on 2026-06-01 after evidence of active exploitation.
KEV datesKEV-listed with reporting of Date Added: 2026-06-01 and Due Date: 2026-06-04 in KEV mirrors consuming CISA data.
PoC availabilityPublic PoC exists; repos referenced include k4it0k1d/CVE-2024-21182 and kursadalsan/CVE-2024-21182.
EPSSUser-supplied EPSS is 0.89649; CIRCL EPSS data shows roughly 99th percentile risk. That lines up with a vuln actors actually care about, not just one scanners yell about.
CVSS vector meaningAV:N/AC:L/PR:N/UI:N is the dangerous part: remote, low-complexity, no-auth, no-user-click. The moderating part is C:H/I:N/A:N: Oracle scored this as data theft, not direct tamper or crash.
Affected versionsOracle lists Oracle WebLogic Server 12.2.1.4.0 and 14.1.1.0.0 as affected.
Fixed trainOracle fixed it in the July 2024 Critical Patch Update. The 12c public patch train shows WLS STACK PATCH BUNDLE 12.2.1.4.240710 including WLS PATCH SET UPDATE 12.2.1.4.240704; for 14.1.1.0.0, use the July 2024 CPU or any later cumulative WLS patch.
Exposure realityRecent reporting citing Shodan counted 1,592 internet-exposed vulnerable WebLogic servers (961 on 12.2.1.4.0, 631 on 14.1.1.0.0). That is not mass-market scale, but it is plenty for opportunistic exploitation.
Protocol exposure nuanceOracle documentation explicitly warns against enabling T3 on channels accessible from outside Oracle Cloud. This is the key friction point: if your org only publishes HTTP(S) behind a proxy, this CVE is much less reachable.
Disclosure date2024-07-16 in Oracle's July 2024 CPU and NVD publication.
04 · The Call

noisgate verdict.

Final Verdict
= UNCHANGED to HIGH (8.4/10)

The single biggest factor is active exploitation of a pre-auth bug with public PoC. The reason this stops short of CRITICAL is equally important: exploitation requires real-world reachability to T3/IIOP, which sharply narrows exposure compared with a plain internet-facing HTTP flaw.

HIGH Affected versions and protocol prerequisites
HIGH Active exploitation / KEV status
MEDIUM Exact fixed patch train for all 14.1.1.0.0 deployments outside Oracle support channels

Why this verdict

  • Vendor baseline starts at 7.5/HIGH because this is unauthenticated, remote, low-complexity access to sensitive data.
  • KEV + public PoC push the score up: this moved from theoretical to operational, and defenders should assume opportunistic scanning is already happening.
  • Reachability friction keeps it below CRITICAL: the attacker needs T3/IIOP access, which implies a smaller exposed population than generic web flaws and often means post-initial-access east-west exploitation in modern enterprises.
  • Impact is serious but not full-spectrum: Oracle scored confidentiality high, but integrity and availability are not part of the demonstrated baseline, so this is not the same class as unauthenticated WebLogic RCE.

Why not higher?

I am not calling this CRITICAL because the exploit path is not simple HTTPS to a login page; it depends on T3/IIOP reachability, which many mature environments intentionally suppress. Also, the published severity basis is unauthorized data access, not proven turnkey RCE with broad host takeover.

Why not lower?

I am not downgrading it because KEV trumps wishful thinking. A pre-auth Oracle WebLogic bug with public PoC and confirmed in-the-wild use is exactly the kind of issue that burns defenders who over-index on protocol friction.

05 · Compensating Control

What to do — in priority order.

  1. Block T3 and IIOP from untrusted networks — Put ACLs, security groups, or NGFW rules in front of every WebLogic listener and allow only known app peers. Because this is KEV-listed and actively exploited, deploy this immediately, within hours.
  2. Disable unused remoting protocols — If the application does not require T3, T3S, or IIOP, turn them off or remove public/internal channels that expose them. This is the cleanest blast-radius reduction and should also be done immediately, within hours.
  3. Constrain WebLogic network channels — Bind admin and remoting channels to management VLANs or loopback/proxy-only interfaces rather than broad server subnets. If patching cannot happen same-day, enforce this segmentation immediately, within hours.
  4. Audit service-account reach — Reduce database and backend privileges available to the WebLogic runtime so a successful exploit yields less data. Treat this as short-term containment and complete it within hours to 1 day for exposed systems.
  5. Hunt for abnormal T3/IIOP traffic and data access — Look for new peers touching WebLogic remoting ports, unusual JDBC activity, and suspicious reads by middleware service accounts. Start the hunt immediately, within hours, because KEV means you may already be behind.
What doesn't work
  • A WAF alone does not solve this if the exploitable path is T3/IIOP rather than ordinary HTTP request handling.
  • MFA is irrelevant to the initial exploit because the attacker does not need credentials.
  • EDR alone helps with follow-on behavior, but it does not reliably stop the initial protocol-level data exposure.
  • Hiding the admin console is not enough if the vulnerable listener remains reachable on the remoting channel.
06 · Verification

Crowdsourced verification payload.

Run this on the target WebLogic host as the same OS account that owns the Oracle home, or as root with read access to the Oracle installation. Invoke it like ./check_cve_2024_21182.sh /u01/app/oracle/middleware or point it directly at ORACLE_HOME; it needs local filesystem access and, if present, will use OPatch to verify whether a July 2024-or-later WLS bundle was applied.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/usr/bin/env bash
# check_cve_2024_21182.sh
# Detect likely exposure to CVE-2024-21182 on Oracle WebLogic Server.
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN, 3=usage/error

set -u

TARGET="${1:-}"
if [[ -z "$TARGET" ]]; then
  echo "Usage: $0 <ORACLE_HOME|MIDDLEWARE_HOME>"
  exit 3
fi

if [[ ! -d "$TARGET" ]]; then
  echo "UNKNOWN - path does not exist: $TARGET"
  exit 2
fi

ORACLE_HOME=""
if [[ -x "$TARGET/OPatch/opatch" ]]; then
  ORACLE_HOME="$TARGET"
elif [[ -d "$TARGET/oracle_common" && -x "$TARGET/OPatch/opatch" ]]; then
  ORACLE_HOME="$TARGET"
else
  # Try to discover a child Oracle home with OPatch
  CANDIDATE=$(find "$TARGET" -maxdepth 3 -type f -path '*/OPatch/opatch' 2>/dev/null | head -n 1)
  if [[ -n "$CANDIDATE" ]]; then
    ORACLE_HOME=$(dirname "$(dirname "$CANDIDATE")")
  fi
fi

if [[ -z "$ORACLE_HOME" ]]; then
  echo "UNKNOWN - could not locate ORACLE_HOME with OPatch under: $TARGET"
  exit 2
fi

VERSION=""
REG1="$ORACLE_HOME/inventory/registry.xml"
REG2="$ORACLE_HOME/oui/registry.xml"
for REG in "$REG1" "$REG2"; do
  if [[ -f "$REG" ]]; then
    VERSION=$(grep -Eo 'version="(12\.2\.1\.4\.0|14\.1\.1\.0\.0)"' "$REG" | head -n 1 | cut -d'"' -f2)
    [[ -n "$VERSION" ]] && break
  fi
done

if [[ -z "$VERSION" ]]; then
  # Fallback: search common files
  VERSION=$(grep -R -Eo '12\.2\.1\.4\.0|14\.1\.1\.0\.0' "$ORACLE_HOME"/registry* "$ORACLE_HOME"/inventory* "$ORACLE_HOME"/oracle_common 2>/dev/null | head -n 1 || true)
fi

if [[ -z "$VERSION" ]]; then
  echo "UNKNOWN - could not determine WebLogic version under $ORACLE_HOME"
  exit 2
fi

if [[ "$VERSION" != "12.2.1.4.0" && "$VERSION" != "14.1.1.0.0" ]]; then
  echo "PATCHED - installed version $VERSION is not in the affected set for CVE-2024-21182"
  exit 0
fi

OPATCH="$ORACLE_HOME/OPatch/opatch"
if [[ ! -x "$OPATCH" ]]; then
  echo "UNKNOWN - affected base version $VERSION found, but OPatch is unavailable"
  exit 2
fi

INV=$($OPATCH lsinventory 2>/dev/null)
if [[ -z "$INV" ]]; then
  echo "UNKNOWN - affected base version $VERSION found, but could not read OPatch inventory"
  exit 2
fi

# Heuristics for July 2024-or-later WLS bundles.
# 12.2.1.4 public train includes SPB 12.2.1.4.240710 / PSU 12.2.1.4.240704.
# 14.1.1.0.0 requires July 2024 CPU-or-later cumulative WLS patch; we look for 2407xx+ bundle/PSU naming.
if [[ "$VERSION" == "12.2.1.4.0" ]]; then
  if echo "$INV" | grep -Eq '12\.2\.1\.4\.(240710|2407[1-9][0-9]|240[89][0-9]{2}|24(10|11|12)[0-9]{2}|25[0-9]{4}|26[0-9]{4})|WLS PATCH SET UPDATE 12\.2\.1\.4\.(240704|2407[1-9][0-9]|240[89][0-9]{2}|24(10|11|12)[0-9]{2}|25[0-9]{4}|26[0-9]{4})'; then
    echo "PATCHED - affected branch $VERSION detected, but OPatch inventory shows July 2024-or-later WLS patching"
    exit 0
  else
    echo "VULNERABLE - affected branch $VERSION detected and no July 2024-or-later WLS CPU/SPB evidence found in OPatch inventory"
    exit 1
  fi
fi

if [[ "$VERSION" == "14.1.1.0.0" ]]; then
  if echo "$INV" | grep -Eq '14\.1\.1\.0\.2407[0-9]{2}|14\.1\.1\.0\.240[89][0-9]{2}|14\.1\.1\.0\.24(10|11|12)[0-9]{2}|14\.1\.1\.0\.25[0-9]{4}|14\.1\.1\.0\.26[0-9]{4}|WLS STACK PATCH BUNDLE 14\.1\.1\.0\.2407[0-9]{2}|WLS PATCH SET UPDATE 14\.1\.1\.0\.2407[0-9]{2}|WLS STACK PATCH BUNDLE 14\.1\.1\.0\.24(08|09|10|11|12)[0-9]{2}|WLS STACK PATCH BUNDLE 14\.1\.1\.0\.25[0-9]{4}|WLS STACK PATCH BUNDLE 14\.1\.1\.0\.26[0-9]{4}'; then
    echo "PATCHED - affected branch $VERSION detected, but OPatch inventory shows July 2024-or-later WLS patching"
    exit 0
  else
    echo "VULNERABLE - affected branch $VERSION detected and no July 2024-or-later WLS CPU/SPB evidence found in OPatch inventory"
    exit 1
  fi
fi

echo "UNKNOWN - unable to classify installation"
exit 2
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, treat every exposed or east-west reachable WebLogic 12.2.1.4.0 and 14.1.1.0.0 instance as an incident-prevention priority: inventory them, confirm whether T3/IIOP is reachable, and patch / mitigate immediately, within hours because KEV overrides the normal noisgate mitigation SLA. The formal noisgate remediation SLA for this HIGH reassessment is ≤180 days, but that is not your operating target here—anything internet-facing or reachable from user/server segments should get emergency containment today and the actual Oracle July 2024 CPU-or-later patch in the same response window if change control allows.

Sources

  1. Oracle Critical Patch Update Advisory - July 2024
  2. NVD CVE-2024-21182
  3. CISA Known Exploited Vulnerabilities Catalog
  4. Oracle WebLogic Cloud default ports guidance
  5. Oracle WebLogic Server Stack Patch Bundle 12.2.1.4.240710 details
  6. CIRCL vulnerability lookup for CVE-2024-21182
  7. Public PoC repository
  8. BleepingComputer report citing current Shodan exposure counts
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.