WebLogic Server leaks data exploited in wild (CVE-2024-21182) [PoC]
Actively exploited in the wild - CVE-2024-21182 is a high-severity vulnerability in Oracle WebLogic Server 12.2.1.4.0 and 14.1.1.0.0 that lets an unauthenticated attacker with T3 or IIOP network access read critical data from the server. Exploitation is confirmed; apply Oracle's July 2024 Critical Patch Update, the release that first fixed this CVE, immediately.
Overview
CVE-2024-21182 affects the Core component of Oracle WebLogic Server, part of Oracle Fusion Middleware. An unauthenticated attacker who can reach the server over the T3 or IIOP protocols can exploit it without any user interaction. Successful exploitation results in unauthorized access to critical data, or complete access to all data accessible to the WebLogic Server process. Note that T3 is multiplexed on the same listen port as HTTP (7001 by default, 7002 for SSL), so any server whose console or application port is reachable is, unless a connection filter says otherwise, also reachable over T3.
The vulnerability carries a CVSS 3.1 base score of 7.5 (HIGH) with a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. This means the attack requires no authentication, no user interaction, and can be executed over the network with low complexity. The impact is exclusively on confidentiality - the attacker gains read access to sensitive data but cannot modify or destroy it.
Exploitation and Urgency
CISA has confirmed this vulnerability is actively exploited in the wild, placing it on the Known Exploited Vulnerabilities (KEV) catalog. The EPSS score is 87.7%, indicating a very high probability of exploitation within the next 30 days. Organizations should treat this as an urgent patching priority.
Affected Versions
- Oracle WebLogic Server 12.2.1.4.0
- Oracle WebLogic Server 14.1.1.0.0
Remediation
Apply the Oracle Critical Patch Update (CPU) for July 2024, which first addressed CVE-2024-21182; WebLogic patch set updates are cumulative, so any later CPU also contains the fix. Oracle has released patches for both affected versions. Oracle publishes no workaround for this CVE, and the network restrictions below only reduce exposure; patching is the only complete mitigation.
Immediate Actions
- Identify all instances of Oracle WebLogic Server in your environment running the affected versions.
- Apply the July 2024 (or a later, cumulative) CPU to all affected instances and confirm the patch with `opatch lsinventory` rather than by version string, since the reported version does not change after patching.
- If immediate patching is not possible, restrict T3 and IIOP access to trusted addresses. Because T3 shares the HTTP listen port (typically 7001, or 7002 for SSL), a plain firewall rule on those ports also blocks HTTP; use a WebLogic connection filter instead (Domain > Security > Filter, class `weblogic.security.net.ConnectionFilterImpl`) with rules such as `10.0.0.0/8 * * allow t3 t3s` followed by `0.0.0.0/0 * * deny t3 t3s iiop iiops`, and disable IIOP on channels that do not need it.
- Monitor for signs of exploitation: T3 or IIOP connections from addresses outside the expected client set, and unusual outbound data volumes from WebLogic hosts.
Security Insight
This vulnerability exemplifies a persistent pattern: Oracle Fusion Middleware products remain a high-value target for threat actors due to their widespread deployment in enterprise environments and the critical data they handle. The fact that an unauthenticated, low-complexity attack can yield complete data access speaks to the challenge of securing legacy enterprise Java stacks. The active exploitation and high EPSS score confirm that attackers are weaponizing these flaws rapidly after patch release, compressing the remediation window for defenders.
Public PoC References
Unverified third-party code
These repositories are publicly listed on GitHub and have not been audited by Yazoul Security. They may contain malware, backdoors, destructive payloads, or operational security risks (telemetry, exfiltration). Treat them as hostile binaries. Inspect source before execution. Run only in isolated, disposable lab environments (offline VM, no credentials, no production data).
Authorized use only. This information is provided for defensive research, detection engineering, and patch validation. Using exploit code against systems you do not own or do not have explicit written permission to test is illegal in most jurisdictions and violates Yazoul's terms of use.
| Repository | Description | Stars |
|---|---|---|
| kursadalsan/CVE-2024-21182 | PoC for CVE-2024-21182 | ★ 2 |
| k4it0k1d/CVE-2024-21182 | PoC for CVE-2024-21182 | ★ 1 |
Showing 2 of 2 known references. Source: nomi-sec/PoC-in-GitHub.