Part of Lyceum Intelligence — deep-research In Focus reports → · Lyceum Corpus — ask the documents →

Full-text search across 381 articles. Typo-tolerant.

Lyceum News Desk ·

[KEV] CVE-2024-21182 -- CVSS 0.0 Vulnerability Briefing

[KEV] CVE-2024-21182 | CVSS 0.0 (Low) | Exploit: Operational

What Is It

CVE-2024-21182 is an unspecified remote data disclosure vulnerability in Oracle WebLogic Server, exploitable over the network via the T3 and IIOP protocols without authentication.

Technical Detail

The flaw exists within Oracle WebLogic Server's handling of T3 and IIOP protocol communications, both of which are commonly exposed on default WebLogic deployments. An unauthenticated attacker with network access to the affected port can trigger the vulnerability without any credentials or prior foothold on the system. Successful exploitation results in unauthorized read access to sensitive or critical data, up to and including complete access to all data accessible by the WebLogic Server process, representing a high-impact confidentiality breach.

Exploitation Status

CISA has confirmed active exploitation in the wild, with this vulnerability added to the Known Exploited Vulnerabilities catalog on June 1, 2026. The exploit maturity is rated Operational, meaning functional exploit code exists and is being actively used in real-world attacks, not merely demonstrated in controlled research environments. Organizations should treat this as an actively targeted vulnerability requiring immediate remediation.

Who Is Targeting This

Confirmed (ATTAX-verified): Agrius (Iran, nation-state motivation), Magic Hound (Iran, nation-state motivation), BackdoorDiplomacy (origin unknown, motivation unknown), GOLD SOUTHFIELD (origin unknown, motivation unknown), and Storm-0501 (origin unknown, motivation unknown) have all been attributed with high confidence. The involvement of two distinct Iranian nation-state groups alongside financially or operationally motivated actors suggests this vulnerability is being exploited across multiple threat actor categories simultaneously. Reported (research-inferred): No additional public attribution beyond the confirmed actors has been identified at this time.

What To Do

Apply Oracle's patch for CVE-2024-21182 immediately. Given CISA KEV listing as of June 1, 2026, federal agencies under BOD 22-01 are required to remediate without delay; all other organizations should treat this as a critical priority patch regardless of CVSS score. As an interim workaround, restrict network access to T3 and IIOP listener ports (typically 7001 and 7002) using firewall rules or network ACLs, limiting exposure to trusted internal hosts only. Disable IIOP if it is not required by your deployment. Review WebLogic access logs for anomalous T3 and IIOP connection attempts from unexpected source addresses, particularly targeting administrative ports. Given confirmed nation-state actor involvement, organizations in government, defense, finance, and critical infrastructure sectors should treat any unpatched WebLogic exposure as a high-priority incident risk.

In Focus
All analysis →

Deep-research intelligence reports from Lyceum Intelligence — structured assessments with sourced claims and calibrated conclusions.

Browse Intelligence Reports →