
WebLogic CVE-2024-21182 joins KEV two years after the July 2024 CPU

2026-06-01 · by @osbytes · 5 min read
#oracle #weblogic #cisa-kev #security #cve #java

TL;DR

  • CISA's June 1 alert adds CVE-2024-21182 to the Known Exploited Vulnerabilities catalog. The KEV JSON feed lists dateAdded 2026-06-01 and dueDate 2026-06-04 for federal civilian agencies under BOD 22-01.
  • Oracle fixed this in the July 2024 Critical Patch Update for WebLogic Server 12.2.1.4.0 and 14.1.1.0.0. NVD still describes it as unauthenticated network access via T3 and IIOP, with Oracle's published CVSS 3.1 score of 7.5 (confidentiality impact only on that row).
  • If you run customer-managed WebLogic on those trains, treat today as an inventory-and-proof exercise: confirm the July 2024 (or later) CPU bits are on every Admin Server and managed server, then look for unexpected T3/IIOP listeners facing the internet.

The July 2024 patch is old news; KEV is the new receipt

Nothing about CVE-2024-21182 is a same-day disclosure. Oracle received the CVE on 2024-07-16, and the verbose July 2024 risk matrix already spelled out the shape: WebLogic Core, reachable over T3, IIOP, no authentication, low complexity, no user interaction. Oracle scored it 7.5 with confidentiality as the scored impact on that line, while a sibling WebLogic entry in the same table carries 9.8 with full takeover language, so do not assume every July WebLogic CVE row describes identical blast radius.

What changed today is operator evidence, not vendor text. CISA's catalog entry says attackers are exploiting the flaw in the wild. NVD's change history shows the KEV metadata landing 2026-06-01. That is the artifact worth acting on if your patch queue still treats "published in 2024" as background noise.

Why T3 and IIOP still matter in 2026

Years of WebLogic breach stories have run over T3 (Oracle's Java RMI wire protocol) and IIOP (CORBA bridging), the same channels that carry its admin and application traffic. This CVE is not a novel protocol class; it is another reminder that middleware left listening on 0.0.0.0 becomes long-lived attack surface. The KEV short description matches Oracle's language: unauthenticated network access, compromise of the server, unauthorized read of data the instance can reach.

That is a narrower headline than "domain admin tomorrow," but it is still a perimeter problem when a management port is exposed. Teams that only patch quarterly CPUs may have mentally filed July 2024 away while Internet-facing consoles kept the vulnerable protocols open.

What to verify before the June 4 KEV due date

Work from Oracle's July 2024 advisory and your own change records, not a blog paraphrase:

  1. Version proof. Confirm every WebLogic instance is either off the vulnerable 12.2.1.4.0 / 14.1.1.0.0 builds or has the July 2024 CPU patch bundle applied, per Oracle's Fusion Middleware patch document for your exact install type (traditional, container image, vendor appliance).
  2. Exposure proof. Map which hosts accept T3 and IIOP from networks you do not fully trust. KEV pressure is highest where those listeners are reachable without an application-layer login.
  3. Compensating controls. If you cannot patch before the due date, Oracle's standard CPU guidance still applies: blocking the protocols at a firewall is a break-glass move that can break legitimate admin tooling, so document what you disabled and for how long.
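A triage pass over the version and exposure checks above, as an added example that is not part of the original post: it reads a constructed excerpt in the shape of CISA's KEV JSON feed, checks a constructed, hypothetical WebLogic inventory for the affected trains and CPU level, and flags channels serving T3/IIOP that are bound to every interface. Host names, versions and the inventory field layout (`cpu`, `listen`, `protocols`) are assumptions, not anything Oracle or CISA publishes.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed (values from the post, not fetched).
KEV_FEED = json.dumps({"vulnerabilities": [{
    "cveID": "CVE-2024-21182", "vendorProject": "Oracle", "product": "WebLogic Server",
    "dateAdded": "2026-06-01", "dueDate": "2026-06-04"}]})
VULNERABLE_TRAINS = {"12.2.1.4.0", "14.1.1.0.0"}  # trains on the July 2024 CPU row
FIX_CPU = "2024-07"  # first quarterly CPU carrying the fix, as YYYY-MM
# Constructed, hypothetical inventory: 'cpu' = newest CPU applied (YYYY-MM or None),
# 'listen' = bind address of the channel, 'protocols' = what that channel serves.
INVENTORY = [
    {"host": "wls-admin-01", "version": "12.2.1.4.0", "cpu": "2024-04",
     "listen": "0.0.0.0:7001", "protocols": ["http", "t3", "iiop"]},
    {"host": "wls-ms-02", "version": "14.1.1.0.0", "cpu": None,
     "listen": "10.20.0.12:8001", "protocols": ["http", "t3"]},
    {"host": "wls-ms-03", "version": "14.1.1.0.0", "cpu": "2025-01",
     "listen": "0.0.0.0:8001", "protocols": ["http", "t3", "iiop"]},
    {"host": "wls-legacy-04", "version": "12.2.1.3.0", "cpu": "2023-10",
     "listen": "0.0.0.0:7001", "protocols": ["http", "t3"]},
]

def kev_entry(feed_json, cve):
    """Return the KEV record for `cve`, or None if the feed does not list it."""
    return next((v for v in json.loads(feed_json)["vulnerabilities"]
                 if v["cveID"] == cve), None)
def lacks_fix(inst):
    """Version proof: affected train with no CPU at or after July 2024."""
    return inst["version"] in VULNERABLE_TRAINS and (
        inst["cpu"] is None or inst["cpu"] < FIX_CPU)
def exposed_t3_iiop(inst):
    """Exposure proof: T3 or IIOP served on a channel bound to every interface."""
    addr = inst["listen"].rsplit(":", 1)[0]
    return addr in ("0.0.0.0", "::", "[::]") and bool({"t3", "iiop"} & set(inst["protocols"]))
def triage(feed_json, inventory, today_iso):
    """Rank each host against the KEV due date as (host, priority, days_left)."""
    entry = kev_entry(feed_json, "CVE-2024-21182")
    if entry is None:  # not in KEV: nothing to rank against
        return []
    days_left = (date.fromisoformat(entry["dueDate"]) - date.fromisoformat(today_iso)).days
    report = []
    for inst in inventory:
        if inst["version"] not in VULNERABLE_TRAINS:
            prio = "unlisted"  # off the named trains; verify against Oracle's matrix separately
        elif lacks_fix(inst):
            prio = "patch-now" if exposed_t3_iiop(inst) else "patch"
        else:
            prio = "ok"
        report.append((inst["host"], prio, days_left))
    return report
```

An "unlisted" build is not a clean result: it only means the advisory row quoted in this post does not name that train, so it still needs its own check against Oracle's matrix.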

Oracle also started monthly Critical Security Patch Updates (CSPUs) in late May 2026 for urgent fixes between quarterly CPUs. That cadence does not replace July 2024 for this CVE, but it is worth aligning change windows so the next urgent WebLogic fix does not wait three months.

Sources