CISA is warning organizations that an Oracle WebLogic vulnerability patched nearly two years ago is being exploited in the wild.
The security hole, tracked as CVE-2024-21182, affects the Java application server and was patched by Oracle with its July 2024 Critical Patch Update (CPU). The software giant’s advisory shows that the flaw was discovered and reported independently by several researchers.
Several proof-of-concept (PoC) exploits targeting CVE-2024-21182 have been made publicly available since the vulnerability’s existence came to light, but CISA appears to be the first to warn about its in-the-wild exploitation.
CISA added CVE-2024-21182 to its Known Exploited Vulnerabilities (KEV) catalog on June 1, instructing federal agencies to address it by June 4.
The flaw can be leveraged by remote, unauthenticated hackers to compromise vulnerable Oracle WebLogic Server instances.












