CVE-2024-21182

Tags: HIGH · KEV · LAB

Oracle WebLogic Server 12.2.1.4.0 / 14.1.1.0.0 - Unauthorized Access via T3/IIOP (JNDI injection)

Title source: llm (version range corrected to match the affected versions in Oracle's description below)

Exploitation Summary

CVE-2024-21182 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added June 1, 2026. EIP tracks 6 public exploit repositories from researchers including kursadalsan, dinosn and k4it0k1d: four are classified as working PoCs, and two are flagged as suspicious because they contain no exploit code and only link to an external download.

AI-analyzed exploit summary (kursadalsan PoC): This repository contains a functional exploit PoC for CVE-2024-21182, targeting Oracle WebLogic Server via JNDI injection. The exploit leverages reflection to manipulate JNDI references and trigger an LDAP lookup, potentially leading to remote code execution. Note the mismatch between Oracle's score, which records confidentiality impact only (C:H/I:N/A:N, "unauthorized access"), and the public PoCs, which all describe a server-side JNDI lookup against an attacker-controlled LDAP server ending in code execution. Defenders should plan for the RCE outcome rather than the vendor score.

Description

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows an unauthenticated attacker with network access via T3 or IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Exploits (6)

kursadalsan/CVE-2024-21182 · nomisec · WORKING POC · 2 stars
by kursadalsan · remote
https://github.com/kursadalsan/CVE-2024-21182

This repository contains a functional exploit PoC for CVE-2024-21182, targeting Oracle WebLogic Server via JNDI injection. The exploit leverages reflection to manipulate JNDI references and trigger an LDAP lookup, potentially leading to remote code execution.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Oracle WebLogic Server
Auth: none needed
Prerequisites: Network access to WebLogic T3 port (default 7001) · LDAP server hosting malicious payload
Analyzed by devstral-2 on Feb 18, 2026

dinosn/CVE-2024-21182 · github · WORKING POC · 1 star
by dinosn · javapoc
https://github.com/dinosn/CVE-2024-21182

This repository contains a functional exploit for CVE-2024-21182, demonstrating unauthenticated remote code execution (RCE) in Oracle WebLogic Server via T3/IIOP JNDI injection. The exploit leverages the `AggregatableOpaqueReference` gadget to bypass previous patches and trigger server-side JNDI resolution against an attacker-controlled LDAP server.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Oracle WebLogic Server (12.2.1.3-2018, the same build as the community lab image below; note that 12.2.1.3 is not among the supported versions Oracle lists as affected)
Auth: none needed
Prerequisites: Docker · Docker Compose · Java 8 · Python 3
Analyzed by devstral-2 on Jun 02, 2026

k4it0k1d/CVE-2024-21182 · nomisec · WORKING POC · 1 star
by k4it0k1d · remote
https://github.com/k4it0k1d/CVE-2024-21182

This repository contains a functional exploit PoC for CVE-2024-21182, targeting Oracle WebLogic Server via JNDI injection. The exploit leverages deserialization and JNDI manipulation to achieve remote code execution by binding a malicious object to a JNDI context.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Oracle WebLogic Server
Auth: none needed
Prerequisites: Access to a vulnerable WebLogic Server instance · LDAP server hosting malicious payload
Analyzed by devstral-2 on Feb 18, 2026

fevar54/CVE-2024-21182---Oracle-WebLogic-Server-JNDI-Injection-RCE · github · WORKING POC
by fevar54 · poc
https://github.com/fevar54/CVE-2024-21182---Oracle-WebLogic-Server-JNDI-Injection-RCE

This repository contains a functional exploit for CVE-2024-21182, demonstrating a JNDI injection vulnerability in Oracle WebLogic Server that leads to remote code execution (RCE). The exploit chain involves a malicious LDAP server, a Java payload, and a T3 client to trigger the vulnerability.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Oracle WebLogic Server (12.2.1.4.0, 14.1.1.0.0)
Auth: none needed
Prerequisites: JDK 8 or higher · WebLogic T3 client library (wlthint3client.jar) · Access to T3/IIOP ports (e.g., 7001)
Analyzed by devstral-2 on Jun 10, 2026

jenniferreire26/CVE-2024-21182 · github · SUSPICIOUS
by jenniferreire26 · poc
https://github.com/jenniferreire26/CVE-2024-21182

The repository claims to provide an exploit for CVE-2024-21182 but lacks actual exploit code, instead directing users to an external download link. The README contains vague details and no technical depth. Treat the external download as untrusted; there is nothing in the repository to review.

Classification: Suspicious (95%)
Attack Type: XSS (classifier output; inconsistent with this CVE, which is a T3/IIOP JNDI issue, and not supported by any code in the repository)
Complexity: Theoretical
Reliability: Theoretical
Target: Oracle WebLogic Server 12.2.1.4.0, 14.1.1.0.0
Auth: none needed
Prerequisites: reachable vulnerable target · predictable user/workflow context
Analyzed by devstral-2 on Jun 09, 2026

johnniebozura31/CVE-2024-21182 · github · SUSPICIOUS
by johnniebozura31 · poc
https://github.com/johnniebozura31/CVE-2024-21182

The repository claims to provide an exploit for CVE-2024-21182 but only includes a README with generic details and a link to an external download. No actual exploit code is present, and the README lacks technical depth. Treat the external download as untrusted; there is nothing in the repository to review.

Classification: Suspicious (90%)
Attack Type: XSS (classifier output; inconsistent with this CVE, which is a T3/IIOP JNDI issue, and not supported by any code in the repository)
Complexity: Trivial
Reliability: Theoretical
Target: Oracle WebLogic Server 12.2.1.4.0, 14.1.1.0.0
Auth: none needed
Prerequisites: reachable vulnerable target · predictable user/workflow context
Analyzed by devstral-2 on Jun 05, 2026


Scores

CVSS v3: 7.5
EPSS: 0.4824
EPSS Percentile: 98.7%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC (Vulnrichment)

Exploitation: active
Automatable: yes
Technical Impact: partial

Lab Environment

Community Lab
docker pull vulhub/weblogic:12.2.1.3-2018

This image is WebLogic 12.2.1.3 (2018 build), an unsupported release that Oracle's advisory does not assess; it is the build the dinosn PoC targets. Oracle's listed affected versions are 12.2.1.4.0 and 14.1.1.0.0, so results against this image do not by themselves confirm behaviour on supported releases.

Details

CISA KEV: 2026-06-01
VulnCheck KEV: 2026-06-01
ENISA EUVD: EUVD-2024-18896
Status: published
Products (4):
- oracle/weblogic_server 12.2.1.4.0
- oracle/weblogic_server 14.1.1.0.0
- Oracle Corporation/WebLogic Server 12.2.1.4.0
- Oracle Corporation/WebLogic Server 14.1.1.0.0
Published: Jul 16, 2024
KEV Added: Jun 01, 2026
Tracked Since: Feb 18, 2026