Two-year old Oracle WebLogic Server vulnerability is being exploited

US federal government departments have been given until Thursday to patch a two-year old high severity vulnerability in Oracle WebLogic Server that could allow an unauthenticated attacker to access critical data.

The vulnerability, CVE-2024-21182, was added Monday to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog, giving federal Oracle admins a mere four days to plug the hole.

Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0.

While the KEV is aimed at US federal departments, inclusion of a vulnerability on the list should be taken as a warning to the private sector as well.

At the time it was discovered, this vulnerability was rated 7.3 on the CVSS scale, nowhere near the 9+ rating that many infosec pros would see as signaling a need for immediate attention.

However, Robert Enderle, a consultant who heads the Enderle Group, said the inclusion of this vulnerability in the KEV now means that CISA has recently confirmed that threat actors are actively weaponizing it.

“To make the CISA KEV means that we’re seeing active exploitations,” agreed Tyler Reguly, Fortra’s associate director of security R&D. “Given that this CVE was patched by Oracle in the July 2024 Critical Patch Update (CPU), I would expect most admins to have patched this by now, particularly since it is a WebLogic vulnerability and, prior to the addition of this CVE, there were already a dozen WebLogic vulnerabilities listed in the KEV catalog.”

Older vulns under exploit

Reguly also had an observation about how fast vulnerabilities are added to the KEV. Based on a cursory review, he figured only about 41% of CVEs in the list were added during the same year they were released. Looking at release year + 1, that goes up to about 58%. That still means that, surprisingly, more than 40% of the CVEs added to the CISA KEV catalog are added two or more years after they are released. “I suppose it makes sense that it [the two-year-old Oracle hole] is just popping up now, if you consider that an organization that hasn’t patched their systems in multiple years is likely an easier target than an organization that patches regularly. After all, regular patching probably implies a more security-conscious environment.”
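As an added illustration of the lag Reguly describes (this script is not from the article, CISA or Fortra), the following computes the same-year / next-year / two-or-more-years breakdown from records in the shape of CISA's KEV JSON feed, using the CVE id's year as the "release" year. The sample records and their `dateAdded` values are constructed, and the `ExampleVendor` ids are placeholders, not real CVEs.

```python
import json
from collections import Counter

# Constructed sample in the shape of CISA's KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Dates are made up; the ExampleVendor ids are placeholders, not real CVEs.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-21182", "vendorProject": "Oracle", "product": "WebLogic Server", "dateAdded": "2026-01-05"},
    {"cveID": "CVE-2026-21962", "vendorProject": "Oracle", "product": "WebLogic Server", "dateAdded": "2026-01-20"},
    {"cveID": "CVE-2020-00003", "vendorProject": "Oracle", "product": "WebLogic Server", "dateAdded": "2023-03-01"},
    {"cveID": "CVE-2025-00001", "vendorProject": "ExampleVendor", "product": "Example Product", "dateAdded": "2026-02-02"},
    {"cveID": "CVE-2026-00002", "vendorProject": "ExampleVendor", "product": "Example Product", "dateAdded": "2026-02-03"},
]})


def load_kev(text: str) -> list:
    """Parse the KEV feed JSON and return its list of vulnerability records."""
    return json.loads(text)["vulnerabilities"]


def cve_year(cve_id: str) -> int:
    """Year component of a CVE identifier, e.g. CVE-2024-21182 -> 2024."""
    parts = cve_id.split("-")
    if len(parts) != 3 or parts[0] != "CVE" or not parts[1].isdigit():
        raise ValueError(f"not a CVE id: {cve_id!r}")
    return int(parts[1])


def years_to_kev(entry: dict) -> int:
    """Whole years between the CVE's year and the year CISA added it to KEV."""
    return int(entry["dateAdded"][:4]) - cve_year(entry["cveID"])


def lag_breakdown(entries: list) -> dict:
    """Fraction of entries added in the CVE's own year, the year after, or two-plus years later."""
    buckets = Counter()
    for e in entries:
        lag = years_to_kev(e)
        buckets["same_year" if lag <= 0 else "next_year" if lag == 1 else "two_plus"] += 1
    total = sum(buckets.values())
    return {k: round(buckets[k] / total, 3) for k in ("same_year", "next_year", "two_plus")}


def product_entries(entries: list, vendor: str, product: str) -> list:
    """KEV-listed CVE ids for one vendor/product, e.g. everything Oracle WebLogic an admin must have patched."""
    return sorted(e["cveID"] for e in entries
                  if e["vendorProject"] == vendor and product in e["product"])


if __name__ == "__main__":
    kev = load_kev(KEV_SAMPLE)
    print(lag_breakdown(kev))
    print(product_entries(kev, "Oracle", "WebLogic"))
```

To reproduce the figures on the real catalog, replace `KEV_SAMPLE` with the contents of the downloaded feed file.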

Asked for comment on why this vulnerability is being added two years after its discovery, a CISA spokesperson referred to the department’s webpage explaining criteria for including bugs in the catalog, which says the list is of vulnerabilities that have been exploited in the wild. The spokesperson didn’t answer a question about how many federal servers were still unpatched after so long.

Oracle WebLogic Server is a unified and extensible platform for developing, deploying, and running enterprise applications in Java, on-premises and in the cloud. It’s fully supported on Kubernetes, and enables users to migrate and efficiently build modern container apps with comprehensive Java services. In short, it’s a vital piece of middleware that can host sensitive corporate data.

Not surprisingly, threat actors are eager to exploit any vulnerabilities of this type. In 2019 it was reported that threat actors were scanning for WebLogic servers vulnerable to a new method of bypassing protections that Oracle had fixed the year before.

Earlier this year, security firm CloudSek set up a honeypot to study threat actor response to a newly discovered and extremely serious WebLogic Server remote code execution vulnerability, CVE-2026-21962, with a CVSS score of 10, as well as examining their interest in older holes. Over a 12-day period, attack attempts targeting the new zero-day-like flaw were observed immediately following the public release of its exploit code, “demonstrating the rapid weaponization of critical Oracle WebLogic vulnerabilities.”

Attackers also tried to exploit a flaw reported in 2017 and two 2020 vulnerabilities in the unpatched honeypot server that CloudSek created.

Slow patching a ‘clear risk’

Given the importance of Oracle products to large enterprises, the company recently switched to a monthly security patch release cycle from quarterly. The first of these patches was released Monday.

The recent addition of the WebLogic vulnerability to the KEV illustrates a common problem in how many organizations handle security, said Gene Moody, field CTO at Action1. “The issue is not just the vulnerability itself. The bigger problem is the delay between when a fix is released and when it is actually applied to real systems. That delay gives attackers a chance to act, while also signaling that the security practices of the target org may be under-enforced.”

It takes on average around 60 days for organizations to apply patches, he pointed out, while attackers are building and using exploits in just hours or days. This gap creates a convenient window in which unpatched systems become simple targets. In addition, systems carrying vulnerabilities more than a year old are unlikely to be isolated exceptions in an otherwise well-managed vulnerability management program.

“Attackers pay close attention to how quickly patches are applied,” he said. “When a well-known fix is not widely used, it demonstrates more than just exposure. It can point to poor system tracking, weak patch processes, or other priorities taking focus away from security. These issues often mean there are more weaknesses beyond the one vulnerability.”

Organizations should treat slow patching as a clear risk, Moody warned, not just yet another task waiting to be done. To improve the situation, there needs to be better tracking of systems, clear patch timelines, and verification that fixes are actually applied, not just planned.