CVE-2024-21182 Elastic Security · Elastic

Detect Oracle WebLogic Server CVE-2024-21182 Exploitation Attempt in Elastic Security

Detects exploitation attempts targeting CVE-2024-21182, an unspecified vulnerability in Oracle WebLogic Server. This CVE is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Oracle WebLogic Server is a high-value target for threat actors due to its prevalence in enterprise Java EE environments. Exploitation may enable remote code execution, unauthorized data access, or server compromise.

MITRE ATT&CK

Tactic
Initial Access Execution Lateral Movement

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by source.ip with maxspan=5m
  [network where destination.port in (7001, 7002, 4848, 9002)
   and http.request.method in ("POST", "GET", "PUT")
   and (
     http.request.body.content : "*wls-wsat*" or
     http.request.body.content : "*_async*" or
     http.request.body.content : "*uddiexplorer*" or
     url.path : "/wls-wsat/*" or
     url.path : "/_async/*" or
     url.path : "/uddiexplorer/*" or
     url.path : "/bea_wls_internal/*"
   )
  ]
  [network where destination.port in (7001, 7002, 4848, 9002)
   and http.response.status_code in (200, 500, 400)
  ]
critical severity medium confidence

Elastic EQL sequence detection for CVE-2024-21182 exploitation. Correlates HTTP requests to known WebLogic vulnerable endpoints followed by server responses, flagging successful exploitation attempts.

Data Sources

Elastic APMFilebeat HTTP modulePacketbeatNetwork flow logs

Required Tables

logs-*filebeat-*packetbeat-*

False Positives & Tuning

  • Legitimate Java EE application deployments using WebLogic WSAT endpoints
  • Authorized WebLogic management tools accessing internal endpoints
  • Internal SOAP service integrations using WebLogic WS-AT coordination
  • Application performance monitoring probes on WebLogic ports

Other platforms for CVE-2024-21182

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1WebLogic WSAT Endpoint Probe

    Expected signal: HTTP GET request logged in WebLogic access.log to /wls-wsat/CoordinatorPortType from attacker IP on port 7001. Network flow data showing connection to WebLogic port.

  2. Test 2WebLogic Async Servlet POST Probe

    Expected signal: HTTP POST to /_async/AsyncResponseService visible in WebLogic access logs and network proxy logs. Process audit logs may show WebLogic JVM processing the request.

  3. Test 3WebLogic UDDI Explorer SSRF Probe

    Expected signal: HTTP GET request to /uddiexplorer/ path logged in WebLogic access log. If SSRF is active, outbound connection attempt from WebLogic server to 127.0.0.1:22 visible in network monitoring.

  4. Test 4WebLogic Admin Console Access Attempt

    Expected signal: HTTP GET to /console/login/LoginForm.jsp in WebLogic access logs. Windows Security event logs may show network logon attempts if authentication is attempted. Network flow logs capture the connection.

Last updated: 2026-06-19 Research depth: standard
References (3)

Unlock Pro Content

Get the full detection package for CVE-2024-21182 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0008Lateral Movement

Related Techniques

T1190Exploit Public-Facing ApplicationT1059Command and Scripting InterpreterT1210Exploitation of Remote ServicesT1027Obfuscated Files or Information

Same Tactic: Initial Access

Popular Detections