Threat Intelligence Brief - Tuesday, June 2, 2026

Operational threat reporting for defenders who need signal, not noise.

By DevSecOpsDad

Executive Signal

  • Oracle WebLogic CVE-2024-21182 is under active exploitation — unauthenticated remote compromise of WebLogic servers over T3/IIOP. CISA has added it to the KEV catalog with a federal remediation deadline. Enterprise exposure warrants equivalent urgency.
  • Google’s June 2026 Android update patches CVE-2025-48595, a zero-day confirmed exploited in targeted attacks. Managed Android device fleets require immediate update enforcement.
  • HP VoIP phones carry a critical stack-based buffer overflow enabling remote code execution. Exploitation is unconfirmed, but the attack surface is broad in enterprise environments and lateral movement risk is real.
  • Legacy infrastructure (WebLogic), mobile endpoints (Android), and overlooked network devices (VoIP) are all in active or near-active play simultaneously. Patch debt across all three categories compounds exposure.

Immediate Action Required

Oracle WebLogic Server — CVE-2024-21182 (Active Exploitation) Identify all internet-facing and internally accessible WebLogic instances, noting which listen ports carry T3/IIOP. Apply the fix from the Oracle Critical Patch Update that addresses CVE-2024-21182 immediately. If patching cannot be completed within 24–48 hours, isolate affected servers at the network level. CISA’s KEV listing confirms in-the-wild exploitation.

Android — CVE-2025-48595 (Active Exploitation) Push the June 2026 Android security update to all managed devices via MDM. Prioritize devices with access to corporate email, VPN, or sensitive applications. Devices that cannot receive the update should be flagged for restricted network access pending remediation.


High-Impact Developments

Oracle WebLogic CVE-2024-21182 Actively Exploited — Added to CISA KEV

  • What happened: CVE-2024-21182, a high-severity Oracle WebLogic Server vulnerability that Oracle patched in an earlier Critical Patch Update, is now confirmed actively exploited. CISA has added it to the Known Exploited Vulnerabilities catalog, which under BOD 22-01 obliges federal agencies to remediate by the listed due date. The flaw allows an unauthenticated attacker with network access to the T3/IIOP listener to compromise affected WebLogic servers.
  • Why it matters: WebLogic is widely deployed in enterprise middleware and cloud environments. Exploitation requires no credentials, so any exposed instance is at immediate risk of compromise and can serve as a pivot point into broader infrastructure.
  • Who should care: Vulnerability management leads, SOC leaders, and security architects responsible for Java EE middleware, Oracle Fusion, or any WebLogic deployment. Cloud teams running WebLogic in IaaS environments should validate exposure.
  • Recommended action: Audit WebLogic inventory immediately. Apply the Oracle CPU fix for CVE-2024-21182. Confirm that WebLogic admin consoles and T3/IIOP listeners are not reachable from untrusted networks; where a listener must stay up, restrict T3/IIOP at the network edge or with a WebLogic connection filter. Review recent access logs on WebLogic hosts for anomalous activity.
  • Confidence: High — confirmed exploitation, CISA KEV listed, dual-source reporting.
  • Search metadata: CVE-2024-21182 · Oracle WebLogic Server · Oracle
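The inventory and exposure check recommended above can be scripted. The following is an added example written for this brief, not Oracle's or the author's code: it sends the public T3 client hello (the same probe nmap's weblogic-t3-info script uses) and parses the HELO reply. A HELO from a host means its T3 listener is reachable from wherever the script runs, which is exactly the exposure to close; the version is recorded for inventory. WebLogic multiplexes T3, IIOP and HTTP on one listen port, so the default port 7001 is assumed unless given.

```python
"""Find WebLogic T3 listeners by sending the T3 client hello and parsing the HELO reply.

Added example for this brief, not Oracle's or the brief's own code. It relies only on the
public T3 handshake format. A HELO reply means the T3 listener is reachable from here.
"""
import socket
import sys

# Client hello: the version we claim plus the abbreviation/header-length fields WebLogic expects.
T3_PROBE = b"t3 12.2.1\nAS:255\nHL:19\n\n"


def parse_t3_helo(data: bytes):
    """Parse a reply like b'HELO:12.2.1.4.0.false\\nAS:2048\\nHL:19\\n\\n'.

    Returns (server_version, trailing_flag) where the flag is the HELO's final true/false
    token returned uninterpreted, or None when the reply is not a T3 HELO (HTTP banner,
    garbage, empty read)."""
    first_line = data.decode("ascii", errors="replace").split("\n", 1)[0]
    if not first_line.startswith("HELO:"):
        return None
    version, sep, flag = first_line[len("HELO:"):].rpartition(".")
    if not sep or flag not in ("true", "false"):
        return None
    return version, flag == "true"


def probe_t3(host: str, port: int = 7001, timeout: float = 3.0):
    """Return parse_t3_helo() of the server's reply, or None if closed, filtered or not T3."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(T3_PROBE)
            reply = sock.recv(1024)
    except OSError:
        return None
    return parse_t3_helo(reply)


def main(argv):
    if len(argv) < 2:
        print(f"usage: {argv[0]} host[:port] ...", file=sys.stderr)
        return 2
    exposed = 0
    for target in argv[1:]:
        host, _, port = target.partition(":")
        result = probe_t3(host, int(port) if port else 7001)
        if result is None:
            print(f"{target}: no T3 HELO (closed, filtered, or not WebLogic)")
            continue
        version, helo_flag = result
        exposed += 1
        print(f"{target}: T3 reachable, WebLogic {version}, helo_flag={helo_flag}")
    # Non-zero exit when anything answered, so the script can gate a CI or scan job.
    return 1 if exposed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from a network position that should not be able to reach T3 (the internet, a user VLAN); any host that answers is a finding regardless of version, since the advisory's precondition is simply network access to T3/IIOP.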

Android Zero-Day CVE-2025-48595 Patched — Exploitation Confirmed in Targeted Attacks

  • What happened: Google’s June 2026 Android security bulletin addresses 124 vulnerabilities, including CVE-2025-48595 — a zero-day Google confirms has been exploited in limited, targeted attacks. The full patch set is now available.
  • Why it matters: Targeted Android zero-day exploitation typically indicates sophisticated actors — nation-state or advanced criminal groups — selectively compromising high-value individuals. Enterprise mobile fleets, particularly executive and privileged-user devices, are the most likely targets. Once a patch is public, the fix can be diffed and the exploit reproduced, so the window before exploitation spreads beyond the original targets closes quickly.
  • Who should care: SOC leaders and IT security teams managing enterprise mobile device programs. Organizations in sectors historically targeted by mobile spyware campaigns should treat this with elevated urgency.
  • Recommended action: Enforce the June 2026 Android patch via MDM immediately. Prioritize devices belonging to executives, legal, finance, and IT administrators. Devices unable to receive updates should be reviewed for continued network access.
  • Confidence: High — Google confirmed exploitation, dual-source reporting.
  • Search metadata: CVE-2025-48595 · Android · Google · Mobile
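The enforcement and prioritisation steps above reduce to comparing each device's reported patch level with the bulletin's. The script below is an added example written for this brief, not Google's or any MDM vendor's code. Android exposes the level as ro.build.version.security_patch in YYYY-MM-DD form, and every monthly bulletin names two levels (YYYY-MM-01 and YYYY-MM-05), the later one covering all issues in the bulletin. Assumptions: the June 2026 full patch level is 2026-06-05 (take the real value from the bulletin), and the device records are constructed in the shape of an MDM export.

```python
"""Triage a managed Android fleet against the patch level that carries the CVE-2025-48595 fix.

Added example for this brief, not Google's or an MDM vendor's code. ASSUMPTIONS: the June
2026 bulletin's full patch level is 2026-06-05 (confirm against the bulletin); the DEVICES
inventory is constructed, not real.
"""
from datetime import date, timedelta

REQUIRED_PATCH_LEVEL = "2026-06-05"       # assumed; confirm against the bulletin
STALE_AFTER_DAYS = 365                    # older than this: probably no longer receiving updates
PRIORITY_ROLES = {"executive", "legal", "finance", "it_admin"}  # the brief's priority groups
SENSITIVE_ACCESS = {"email", "vpn"}

# Constructed MDM export (one dict per enrolled device).
DEVICES = [
    {"id": "dev-001", "role": "finance",   "security_patch": "2026-06-05", "access": ["email", "vpn"]},
    {"id": "dev-002", "role": "executive", "security_patch": "2026-04-05", "access": ["email", "vpn"]},
    {"id": "dev-003", "role": "ops",       "security_patch": "2023-11-05", "access": []},
    {"id": "dev-004", "role": "it_admin",  "security_patch": "",           "access": ["vpn"]},
    {"id": "dev-005", "role": "legal",     "security_patch": "2026-06-01", "access": ["email"]},
]


def parse_patch_level(value):
    """'2026-06-05' -> date(2026, 6, 5); empty or malformed -> None."""
    try:
        year, month, day = (int(part) for part in value.split("-"))
        return date(year, month, day)
    except (AttributeError, TypeError, ValueError):
        return None


def is_compliant(device, required=REQUIRED_PATCH_LEVEL):
    """Compliant only with a parseable level at or after the required one.
    A -01 level from the same month is NOT enough: it omits the bulletin's second batch."""
    level = parse_patch_level(device.get("security_patch"))
    return level is not None and level >= parse_patch_level(required)


def needs_restriction(device, required=REQUIRED_PATCH_LEVEL, stale_days=STALE_AFTER_DAYS):
    """True when the device reports no usable patch level, or one so old that it is unlikely
    to ever receive this update; the brief flags such devices for restricted network access."""
    level = parse_patch_level(device.get("security_patch"))
    if level is None:
        return True
    return level < parse_patch_level(required) - timedelta(days=stale_days)


def triage(devices, required=REQUIRED_PATCH_LEVEL):
    """Bucket devices: compliant, urgent (priority role or sensitive access), standard."""
    buckets = {"compliant": [], "urgent": [], "standard": []}
    for device in devices:
        if is_compliant(device, required):
            buckets["compliant"].append(device["id"])
        elif device.get("role") in PRIORITY_ROLES or SENSITIVE_ACCESS & set(device.get("access", [])):
            buckets["urgent"].append(device["id"])
        else:
            buckets["standard"].append(device["id"])
    return buckets


def restriction_candidates(devices):
    """Devices to move to restricted network access pending remediation."""
    return [d["id"] for d in devices if needs_restriction(d)]


if __name__ == "__main__":
    for bucket, ids in triage(DEVICES).items():
        print(f"{bucket:10s} {', '.join(ids) or '-'}")
    print(f"restrict   {', '.join(restriction_candidates(DEVICES)) or '-'}")
```

The point of treating a same-month -01 level as non-compliant is that the two levels are not equivalent; a fleet report that only checks the month hides devices that received the first batch but not the second.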

Critical RCE Vulnerability in HP VoIP Phones — Enterprise Network Entry Point

  • What happened: A critical stack-based buffer overflow has been disclosed in HP VoIP phones. Successful exploitation enables remote code execution on the affected device. No CVE identifier was available and exploitation in the wild had not been confirmed at time of reporting.
  • Why it matters: VoIP phones are routinely excluded from vulnerability management programs. They sit on enterprise networks with minimal monitoring and typically fall outside standard endpoint patching workflows. A compromised VoIP device provides a persistent foothold for lateral movement.
  • Who should care: Network security architects, vulnerability management leads, and IT operations teams responsible for physical and virtual telephony infrastructure.
  • Recommended action: Identify affected HP VoIP phone models and check for vendor firmware updates. If no patch is available, assess whether affected devices can be segmented onto isolated VLANs with restricted outbound access. Add to active monitoring pending vendor remediation.
  • Confidence: Medium — single source, no CVE assigned, exploitation status unconfirmed.
  • Search metadata: HP VoIP Phones · HP · Network Breach · Enterprise
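The "add to active monitoring" step above is concrete: a phone has a short, stable list of things it should talk to, so anything else it initiates is a lead. The following is an added example for this brief, not HP's code or real data, that runs that check over flow records flattened to one line each. Every address and port below is an assumption constructed for the example: phones in 10.50.0.0/16, a call manager at 10.10.5.20, media servers in 10.10.5.0/24, DNS and NTP at 10.10.1.1, and 10.0.0.0/8 as the corporate range.

```python
"""Flag VoIP phones that initiate traffic beyond their telephony dependencies.

Added example for this brief, not HP's code or a real dataset. All networks, hosts and the
FLOWS records are constructed for the example; substitute your own baseline.
"""
import ipaddress
from collections import defaultdict

VOICE_VLAN = ipaddress.ip_network("10.50.0.0/16")     # assumed phone VLAN
MEDIA_NET = ipaddress.ip_network("10.10.5.0/24")      # assumed media/gateway subnet
CORP_NETS = [ipaddress.ip_network("10.0.0.0/8")]      # assumed corporate address space
RTP_PORTS = range(16384, 32768)                       # common RTP range; adjust to your call manager
ALLOWED = {                                           # (dst, proto, dport) a phone legitimately needs
    ("10.10.5.20", "udp", 5060), ("10.10.5.20", "tcp", 5061),
    ("10.10.1.1", "udp", 53), ("10.10.1.1", "udp", 123),
}
LATERAL_PORTS = {22: "ssh", 135: "msrpc", 445: "smb", 3389: "rdp", 5985: "winrm"}

# Constructed flows: "<timestamp> <src> <dst> <proto> <dport>"
FLOWS = """\
2026-06-02T08:01:12Z 10.50.3.17 10.10.5.20 udp 5060
2026-06-02T08:01:13Z 10.50.3.17 10.10.5.44 udp 20000
2026-06-02T08:02:40Z 10.50.3.17 10.10.1.1 udp 53
2026-06-02T08:05:09Z 10.50.3.17 10.20.8.12 tcp 445
2026-06-02T08:05:11Z 10.50.3.17 10.20.8.12 tcp 3389
2026-06-02T08:06:00Z 10.50.7.2 203.0.113.9 tcp 443
2026-06-02T08:07:00Z 10.20.8.12 10.50.3.17 tcp 80
"""


def parse_flow(line):
    ts, src, dst, proto, dport = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto.lower(), "dport": int(dport)}


def classify(flow):
    """Label one phone-originated flow: allowed, media, lateral, external or unexpected."""
    dst = ipaddress.ip_address(flow["dst"])
    if (flow["dst"], flow["proto"], flow["dport"]) in ALLOWED:
        return "allowed"
    if flow["proto"] == "udp" and flow["dport"] in RTP_PORTS and dst in MEDIA_NET:
        return "media"
    if flow["proto"] == "tcp" and flow["dport"] in LATERAL_PORTS:
        return "lateral"
    if not any(dst in net for net in CORP_NETS):
        return "external"
    return "unexpected"


def analyze(text):
    """Return {phone_ip: [(label, dst, dport), ...]} for every phone-originated flow that is
    neither signalling/media nor a known dependency. Flows whose source is outside the voice
    VLAN (e.g. a workstation browsing to a phone) are out of scope here and skipped."""
    findings = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if ipaddress.ip_address(flow["src"]) not in VOICE_VLAN:
            continue
        label = classify(flow)
        if label not in ("allowed", "media"):
            findings[flow["src"]].append((label, flow["dst"], flow["dport"]))
    return dict(findings)


if __name__ == "__main__":
    for phone, hits in analyze(FLOWS).items():
        for label, dst, dport in hits:
            detail = f" ({LATERAL_PORTS[dport]})" if label == "lateral" else ""
            print(f"ALERT {phone} -> {dst}:{dport} {label}{detail}")
```

The same allow-list is what the VLAN's egress ACL should enforce once the phones are segmented; running it as detection first tells you which flows the ACL would break before you deploy it.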

Monitor Only

  • No additional items from today’s feed met the threshold for inclusion. All three clusters warranted elevated treatment.

Analyst Observation

Today’s brief is a patch-debt story wearing three different masks. CVE-2024-21182 was patched by Oracle long before today’s KEV listing; the organizations being compromised right now either chose not to apply the fix or didn’t know they had exposure. The Android zero-day is a reminder that mobile device management hygiene remains inconsistent in most enterprises, particularly for non-standard device populations. The HP VoIP finding is the one to watch: network-attached devices outside traditional patch management scope are a recurring blind spot, and attackers know it. If your vulnerability program lacks explicit coverage for OT-adjacent and IoT-class devices on enterprise networks, this is a reasonable prompt to close that gap before exploitation is confirmed.



Generated by DevSecOpsDadAttack cyber threat intelligence.