What vulnerability is being actively exploited in Oracle Agile PLM?

The vulnerability being actively exploited is tracked as CVE-2024-20953 with a CVSS score of 8.8. It's a flaw in Oracle Agile PLM's Export component.

How does CVE-2024-20953 work?

This vulnerability allows low-privileged attackers with network access via HTTP to compromise Oracle Agile PLM systems. It can result in complete takeover of the affected systems.

Which versions of Oracle Agile PLM are affected?

Oracle Agile PLM version 9.3.6 is affected by this vulnerability.

When was this vulnerability fixed?

The vulnerability was fixed in January 2024.

Were there other Oracle Agile PLM vulnerabilities recently exploited?

Yes, another Oracle Agile PLM vulnerability (CVE-2024-21287) with a CVSS score of 7.5 was actively exploited in late 2023.

What actions does CISA recommend?

CISA recommends that all organizations apply the necessary updates to address these vulnerabilities.

Attack

CISA reports active exploitation of Oracle AgilePLM flaws

Q: Has CISA provided details about the attack campaigns?

No, CISA has confirmed active exploitation but hasn't provided any details about the specific attack campaigns.

Q: Is there a deadline for federal agencies to address this vulnerability?

Yes, federal agencies are required to secure their networks against these threats by March 17, 2025.

published: Feb. 25, 2025

Take action: If you are a year late to patch your Oracle PLM, high time to catch up. Because hackers are about to make you catch up.

Learn More

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is reporting active exploitation of flaw in Oracle Agile Product Lifecycle Management (PLM) system.

The exploited flaw is tracked as CVE-2024-20953 (CVSS score 8.8), it's vulnerability in Oracle Agile PLM's Export component that allows low-privileged attackers with network access via HTTP to compromise the system. It affects Oracle Agile PLM version 9.3.6 and can result in complete takeover of Oracle Agile PLM systems. It was fixed in January 2024

CISA has confirmed active exploitation but hasn't provided any details about the attack campaigns. Another Oracle Agile PLM vulnerability (CVE-2024-21287, CVSS score: 7.5) was actively exploited in late 2023.

CISA recommends that all organizations apply the necessary updates. Federal agencies are required to secure their networks against these threats by March 17, 2025.

CISA reports active exploitation of Oracle AgilePLM flaws

Read More
ShinyHunters Exploits Salesforce Misconfigurations to Target 100 High-Profile …
Critical authentication bypass flaw in JobMonster WordPress theme …
Microsoft Issues Emergency Patch for Actively Exploited Office …
Broadcom confirms active exploitation of two vulnerabilities in …
Critical Langflow authentication vulnerability actively exploited