Oracle Agile PLM Vulnerability: Low-Privilege Attack Can Lead to Takeover
CVE-2024-20953

8.8 HIGH

Key Information:

Vendor
Oracle
CVE Published:
17 February 2024

Badges

📈 Score: 325 · 👾 Exploit Exists · 🟣 EPSS 74% · 🦅 CISA Reported · 📰 News Worthy

What is CVE-2024-20953?

CVE-2024-20953 is a vulnerability found in Oracle Agile PLM, part of Oracle's Supply Chain suite. This vulnerability primarily affects version 9.3.6 of the product, enabling low-privilege attackers with network access via HTTP to potentially compromise the system. The nature of the vulnerability allows for unauthorized takeover of Oracle Agile PLM, which could severely disrupt operations for organizations relying on this software for product lifecycle management.

Technical Details

CVE-2024-20953 has been classified with a CVSS 3.1 base score of 8.8, indicating its severity. The vulnerability allows attackers to gain access without requiring high privileges, creating an easier path for exploitation. The exploitation involves sending crafted HTTP requests to the affected system, leading to significant risks concerning confidentiality, integrity, and availability of the data and services managed by Oracle Agile PLM.

Potential impact of CVE-2024-20953

  1. Unauthorized System Takeover: Exploiting this vulnerability could allow attackers to gain complete control over the Oracle Agile PLM system, leading to unauthorized access and potential manipulation of sensitive data.

  2. Compromise of Data Integrity: Attackers may alter critical information stored within the Oracle Agile PLM system, potentially leading to erroneous product lifecycle data, which could disrupt business processes and decision-making.

  3. Service Disruption: Given the nature of the vulnerability, successful exploitation could lead to significant downtime and operational disruption, affecting organizations that depend on Oracle Agile PLM for their supply chain management and product lifecycle processes.

CISA Reported

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified this one as being exploited, but it is not known by CISA to be used in ransomware campaigns. This is subject to change at pace.

The CISA's recommendation is: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Affected Version(s)

Agile PLM Framework 9.3.6

News Articles

CISA Adds CVE-2017-3066 And CVE-2024-20953 To KEV Catalog

CISA highlights active exploits for CVE-2017-3066 in Adobe ColdFusion and CVE-2024-20953 in Oracle PLM.

CISA Warns of Oracle Agile Vulnerability Exploited in the Wild

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent advisory regarding CVE-2024-20953, a high-severity deserialization vulnerability in Oracle’s Agile Product Lifecycle Management (PLM) software that is being actively exploited in the wild.

CISA Warns of Attacks Exploiting Oracle Agile PLM Vulnerability

CISA has added CVE-2024-20953, an Oracle Agile PLM vulnerability patched in January 2024, to its KEV catalog. 

EPSS Score

74% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • 📰 First article discovered by SecurityWeek

  • 👾 Exploit known to exist

  • 🦅 CISA Reported

  • Vulnerability published

  • Vulnerability Reserved
