The cybersecurity agency CISA on Monday added an Oracle Agile Product Lifecycle Management (PLM) software flaw to its Known Exploited Vulnerabilities (KEV) catalog.
The vulnerability, tracked as CVE-2024-20953, was patched in the PLM product in January 2024. The security hole, described as a high-severity deserialization issue, can allow a low-privileged attacker to execute arbitrary code and take over the software.
The issue was reported to Oracle through Trend Micro’s Zero Day Initiative (ZDI), which disclosed very limited technical details in an advisory published in February 2024.
“The specific flaw exists within the ExportServlet. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user,” ZDI’s advisory reads.
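The pattern ZDI describes, a servlet handing client-supplied bytes straight to a Java deserializer, is illustrated by the following added example. It is hypothetical code written for this article, not Oracle's ExportServlet or anything from ZDI; the servlet API (javax.servlet), the class names in the allowlist and the request type are assumptions.

```java
import java.io.*;
import javax.servlet.ServletException;
import javax.servlet.http.*;

// Hypothetical servlet illustrating the bug class only; not Oracle's ExportServlet.
public class ExportServletExample extends HttpServlet {

    // Unsafe pattern: the request body goes straight into ObjectInputStream, so the
    // client chooses which Serializable classes on the classpath get instantiated.
    static Object readUnsafe(InputStream body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(body)) {
            return in.readObject();
        }
    }

    // Hardened pattern (JEP 290, Java 9+): an allowlist of the classes this endpoint
    // legitimately expects, "!*" rejecting everything else, plus graph-size limits.
    // The class names here are assumptions for the example.
    static final ObjectInputFilter EXPORT_FILTER = ObjectInputFilter.Config.createFilter(
        "com.example.export.ExportRequest;java.lang.String;java.util.ArrayList;"
        + "maxdepth=5;maxrefs=100;maxbytes=65536;!*");

    static Object readFiltered(InputStream body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(body)) {
            in.setObjectInputFilter(EXPORT_FILTER);
            // A class outside the allowlist (or an over-size graph) is rejected with
            // InvalidClassException before its constructor or readObject ever runs.
            return in.readObject();
        }
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        try {
            Object export = readFiltered(req.getInputStream());
            // ... handle the (now type-constrained) export request ...
            resp.setStatus(HttpServletResponse.SC_OK);
        } catch (InvalidClassException rejected) {
            // Filter rejection: log it; repeated hits from one account are worth an alert.
            log("rejected serialized payload from " + req.getRemoteAddr() + ": " + rejected.getMessage());
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
        } catch (ClassNotFoundException e) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
        }
    }
}
```

Even with the filter, the durable fix is to stop accepting Java-serialized input from clients at all and use a data-only format such as JSON bound to a fixed schema.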
No information describing the attacks that exploit this Oracle Agile PLM vulnerability appears to be publicly available.
However, since exploitation of the vulnerability requires authentication, it’s likely exploited by attackers after they have gained initial access to a system via the exploitation of a different flaw. This indicates that CVE-2024-20953 has likely been exploited in targeted attacks.
This is the second Agile PLM vulnerability flagged as exploited in the wild in recent months. In November 2024, Oracle announced patches for CVE-2024-21287 and warned that it had been exploited in attacks.
CVE-2024-21287, however, has been rated ‘critical severity’ as it can be exploited remotely without authentication to access critical data. No information seems to be publicly available on the exploitation of CVE-2024-21287 either.
Exploitation of CVE-2024-21287 was spotted last year by CrowdStrike. It’s unclear if the two Agile PLM vulnerabilities have been exploited in the same attacks.
SecurityWeek has reached out to the security firm for additional information and will update this article if it responds.
CISA has instructed federal agencies to address CVE-2024-20953 in their environments by March 17.
It’s not uncommon for threat actors to exploit Oracle product vulnerabilities in their attacks, but in most cases they have targeted WebLogic flaws.
CISA on Monday also added an Adobe ColdFusion vulnerability tracked as CVE-2017-3066 to its KEV list, but exploitation of this flaw has been known since 2018.
