Oracle Patches Exploited Agile PLM Zero-Day

Oracle has patched a high-severity information disclosure zero-day in Agile PLM that has been exploited in the wild.

Oracle this week announced patches for a high-severity information disclosure vulnerability in Agile Product Lifecycle Management (PLM) that has been exploited in the wild.

Tracked as CVE-2024-21287 (CVSS score of 7.5), the zero-day affects Agile PLM version 9.3.6 and can be exploited remotely without authentication.

In its advisory, Oracle has credited Joel Snape and Lutz Wolf of CrowdStrike for reporting the flaw, while Eric Maurice, Oracle VP of security assurance, revealed that the security defect was caught being actively exploited in the wild.

“If successfully exploited, an unauthenticated perpetrator could download, from the targeted system, files accessible under the privileges used by the PLM application,” Maurice said.

According to Oracle's advisory, the flaw is easily exploitable by a remote, unauthenticated attacker with HTTP network access to the Agile PLM Framework, and successful exploitation can lead to unauthorized access to critical data or complete access to all data accessible to the Agile PLM Framework.

“Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible,” the tech giant notes in its advisory.

Neither Oracle nor CrowdStrike has shared technical details on the vulnerability or on the observed in-the-wild exploitation.

SecurityWeek has emailed both companies for additional information on CVE-2024-21287’s in-the-wild exploitation and will update this article as soon as they reply.

Introduced roughly two decades ago, Agile PLM provides organizations with product data and process management and collaboration capabilities across teams. In April 2024, Oracle said it would discontinue the product, ending premier support for it on December 31, 2027.

Related: Fortinet VPN Zero-Day Exploited in Malware Attacks Remains Unpatched: Report

Related: Oracle Patches Over 200 Vulnerabilities With October 2024 CPU

Related: Open Source Package Entry Points May Lead to Supply Chain Attacks

Related: New DLL Search Order Hijacking Technique Targets WinSxS Folder

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
