Oracle this week announced patches for a high-severity information disclosure vulnerability in Agile Product Lifecycle Management (PLM) that has been exploited in the wild.
Tracked as CVE-2024-21287 (CVSS score of 7.5), the zero-day affects Agile PLM version 9.3.6 and can be exploited remotely without authentication.
In its advisory, Oracle credited Joel Snape and Lutz Wolf of CrowdStrike with reporting the flaw, while Eric Maurice, Oracle VP of security assurance, revealed that the security defect had been caught being actively exploited in the wild.
“If successfully exploited, an unauthenticated perpetrator could download, from the targeted system, files accessible under the privileges used by the PLM application,” Maurice said.
According to the company, a remote, unauthenticated attacker with network access over HTTP could easily exploit CVE-2024-21287 to access critical data or gain complete access to all data accessible to the Agile PLM Framework.
“Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible,” the tech giant notes in its advisory.
Neither Oracle nor CrowdStrike has shared technical details on the vulnerability or on the observed in-the-wild exploitation.
SecurityWeek has emailed both companies for additional information on CVE-2024-21287’s in-the-wild exploitation and will update this article as soon as they reply.
Introduced roughly two decades ago, Agile PLM provides organizations with product data and process management and collaboration capabilities across teams. In April 2024, Oracle said it would discontinue the product, ending premier support for it on December 31, 2027.