
CISA Warns of Attacks Exploiting Oracle Agile PLM Vulnerability


The cybersecurity agency CISA on Monday added an Oracle Agile Product Lifecycle Management (PLM) software flaw to its Known Exploited Vulnerabilities (KEV) catalog.

The vulnerability, tracked as CVE-2024-20953, was patched in the PLM product in January 2024. The security hole, described as a high-severity deserialization issue, can allow a low-privileged attacker to execute arbitrary code and take over the software.

The issue was reported to Oracle through Trend Micro’s Zero Day Initiative (ZDI), which disclosed very limited technical details in an advisory published in February 2024.

“The specific flaw exists within the ExportServlet. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user,” ZDI’s advisory reads.
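The flaw class ZDI describes (a servlet handing a request body to Java's native deserialization without constraining what it may contain) is shown below as an added example; it is hypothetical illustrative code, not Oracle's ExportServlet, and the `ExportRequest` type and `ExportServletExample` class are assumed names. It puts the unfiltered read beside a hardened read that uses a JEP 290 `ObjectInputFilter` allow-list, which is the standard mitigation for this bug class on Java 9 and later.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.Serializable;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical export request type; stands in for whatever the real servlet expects. */
final class ExportRequest implements Serializable {
    String reportName;
}

public class ExportServletExample extends HttpServlet {
    /** Vulnerable pattern: the body goes straight to ObjectInputStream, so any Serializable
     *  class on the classpath (gadget chains included) can be instantiated by the client. */
    static Object readUnfiltered(InputStream body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(body)) {
            return in.readObject();
        }
    }

    /** Hardened pattern (JEP 290, Java 9+): an allow-list filter accepts only the expected type
     *  and bounds graph depth and array sizes; everything else is rejected before construction. */
    static Object readFiltered(InputStream body) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "ExportRequest;maxdepth=5;maxarray=1024;!*");
        try (ObjectInputStream in = new ObjectInputStream(body)) {
            in.setObjectInputFilter(filter);
            return in.readObject();   // InvalidClassException for any rejected class
        }
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        try {
            Object payload = readFiltered(req.getInputStream());
            if (!(payload instanceof ExportRequest)) {
                resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "unexpected payload type");
                return;
            }
            resp.setStatus(HttpServletResponse.SC_OK);
        } catch (ClassNotFoundException | InvalidClassException e) {
            // A rejected class is the event worth logging and alerting on at this endpoint.
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "rejected serialized input");
        }
    }
}
```

On a JVM where the application code cannot be changed, the same allow-list can be applied process-wide with the `jdk.serialFilter` system property, which also gives a single place to log rejected classes.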

No information appears to be publicly available on the attacks describing exploitation of this Oracle Agile ...


Copyright of this story belongs to SecurityWeek.