CVE-2024-20953

Severity: HIGH | Listed in CISA KEV

Oracle Agile Product Lifecycle Management - Insecure Deserialization


Description

Vulnerability in the Oracle Agile PLM product of Oracle Supply Chain (component: Export). The supported version that is affected is 9.3.6. This easily exploitable vulnerability allows a low-privileged attacker with network access via HTTP to compromise Oracle Agile PLM. Successful attacks can result in takeover of Oracle Agile PLM. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Scores

CVSS v3.1 Base Score 8.8 (HIGH)
EPSS Score 0.6904 (estimated probability of exploitation activity in the next 30 days)
EPSS Percentile 98.6%
Attack Vector NETWORK
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitation Intel

CISA KEV 2025-02-24
VulnCheck KEV 2025-02-24
ENISA EUVD EUVD-2024-18667

Classification

CWE CWE-502 (Deserialization of Untrusted Data)
Status published

Affected Products (1)

oracle/agile_product_lifecycle_management

Timeline

Published Feb 17, 2024
KEV Added Feb 24, 2025
Tracked Since Feb 18, 2026