CVE-2024-20953
Severity: HIGH | CISA KEV
Oracle Agile PLM 9.3.6 - Authenticated Remote Code Execution via Export Component Deserialization
Title source: llm
Exploitation Summary
CVE-2024-20953 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added February 24, 2025.
Description
Vulnerability in the Oracle Agile PLM product of Oracle Supply Chain (component: Export). The supported version that is affected is 9.3.6. This easily exploitable vulnerability allows a low-privileged attacker with network access via HTTP to compromise Oracle Agile PLM. Successful attacks of this vulnerability can result in takeover of Oracle Agile PLM. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
References (3)
Core References
US Government Resource
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-20953
Third Party Advisory
https://www.zerodayinitiative.com/advisories/ZDI-24-096/
Vendor Advisory
https://www.oracle.com/security-alerts/cpujan2024.html
Scores
CVSS v3
8.8
EPSS
0.6791
EPSS Percentile
98.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
active
Automatable
no
Technical Impact
total
Details
CISA KEV
2025-02-24
VulnCheck KEV
2025-02-24
ENISA EUVD
EUVD-2024-18667
CWE
CWE-502
Status
published
Products (1)
oracle/agile_product_lifecycle_management
9.3.6
Published
Feb 17, 2024
KEV Added
Feb 24, 2025
Tracked Since
Feb 18, 2026