Cyber Resilience

CVE-2024-20953

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited · RCE

Published: 17 February 2024
Modified: 27 October 2025
KEV Added: 24 February 2025
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.6791 (98.6th percentile)
Risk Priority: 78 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-20953 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Oracle Agile Product Lifecycle Management. Its CVSS base score is 8.8 (High).

Operationally, its EPSS score places it in the top 1.4% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-20953 is a vulnerability in the Export component of Oracle Agile PLM version 9.3.6 within Oracle Supply Chain. It carries a CVSS 3.1 base score of 8.8 with the vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H and is associated with CWE-502. The flaw permits remote compromise of the affected product.

A low-privileged attacker with network access over HTTP can exploit the issue without user interaction to achieve full takeover of Oracle Agile PLM, impacting confidentiality, integrity, and availability.

Oracle's January 2024 Critical Patch Update addresses the vulnerability, and the issue appears in CISA's Known Exploited Vulnerabilities catalog. The associated EPSS score reached a peak of 0.7032 with a current value of 0.6791.


Vulnerability details

Vulnerability in the Oracle Agile PLM product of Oracle Supply Chain (component: Export). The supported version that is affected is 9.3.6. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Agile PLM. Successful attacks of this vulnerability can result in takeover of Oracle Agile PLM. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

CWE(s): CWE-502 (Deserialization of Untrusted Data)
KEV Date Added: 24 February 2025

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: Oracle
Product: Agile Product Lifecycle Management
Version: 9.3.6

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-10, Information Input Validation): Directly blocks deserialization of untrusted data over HTTP before the Export component processes attacker-supplied input.

Prevent (SI-2, Flaw Remediation): Requires prompt application of the January 2024 CPU patch that eliminates the deserialization flaw in Agile PLM 9.3.6.

Detect: Enables integrity verification of the PLM application binaries and libraries to detect unauthorized modification or exploitation artifacts.
