CVE-2024-20953

8.8 HIGH

📋 TL;DR

This vulnerability in Oracle Agile PLM allows authenticated attackers with network access to execute arbitrary code through deserialization of untrusted data. It affects Oracle Agile PLM version 9.3.6 and can lead to complete system compromise.

💻 Affected Systems

Products:
  • Oracle Agile PLM
Versions: 9.3.6
Operating Systems: All platforms running Oracle Agile PLM
Default Config Vulnerable: ⚠️ Yes
Notes: Requires a low-privileged account with HTTP access to the Export component

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete takeover of Oracle Agile PLM system, allowing attacker to steal sensitive data, modify records, disrupt operations, and potentially pivot to other systems.

🟠

Likely Case

Attacker gains full administrative control over PLM system, enabling data theft, manipulation of product lifecycle data, and installation of persistent backdoors.

🟢

If Mitigated

With proper network segmentation and access controls, impact limited to isolated PLM environment, preventing lateral movement to other systems.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Listed in CISA's Known Exploited Vulnerabilities catalog; a ZDI advisory exists; exploitation requires low-privileged credentials.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply Critical Patch Update from January 2024

Vendor Advisory: https://www.oracle.com/security-alerts/cpujan2024.html

Restart Required: Yes

Instructions:

1. Download the Critical Patch Update from Oracle Support.
2. Apply the patch to Oracle Agile PLM 9.3.6.
3. Restart PLM services.
4. Verify that the patch was applied.

🔧 Temporary Workarounds

Network Access Restriction

all

Restrict HTTP access to Oracle Agile PLM Export component to trusted IP addresses only

Privilege Reduction

all

Review and minimize low privileged accounts with access to Export functionality

🧯 If You Can't Patch

  • Isolate Oracle Agile PLM system in separate network segment with strict firewall rules
  • Implement application-level monitoring for suspicious deserialization attempts

🔍 How to Verify

Check if Vulnerable:

Check Oracle Agile PLM version and verify if January 2024 Critical Patch Update is applied

Check Version:

Check Oracle Agile PLM administration console or configuration files for version information

Verify Fix Applied:

Confirm patch version from Oracle Support and verify no deserialization vulnerabilities in Export component

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP requests to Export endpoints
  • Deserialization errors in application logs
  • Unexpected process execution

Network Indicators:

  • HTTP POST requests to Export endpoints with serialized data
  • Outbound connections from PLM system to unknown destinations

SIEM Query:

source="oracle_plm" AND (uri="*export*" OR message="*deserialization*")
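The following is an added example, not part of the original advisory, showing how the indicators above (Export endpoint requests, deserialization errors, POST bodies that look serialized) can be checked over log lines. It assumes a simple key="value" log format, constructed sample lines, and constructed URI paths; the check for a Java native serialization header (base64 prefix "rO0AB") is an assumption about the payload format that the advisory does not state.

```python
import base64
import re

# Constructed sample log lines for illustration only. The key="value" layout,
# the URI paths and the messages are assumptions, not real Agile PLM output.
SAMPLE_LOGS = [
    'ts="2024-01-20T10:01:02Z" source="oracle_plm" method="GET" uri="/plm/home" status="200" message="ok"',
    'ts="2024-01-20T10:02:11Z" source="oracle_plm" method="POST" uri="/plm/export/data" status="500" '
    'message="InvalidClassException during deserialization"',
    'ts="2024-01-20T10:03:45Z" source="oracle_plm" method="POST" uri="/plm/export/data" status="200" '
    'content_type="application/octet-stream" body_prefix="rO0ABXNy"',
    'ts="2024-01-20T10:04:00Z" source="other_app" method="POST" uri="/export/report" status="200" message="ok"',
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Java native serialization streams start with 0xAC 0xED 0x00 0x05; base64-encoded
# that header begins with "rO0AB". Whether Agile PLM's Export component uses this
# format is an assumption here.
JAVA_SERIAL_B64_PREFIX = base64.b64encode(b"\xac\xed\x00\x05").decode()[:5]


def parse_line(line):
    """Turn one key="value" log line into a dict (assumed format)."""
    return dict(KV_RE.findall(line))


def matches_siem_query(rec):
    """Same logic as the advisory's SIEM query:
    source="oracle_plm" AND (uri="*export*" OR message="*deserialization*")."""
    if rec.get("source") != "oracle_plm":
        return False
    uri = rec.get("uri", "").lower()
    msg = rec.get("message", "").lower()
    return "export" in uri or "deserialization" in msg


def indicator_reasons(rec):
    """Enrich a matching record with the specific indicators it triggered."""
    reasons = []
    uri = rec.get("uri", "").lower()
    msg = rec.get("message", "").lower()
    if "export" in uri:
        reasons.append("request to Export endpoint")
    if "deserializ" in msg:
        reasons.append("deserialization error in application log")
    serialized_looking = (
        rec.get("content_type") == "application/octet-stream"
        or rec.get("body_prefix", "").startswith(JAVA_SERIAL_B64_PREFIX)
    )
    if rec.get("method") == "POST" and "export" in uri and serialized_looking:
        reasons.append("POST to Export endpoint carrying serialized-looking payload")
    return reasons


def analyze(lines):
    """Return one hit per log line that matches the SIEM query, with its reasons."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not matches_siem_query(rec):
            continue
        hits.append({"ts": rec.get("ts"), "uri": rec.get("uri"), "reasons": indicator_reasons(rec)})
    return hits


if __name__ == "__main__":
    for hit in analyze(SAMPLE_LOGS):
        print(hit["ts"], hit["uri"], "; ".join(hit["reasons"]))
```

The plain query alone will also flag routine, legitimate exports; the reason list is what lets an analyst rank a deserialization error or a binary POST body above an ordinary export request when triaging.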
