CVE-2024-21287: Critical Zero-Day Exploited in Oracle Agile PLM
Oracle has issued an urgent security alert regarding a critical vulnerability in its Agile Product Lifecycle Management (PLM) software, tracked as CVE-2024-21287. This flaw allows attackers to remotely access sensitive files without any authentication, potentially exposing confidential product designs, intellectual property, and other critical business information.
Oracle Agile PLM is a widely used suite of software that helps businesses manage the entire lifecycle of a product, from design through manufacturing and retirement. Its collaboration features make it a popular choice across industries including manufacturing, high-tech, and life sciences. That broad deployment, combined with unauthenticated remote exploitability and the sensitivity of the product data the system holds, makes this vulnerability a significant threat.
The vulnerability affects Oracle Agile PLM Framework version 9.3.6. According to Oracle, CVE-2024-21287 is remotely exploitable without authentication: an attacker needs only network access to the PLM application, not a username or password. Successful exploitation results in file disclosure, meaning an unauthenticated attacker can download any file readable by the operating-system account under which the PLM application runs, not just files the application intentionally serves.
“This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password,” Oracle warns in its security advisory. “If successfully exploited, this vulnerability may result in file disclosure.”
The vulnerability was reported to Oracle by security researchers Joel Snape and Lutz Wolf of CrowdStrike and carries a CVSS 3.1 Base Score of 7.5 (High). The score reflects a confidentiality-only impact: the flaw lets an attacker read files, but does not by itself allow them to be modified or the service to be disrupted. More worryingly, CrowdStrike reported that the vulnerability was already being exploited in the wild at the time of disclosure, which makes immediate patching crucial for all affected users.
“If successfully exploited, an unauthenticated perpetrator could download, from the targeted system, files accessible under the privileges used by the PLM application,” the advisory states, highlighting the potential for significant data breaches.
Oracle strongly urges all customers running the affected version to apply the security updates provided in the alert as soon as possible. Delaying patching leaves organizations exposed to attacks that can compromise sensitive product data and disrupt business operations. Because exploitation was already under way before the fix was released, patching alone is not enough: organizations should also review access logs on their PLM hosts for unexpected file retrievals, and should treat any configuration files or credentials readable by the PLM application account as potentially exposed until they have been checked or rotated.
Organizations relying on Oracle Agile PLM should prioritize patching this vulnerability to protect their valuable data and maintain the integrity of their product development processes.