CVE-2024-20953 — Oracle Agile Product Lifecycle Management (PLM) Deserialization Vulnerability

Oracle Agile PLM — Low-Privilege Authenticated Java Deserialization Enables Full System Compromise via HTTP

What is Oracle Agile PLM?

Oracle Agile Product Lifecycle Management (PLM) is an enterprise platform used by manufacturing, high-tech, and life sciences companies to manage product development from design through end-of-life. Agile PLM centralizes product specifications, bills of materials, engineering change orders, and compliance documentation. It is deployed on-premises at large manufacturers and often contains sensitive intellectual property including product designs, formulas, and supply chain data. Because Agile PLM serves as the authoritative source of product IP for organizations, its compromise is particularly damaging in espionage contexts.

Overview

CVE-2024-20953 is a deserialization vulnerability in Oracle Agile PLM that lets a low-privileged, network-authenticated attacker take over the system over HTTP. The only precondition is a valid Agile PLM user account, a low bar in enterprises where many employees hold read-only access to product data. Oracle fixed the vulnerability in the January 2024 Critical Patch Update; CISA added it to the Known Exploited Vulnerabilities (KEV) catalog in February 2025, thirteen months later, which means CISA had evidence of exploitation in the wild against installations that had not applied the patch.

Affected Versions

Product                    Status
Oracle Agile PLM 9.3.6     Patched in January 2024 CPU

Technical Details

CWE-502 (Deserialization of Untrusted Data). Oracle's advisory describes only the exposure (reachable over HTTP, low-privileged network attacker, full takeover of Agile PLM); the CWE-502 classification indicates that the server deserializes Java objects received over HTTP without adequately restricting which classes the stream may name. An authenticated low-privileged user can therefore submit a crafted serialized object graph that the server reconstructs, and the reconstruction itself is the attack: deserialization invokes readObject, readResolve and similar hooks on classes that are already on the server's classpath, and a "gadget chain" strings those hooks together through reflection until it reaches arbitrary method invocation. The ysoserial project catalogues such chains for common libraries. No flaw in the application's own logic is required beyond the act of deserializing attacker-controlled bytes.
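The snippet below is an added illustration, not Oracle's code and not anything recovered from Agile PLM. It places the CWE-502 anti-pattern beside the standard hardening for this class of bug: an ObjectInputStream that accepts whatever class the client names, and the same read guarded by a JEP 290 ObjectInputFilter (Java 9 and later) that enforces a deny-by-default class allowlist plus depth, reference-count and size limits. The endpoint, the allowlisted classes and the use of java.util.HashMap as a harmless stand-in for a gadget class are assumptions made for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Set;

public class DeserializationHardening {

    // Classes this hypothetical endpoint legitimately expects (an assumption for the demo).
    // Everything not listed here is rejected before it is instantiated.
    private static final Set<String> ALLOWED = Set.of("java.util.ArrayList", "java.lang.String");

    // VULNERABLE PATTERN (CWE-502): the bytes the HTTP client sent go straight into
    // ObjectInputStream. Any Serializable class on the server's classpath may appear in the
    // stream, and its readObject/readResolve hooks run before this method sees the result.
    static Object unsafeDeserialize(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            return in.readObject();
        }
    }

    // HARDENED: a JEP 290 ObjectInputFilter vets every class descriptor as the stream is read,
    // so a gadget class is rejected with InvalidClassException before any of its hooks execute.
    static Object safeDeserialize(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            in.setObjectInputFilter(info -> {
                // Resource limits: deep graphs and huge reference counts are classic DoS payloads.
                if (info.depth() > 8 || info.references() > 500 || info.streamBytes() > 64 * 1024) {
                    return ObjectInputFilter.Status.REJECTED;
                }
                Class<?> clazz = info.serialClass();
                if (clazz == null) {
                    return ObjectInputFilter.Status.UNDECIDED; // limits-only callback, no class to judge
                }
                while (clazz.isArray()) {
                    clazz = clazz.getComponentType(); // judge arrays by their element type
                }
                if (clazz.isPrimitive() || ALLOWED.contains(clazz.getName())) {
                    return ObjectInputFilter.Status.ALLOWED;
                }
                return ObjectInputFilter.Status.REJECTED; // deny by default
            });
            return in.readObject();
        }
    }

    // Helper used only to build the constructed sample payloads below.
    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(obj);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a benign list of part numbers, and a HashMap standing in for a
        // gadget class (HashMap is harmless; it is simply not on the allowlist).
        ArrayList<String> benign = new ArrayList<>(List.of("PN-1001", "PN-1002"));
        HashMap<String, String> notAllowed = new HashMap<>();
        notAllowed.put("k", "v");

        System.out.println("unsafe, benign    : " + unsafeDeserialize(serialize(benign)));
        System.out.println("unsafe, untrusted : " + unsafeDeserialize(serialize(notAllowed))); // accepted
        System.out.println("safe,   benign    : " + safeDeserialize(serialize(benign)));
        try {
            safeDeserialize(serialize(notAllowed));
        } catch (InvalidClassException e) {
            System.out.println("safe,   untrusted : rejected -> " + e.getMessage());
        }
    }
}
```

The same policy can be expressed as a pattern string, for example ObjectInputFilter.Config.createFilter("maxdepth=8;java.util.ArrayList;java.lang.String;!*"), or applied JVM-wide through the jdk.serialFilter system property, which is the option available when the vulnerable code cannot be changed. The rejection surfaces in the application server log as InvalidClassException with the message "filter status: REJECTED", a useful detection hook in its own right.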

Once code executes as the account running the Agile PLM application server, the attacker inherits that account's database credentials and network position and can: exfiltrate product lifecycle data, intellectual property and BOM information; modify product records; pivot to connected systems (ERP, CAD, database); or establish persistent backdoor access.

Discovery

The vulnerability was fixed in the January 2024 Oracle CPU, and Oracle, as is its practice, published no exploitation details. The 13-month gap between patch release and KEV listing means the exploitation CISA observed was against installations that had not applied the CPU. That is a common situation with Oracle CPUs, which require coordination with Oracle support and are often deferred by enterprises because of upgrade complexity.

Exploitation Context

Oracle Agile PLM is an attractive target for industrial espionage actors, in particular state-sponsored groups pursuing manufacturing IP, because it holds detailed product specifications, trade secrets and supply chain data. Because only a low-privileged account is required, an insider or an attacker holding a single phished PLM credential can exploit it; no administrator account is needed. The long delay before KEV listing is consistent with targeted, low-noise exploitation by capable actors rather than mass exploitation.

Remediation

  1. Apply the Oracle January 2024 Critical Patch Update (or a later CPU) to Agile PLM 9.3.6 immediately; consult Oracle support for the specific patch and upgrade path.
  2. Restrict Agile PLM's network exposure: the application should not be reachable from the internet except through a VPN or zero-trust access proxy.
  3. Audit Agile PLM access logs for unusual API calls and the application server log for deserialization errors (ClassNotFoundException or InvalidClassException raised from readObject), which indicate probing with payloads built for a different classpath or blocked by a filter.
  4. Review and minimize the set of active Agile PLM user accounts; deactivate accounts for users who no longer need access, since each one is a usable foothold for this vulnerability.
  5. Monitor outbound network connections from the Agile PLM server for unexpected destinations; a compromised server will typically beacon to attacker infrastructure.
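Items 3 and 5 ask for detection, and the most reliable request-side indicator of a deserialization attack is an HTTP body carrying a Java serialization stream where none is expected. The triage utility below is an added example, not Agile PLM tooling: it recognises the stream header in raw, base64 and hex form and, without deserializing anything, lists the class names a raw stream would instantiate by walking its TC_CLASSDESC records. The sample request bodies are constructed, and the serialized objects are harmless JDK collections standing in for a real payload, which would name gadget classes at the same positions.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.HashMap;
import java.util.List;
import java.util.regex.Pattern;

public class SerializedPayloadTriage {

    // Java serialization stream header: STREAM_MAGIC 0xACED followed by STREAM_VERSION 0x0005.
    private static final byte[] MAGIC = {(byte) 0xAC, (byte) 0xED, 0x00, 0x05};
    private static final String MAGIC_B64 = "rO0AB";  // base64 of AC ED 00 05 (stable prefix)
    private static final String MAGIC_HEX = "aced0005";
    private static final byte TC_CLASSDESC = 0x72;    // tag that precedes a class name in the stream
    private static final Pattern CLASS_NAME =
            Pattern.compile("(\\[+L)?[A-Za-z_$][\\w$]*(\\.[A-Za-z_$][\\w$]*)+;?");

    /** Returns "raw", "base64" or "hex" if a serialization header is present, otherwise null. */
    static String detectEncoding(byte[] body) {
        if (body.length >= MAGIC.length && body[0] == MAGIC[0] && body[1] == MAGIC[1]
                && body[2] == MAGIC[2] && body[3] == MAGIC[3]) {
            return "raw";
        }
        String text = new String(body, StandardCharsets.ISO_8859_1);
        if (text.contains(MAGIC_B64)) return "base64";
        if (text.toLowerCase().contains(MAGIC_HEX)) return "hex";
        return null;
    }

    /**
     * Heuristic triage: a TC_CLASSDESC record is 0x72, a big-endian u16 length, then the class
     * name in modified UTF-8. Collecting those names tells an analyst which classes the payload
     * would instantiate (a gadget chain names its gadgets here) without deserializing anything.
     * A 0x72 byte inside string data is filtered out by the length bound and the name pattern.
     */
    static List<String> classNames(byte[] raw) {
        List<String> names = new ArrayList<>();
        for (int i = MAGIC.length; i + 3 <= raw.length; i++) {
            if (raw[i] != TC_CLASSDESC) continue;
            int len = ((raw[i + 1] & 0xFF) << 8) | (raw[i + 2] & 0xFF);
            if (len == 0 || i + 3 + len > raw.length) continue;
            String candidate = new String(raw, i + 3, len, StandardCharsets.ISO_8859_1);
            if (CLASS_NAME.matcher(candidate).matches() && !names.contains(candidate)) {
                names.add(candidate);
            }
        }
        return names;
    }

    // Helper used only to build the constructed sample bodies below.
    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(obj);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        // Constructed request bodies, not captured traffic.
        ArrayList<String> parts = new ArrayList<>(List.of("PN-1001", "PN-1002"));
        HashMap<String, String> map = new HashMap<>();
        map.put("k", "v");

        byte[] json = "{\"item\":\"PN-1001\"}".getBytes(StandardCharsets.UTF_8);
        byte[] raw = serialize(parts);
        byte[] form = ("payload=" + Base64.getEncoder().encodeToString(serialize(map)))
                .getBytes(StandardCharsets.US_ASCII);

        System.out.println("JSON body -> " + detectEncoding(json));
        System.out.println("raw body  -> " + detectEncoding(raw) + " " + classNames(raw));
        byte[] decoded = Base64.getDecoder().decode(
                new String(form, StandardCharsets.US_ASCII).substring("payload=".length()));
        System.out.println("form body -> " + detectEncoding(form) + " " + classNames(decoded));
    }
}
```

Run this over request bodies captured at a reverse proxy or from a full-packet capture of the Agile PLM HTTP listener; for the constructed samples it reports no header for the JSON body, "raw" with java.util.ArrayList for the second, and "base64" with java.util.HashMap for the form body. A hit on an endpoint that has no business accepting serialized Java objects, paired with ClassNotFoundException or InvalidClassException entries in the application server log at the same timestamp, is strong evidence of an exploitation attempt. The class-name walk is a heuristic for triage, not a parser; tools such as SerializationDumper implement the full grammar.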

Key Details

Property               Value
CVE ID                 CVE-2024-20953
Vendor / Product       Oracle — Agile Product Lifecycle Management (PLM)
NVD Published          2024-02-17
NVD Last Modified      2025-10-27
CVSS 3.1 Score         8.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity               HIGH
CWE                    CWE-502
CISA KEV Added         2025-02-24
CISA KEV Deadline      2025-03-17
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   Low
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2025-03-17. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2024-01-16   Oracle releases the January 2024 Critical Patch Update fixing CVE-2024-20953
2024-02-17   CVE published in NVD
2025-02-24   Added to the CISA Known Exploited Vulnerabilities catalog, 13 months after the patch
2025-03-17   CISA BOD 22-01 remediation deadline

References

Resource                                        Type
Oracle Critical Patch Update, January 2024      Vendor advisory
NVD entry for CVE-2024-20953                    Vulnerability database
CISA KEV catalog entry                          US government catalog