CVE-2024-21287 — Oracle Agile Product Lifecycle Management (PLM) Incorrect Authorization Vulnerability

Oracle Agile PLM — Unauthenticated File Disclosure via Incorrect Authorization in Process Extension SDK

What is Oracle Agile PLM?

Oracle Agile Product Lifecycle Management (PLM) is an enterprise software platform used by manufacturers, pharmaceutical companies, electronics firms, and other product-centric organizations to manage the complete lifecycle of products, from design and engineering through compliance, manufacturing, and end-of-life. It stores sensitive product data including engineering documents, bills of materials, regulatory compliance filings, intellectual property, supplier records, and quality documentation. Agile PLM is an on-premises product; version 9.3.6 is the only supported release that Oracle's alert names as affected. Its web interface is often reachable by a broad population of users, including external suppliers and contract partners, which widens the set of networks from which the server can be attacked.

Overview

CVE-2024-21287 is an incorrect authorization vulnerability in the Process Extension component of the Oracle Agile PLM Software Development Kit (SDK). It allows an unauthenticated attacker with network access over HTTP to read files from the server. Oracle published the fix as a Security Alert on November 18, 2024, outside its regular quarterly Critical Patch Update (CPU) cycle; CISA added the CVE to the Known Exploited Vulnerabilities (KEV) catalog three days later, which confirms evidence of active exploitation. Successful exploitation can expose the contents of the Agile PLM file repository, including proprietary product designs, compliance documents, and other business-sensitive information.

Affected Versions

Product            Vulnerable   Fixed
Oracle Agile PLM   9.3.6        Apply Oracle Security Alert patch

Technical Details

CWE-863 (Incorrect Authorization). The Process Extension component of the Agile PLM SDK exposes an HTTP endpoint that returns files from the PLM repository. For some requests the endpoint's authorization check is evaluated incorrectly, so a request that carries no credentials at all is still served a file that should require an authorized session. This is neither a path traversal nor an authentication bypass in the usual sense: no credential check is defeated and no malformed path is needed. The request simply never has to authenticate, and the authorization decision that should deny it returns the wrong answer. The distinction matters for defenders, because the attacker's traffic looks like ordinary file-retrieval requests from a client that never logged in, not like failed logins or traversal strings.
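
The following is an added example written for this page, not Oracle's code, and it does not reproduce the actual Agile PLM defect. It models the general CWE-863 shape the paragraph describes: an authorization rule written as "deny an authenticated caller that lacks the right group", which silently allows a caller that has no identity at all. The file paths, group names, and the export() handler are hypothetical; the hardened form shows the deny-by-default check that closes the hole.

```python
"""Illustrative CWE-863 pattern: an authorization check that returns the wrong
answer for requests with no identity. This is an added example written for this
page; it is NOT Oracle's code and does not reproduce the actual Agile PLM
defect. File names, group names and the export() function are hypothetical."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """An authenticated caller and the groups it belongs to."""
    name: str
    groups: frozenset


@dataclass(frozen=True)
class StoredFile:
    path: str
    allowed_groups: frozenset   # groups permitted to read this file
    content: bytes


class Forbidden(Exception):
    pass


# Constructed sample repository (hypothetical paths and contents).
REPO = {
    "designs/board-rev3.dxf": StoredFile(
        "designs/board-rev3.dxf", frozenset({"engineering"}), b"DXF-DATA"),
    "compliance/510k-draft.pdf": StoredFile(
        "compliance/510k-draft.pdf", frozenset({"regulatory"}), b"%PDF-DATA"),
}


def authorize_vulnerable(principal, f):
    """Wrong: the rule is phrased as 'deny an authenticated caller that lacks
    the group'. An unauthenticated request (principal is None) never enters
    the deny branch and falls through to the default of True, so the caller
    with the least privilege gets the most access."""
    if principal is not None and not (principal.groups & f.allowed_groups):
        return False
    return True


def authorize_fixed(principal, f):
    """Deny by default: no identity means no access, and an identity must
    carry at least one group the file permits."""
    if principal is None:
        return False
    return bool(principal.groups & f.allowed_groups)


def export(principal, path, authorize):
    """Hypothetical file-export handler: look up the file, then authorize."""
    f = REPO.get(path)
    if f is None:
        raise FileNotFoundError(path)
    if not authorize(principal, f):
        raise Forbidden(path)
    return f.content


def outcome(principal, path, authorize):
    """Return 'allowed' or 'denied' for one request, for side-by-side comparison."""
    try:
        export(principal, path, authorize)
        return "allowed"
    except Forbidden:
        return "denied"


def compare(path="compliance/510k-draft.pdf"):
    """Run the same two callers through both checks against one file."""
    anon = None                                           # no session at all
    eng = Principal("alice", frozenset({"engineering"}))  # logged in, wrong group
    return {
        (label, who): outcome(p, path, auth)
        for label, auth in (("vulnerable", authorize_vulnerable),
                            ("fixed", authorize_fixed))
        for who, p in (("anonymous", anon), ("engineer", eng))
    }


if __name__ == "__main__":
    for (check, caller), result in compare().items():
        print(f"{check:10s} {caller:9s} -> {result}")
```

The telling row is the vulnerable check's treatment of the two callers: the logged-in engineer without the "regulatory" group is correctly denied, while the anonymous caller is allowed. That asymmetry, where authenticated users see the right behaviour and only sessionless requests slip through, is why a bug of this class can survive ordinary functional testing.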

The specific data exposed depends on what files are stored in the PLM repository but typically includes: engineering CAD files and drawings, product specifications, bills of materials, regulatory compliance submissions, contractual documents, and supplier/partner records. Exfiltration of product intellectual property represents a significant competitive intelligence and espionage risk for manufacturing and pharmaceutical organizations.

Discovery

Public reporting of this vulnerability begins with Oracle's Security Alert of November 18, 2024. Oracle releases fixes outside its January/April/July/October CPU cadence only when it judges a vulnerability too urgent to wait, and CISA's addition of the CVE to the KEV catalog on November 21 confirms that evidence of exploitation in the wild existed at the time of the fix.

Exploitation Context

Agile PLM deployments are common in defense contractors, pharmaceutical companies, semiconductor manufacturers, and other high-value targets for industrial espionage. The vulnerability needs no credentials and no user interaction, so anyone who can reach the PLM web interface over the network can exploit it: an internet-facing server is exposed directly, and an internal server is exposed to any attacker with a foothold on the network, including one that arrives over a supplier or partner connection.

Remediation

  1. Apply the Oracle Security Alert patch for CVE-2024-21287 immediately. The alert contains the installation instructions for the 9.3.6 patch.
  2. Review the access logs of the web tier in front of Agile PLM (the WebLogic HTTP access log, or the reverse proxy's log if one is used) for the period before the patch was applied. Look for successful requests to the Process Extension file-retrieval endpoint from clients that had no authenticated session, and for bulk retrieval from a single source address.
  3. Restrict network access to Agile PLM to authorized users and systems with firewall rules. The PLM server should not be directly reachable from the internet; suppliers and partners who need access should come through a VPN or an authenticating proxy.
  4. After patching, audit which files were served during the exposure window and determine whether sensitive product data was exfiltrated.
  5. Notify legal and compliance teams if regulated data (for example FDA submissions or export-controlled technical data) may have been accessed.
  6. Monitor Oracle's quarterly Critical Patch Update advisories and Security Alerts, and apply patches within the standard remediation window going forward.
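
The log review in steps 2 and 4 is mechanical enough to script. The following is an added example written for this page, not an Oracle tool. It assumes the web tier writes Combined Log Format with the request's Cookie header appended as a final quoted field, that the Process Extension endpoint path contains the substring in PX_PATH_MARKER (the value used here is a hypothetical path; substitute the real one from your deployment), and that an authenticated request carries a JSESSIONID cookie, WebLogic's default session cookie name. The log lines in SAMPLE_LOG are constructed for the example.

```python
"""Log-triage helper for remediation steps 2 and 4: find file-retrieval
requests to the Process Extension endpoint that were served to clients with
no authenticated session. Added example written for this page, not an Oracle
tool. Assumptions, all adjustable: Combined Log Format with the Cookie header
appended as a final quoted field; the endpoint path contains PX_PATH_MARKER
(a hypothetical path, not Oracle's real endpoint); an authenticated request
carries a JSESSIONID cookie (WebLogic default). SAMPLE_LOG is constructed."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

PX_PATH_MARKER = "/Agile/px/export"   # hypothetical; substitute the real endpoint path
SESSION_COOKIE = "JSESSIONID"         # WebLogic default session cookie name

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"[^"]*" "(?P<ua>[^"]*)"(?: "(?P<cookie>[^"]*)")?'
)

# Constructed sample: one logged-in user and one sessionless client pulling files.
SAMPLE_LOG = """\
10.20.30.5 - alice [15/Nov/2024:09:02:11 +0000] "GET /Agile/PLMServlet HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "JSESSIONID=ab12cd34"
198.51.100.23 - - [15/Nov/2024:02:13:41 +0000] "GET /Agile/px/export?file=designs/board-rev3.dxf HTTP/1.1" 200 881204 "-" "python-requests/2.31" "-"
198.51.100.23 - - [15/Nov/2024:02:13:42 +0000] "GET /Agile/px/export?file=compliance/510k-draft.pdf HTTP/1.1" 200 2203001 "-" "python-requests/2.31" "-"
198.51.100.23 - - [15/Nov/2024:02:13:43 +0000] "GET /Agile/px/export?file=specs/retired.pdf HTTP/1.1" 404 312 "-" "python-requests/2.31" "-"
10.20.30.5 - alice [15/Nov/2024:09:05:00 +0000] "GET /Agile/px/export?file=designs/board-rev3.dxf HTTP/1.1" 200 881204 "-" "Mozilla/5.0" "JSESSIONID=ab12cd34"
"""


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_unauthenticated(rec):
    """No remote user and no session cookie: the server had no identity for this request.
    The user field is '-' on most setups even for logged-in users, so the cookie matters."""
    cookie = rec.get("cookie") or "-"
    return rec["user"] == "-" and SESSION_COOKIE + "=" not in cookie


def requested_file(path):
    """Pull the 'file' query parameter (hypothetical parameter name) out of the path."""
    return parse_qs(urlsplit(path).query).get("file", [None])[0]


def find_unauthenticated_exports(log_text):
    """Return successful (HTTP 200) sessionless requests to the export endpoint."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or PX_PATH_MARKER not in rec["path"]:
            continue
        if rec["status"] != "200" or not is_unauthenticated(rec):
            continue
        hits.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "file": requested_file(rec["path"]),
            "bytes": int(rec["bytes"]) if rec["bytes"] != "-" else 0,
        })
    return hits


def summarize(hits):
    """Per-source counts, the distinct files served, and total bytes out."""
    return {
        "by_ip": dict(Counter(h["ip"] for h in hits)),
        "files": sorted({h["file"] for h in hits if h["file"]}),
        "bytes": sum(h["bytes"] for h in hits),
    }


if __name__ == "__main__":
    found = find_unauthenticated_exports(SAMPLE_LOG)
    for h in found:
        print(h)
    print(summarize(found))
```

A hit only shows that the server returned 200 to a sessionless client for that path; confirm the retrieval against the response size and, where available, the file store's own logs. The 404 for a non-existent file is deliberately excluded from the hits but is still worth noting when it comes from the same source, since probing for file names is part of the same activity. Absence of hits does not clear the server if logs were rotated out of the exposure window.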

Key Details

Property               Value
CVE ID                 CVE-2024-21287
Vendor / Product       Oracle — Agile Product Lifecycle Management (PLM)
NVD Published          2024-11-18
NVD Last Modified      2025-10-27
CVSS 3.1 Score         7.5
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity               HIGH
CWE                    CWE-863
CISA KEV Added         2024-11-21
CISA KEV Deadline      2024-12-12
Known Ransomware Use   No

CVSS 3.1 Breakdown

Metric                Value
Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             None
Availability          None

Required Action

CISA BOD 22-01 Deadline: 2024-12-12. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2024-11-18   Oracle publishes out-of-band Security Alert for CVE-2024-21287 outside the regular quarterly CPU cycle
2024-11-21   Added to CISA Known Exploited Vulnerabilities catalog
2024-12-12   CISA BOD 22-01 remediation deadline

References

Resource                                 Type
Oracle Security Alert — CVE-2024-21287   Vendor Advisory
NVD — CVE-2024-21287                     Vulnerability Database
CISA KEV Catalog Entry                   US Government