CISA Alerts: Oracle Agile Vulnerability Actively Exploited

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert regarding active exploitation of a severe deserialization vulnerability (CVE-2024-20953) in Oracle Agile Product Lifecycle Management (PLM) software.

Added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on February 24, 2025, the flaw allows attackers with low-privileged access to execute arbitrary code on unpatched systems, potentially leading to full network compromise.

Federal agencies and private sector organizations have until March 17, 2025, to implement mitigations or discontinue the use of affected systems.

Oracle Agile Vulnerability

At the heart of this emergency is CWE-502 (Deserialization of Untrusted Data), a critical deserialization weakness that enables attackers to manipulate serialized objects in the Java-based Oracle Agile PLM platform.

Security analysts at Horizon3.ai explain that successful exploitation bypasses standard authentication checks, granting attackers “the ability to execute commands under the identity of the Oracle WebLogic server”.

This access level could enable data theft, lateral movement across corporate networks, and disruption of manufacturing supply chains dependent on PLM systems.
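To show what the CWE-502 weakness described above looks like at the code level, here is an added Java example (not Oracle's code, and not derived from the Agile PLM patch) that places the unsafe pattern beside its hardened form: an unrestricted `ObjectInputStream.readObject()` versus the same read guarded by a JEP 290 allowlist filter. The `PartRecord` type and the byte blobs are constructed for the demonstration.

```java
import java.io.*;
import java.util.ArrayList;

// Hypothetical PLM record type; stands in for whatever the real platform serializes.
class PartRecord implements Serializable {
    private static final long serialVersionUID = 1L;
    final String partNumber;
    PartRecord(String partNumber) { this.partNumber = partNumber; }
}

public class DeserializationFilterDemo {

    // CWE-502 pattern: any Serializable class on the server classpath can be reconstructed
    // from attacker-controlled bytes, which is what makes gadget chains possible.
    static Object readUnfiltered(byte[] blob) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(blob))) {
            return in.readObject();
        }
    }

    // Hardened pattern: a JEP 290 allowlist. Only the named classes may be instantiated;
    // "!*" rejects everything else, and the limits bound graph depth and reference count.
    static Object readFiltered(byte[] blob) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowlist = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxrefs=100;PartRecord;java.lang.String;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(blob))) {
            in.setObjectInputFilter(allowlist);
            return in.readObject(); // filter is consulted before each class is resolved
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new PartRecord("PN-0001"));          // constructed sample
        byte[] unexpected = serialize(new ArrayList<String>());          // stands in for an off-allowlist graph

        System.out.println("filtered, expected type: " + ((PartRecord) readFiltered(expected)).partNumber);
        System.out.println("unfiltered, unexpected type accepted: " + readUnfiltered(unexpected).getClass());
        try {
            readFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered, unexpected type rejected: " + e.getMessage());
        }
    }
}
```

The same filter can be applied process-wide with the `jdk.serialFilter` system property, which is the usual way to retrofit an existing application without touching every `readObject()` call site.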

While CISA’s advisory doesn’t confirm ransomware group involvement, the timing coincides with increased cybercriminal focus on operational technology.

Industrial security firm Claroty reports a 78% year-over-year increase in attacks targeting product lifecycle management systems, suggesting threat actors may be leveraging CVE-2024-20953 for intellectual property theft or production sabotage.

Technical Breakdown and Enterprise Impact

Oracle’s out-of-cycle patch, released in January 2025, modifies how the Agile PLM platform processes serialized data through its FileNet connector.

However, many organizations have delayed updates due to the platform’s integration with critical ERP and CAD systems.

Cybersecurity consultant Aaron Sandeen warns, “This vulnerability is particularly dangerous because it can be triggered through normal HTTP requests, making detection challenging without specialized tooling”.

Analysis of network traffic from compromised systems reveals attackers using crafted .JSON files to exploit the Java deserialization flaw.

Subsequent payloads observed in the wild include cryptocurrency miners, Cobalt Strike beacons, and custom malware designed to scrape product blueprints.

The U.S. Defense Industrial Base (DIB) has reported multiple incidents where attackers accessed technical data packages for advanced weapon systems.

Oracle recommends the immediate application of Security Alert 26547894 and the disabling of unnecessary FileNet services.

For organizations unable to patch swiftly, network segmentation solutions from vendors like Illumio and Guardicore can isolate PLM instances while allowing controlled CAD file transfers.

CISA emphasizes that virtual patching through web application firewalls (WAFs) with updated rules from Trend Micro and Fortinet provides temporary protection.

The agency’s free vulnerability scanning service now includes dedicated checks for CVE-2024-20953 configurations.

With Oracle Agile PLM used by 89% of Fortune 500 manufacturers, the vulnerability’s reach extends across the aerospace, automotive, and electronics sectors.

Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
