ACTIVELY EXPLOITED · 3 sources verified
By Lyrie Threat Intelligence·2/24/2025

What happened

CISA added CVE-2024-20953 to the Known Exploited Vulnerabilities (KEV) catalog on 2025-02-24, with a remediation due date of 2025-03-17, signaling confirmed exploitation in the wild (CISA KEV). The flaw is a deserialization vulnerability in Oracle Agile Product Lifecycle Management (PLM) that enables a low-privileged attacker with network access via HTTP to compromise the system (NVD entry). The CVE record corroborates the issue and maps it to CWE-502, Deserialization of Untrusted Data (MITRE CVE).

Why it matters

KEV inclusion means adversaries are actively leveraging this bug, not just scanning for it (CISA KEV). Insecure deserialization is high-impact: crafted objects can drive unintended code paths, and when such inputs cross trust boundaries the result is frequently code execution or full system compromise (CWE-502). The attack surface here is reachable over HTTP, so exploitation is feasible from any position with network reach to the PLM service; no deep privilege is needed to start the chain (NVD entry).

Technical detail

Oracle Agile PLM mishandles deserialization of untrusted data, allowing a low-privileged network attacker to compromise the application over HTTP (NVD entry). This aligns directly with CWE-502, in which untrusted serialized data is parsed into objects, letting attacker-controlled state influence execution flow or invoke gadget chains within the application context (CWE-502). The authoritative CVE record confirms the product and weakness classification, reinforcing that the root issue is unsafe deserialization semantics (MITRE CVE).

Because the vector is HTTP, the vulnerable code is exercised at the application boundary rather than strictly inside an authenticated admin path, which expands the viable entry points for low-privileged sessions or service accounts (NVD entry). KEV status indicates real-world exploitation pressure, so the flaw should be treated as an active threat rather than a theoretical weakness (CISA KEV). From a weakness-taxonomy standpoint, the mitigation posture must focus on eliminating unsafe deserialization and on validating and controlling any serialized input that crosses a trust boundary (CWE-502).

Defense

CISA’s required action is unambiguous: apply vendor mitigations per instructions or discontinue use if mitigations are unavailable, by the KEV due date (CISA KEV). Prioritize patching or configuration changes that remove or restrict the vulnerable deserialization paths identified for CVE-2024-20953 (MITRE CVE).

Constrain reachability: restrict the PLM HTTP interface to trusted network segments and authenticated front ends, reducing exposure of deserialization endpoints to low-privileged users on broad networks (NVD entry). If segmentation cannot be immediate, deploy compensating controls such as strict request validation that blocks serialized object blobs and rejects untrusted types at deserialization boundaries; the safest rule is not to deserialize user-controlled data at all (CWE-502).

Harden the app layer: disable or replace insecure serialization formats where possible, enforce allow-lists for types, and treat any cross-boundary object input as hostile, per CWE-502 defensive guidance (CWE-502). Increase monitoring around PLM: alert on unusual HTTP requests that match serialized payload signatures, and correlate them with unexpected application errors or crashes on the deserialization paths that map to the CVE (NVD entry).
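As an added illustration of the compensating controls described in the two paragraphs above (blocking serialized object blobs at the boundary, allow-listing types, and alerting on serialized payload signatures), the following Python is example code written for this page; it is not Oracle's or Lyrie's code. It recognises the fixed Java Object Serialization stream header (bytes AC ED 00 05, which base64-encode to a token starting with rO0AB) in an HTTP body whether raw or base64-encoded, parses only far enough to read the first class the stream declares, and returns a verdict against an allow-list. The allow-list, class names and request bodies are all constructed for the example. A proxy-side check like this is a detection and containment layer, not a fix: a real deployment takes the allow-list from the application owner, still patches, and still applies the same type filtering inside the JVM (for example with ObjectInputFilter), since a proxy only sees the encodings it knows how to decode.

```python
"""Proxy-side inspection of HTTP bodies for Java serialized object streams,
with a type allow-list applied before the application deserializes anything.
Added example for this page; not Oracle or Lyrie code."""
import base64
import re
import struct
from dataclasses import dataclass
from typing import Optional

# Fixed header of every Java Object Serialization stream:
# STREAM_MAGIC 0xACED followed by STREAM_VERSION 5.
STREAM_HEADER = b"\xac\xed\x00\x05"
# The same four bytes base64-encode to a token that always starts "rO0AB".
B64_HEADER_RE = re.compile(rb"rO0AB[A-Za-z0-9+/=]{8,}")

# Type codes from the serialization stream grammar.
TC_CLASSDESC, TC_OBJECT, TC_STRING, TC_ARRAY = 0x72, 0x73, 0x74, 0x75
TC_CLASS, TC_ENUM = 0x76, 0x7E

# Constructed allow-list: the only class this deployment expects on the wire.
# A real list comes from the application owner, never from observed traffic.
ALLOWED_CLASSES = frozenset({"com.example.plm.ExportRequest"})


@dataclass
class Finding:
    serialized: bool            # a Java stream header was found in the body
    class_name: Optional[str]   # first class the stream declares, if readable
    verdict: str                # "clean", "allow" or "block"
    reason: str


def find_stream(body: bytes) -> Optional[bytes]:
    """Return the serialized stream carried raw or base64-encoded in body."""
    idx = body.find(STREAM_HEADER)
    if idx != -1:
        return body[idx:]
    m = B64_HEADER_RE.search(body)
    if m is None:
        return None
    token = m.group(0).rstrip(b"=")
    if len(token) % 4 == 1:      # a lone trailing sextet cannot form a byte
        token = token[:-1]
    token += b"=" * (-len(token) % 4)
    try:
        return base64.b64decode(token)
    except ValueError:
        return None


def leading_class_name(stream: bytes) -> Optional[str]:
    """Read only the first class descriptor; no object is ever reconstructed."""
    if not stream.startswith(STREAM_HEADER) or len(stream) < 6:
        return None
    tc, off = stream[4], 5
    if tc in (TC_OBJECT, TC_ARRAY, TC_ENUM, TC_CLASS):
        # Each of these is followed by a classDesc; only an inline
        # TC_CLASSDESC is handled (back-references and proxies yield None).
        if stream[off] != TC_CLASSDESC:
            return None
        off += 1
    elif tc != TC_CLASSDESC:
        return None              # e.g. TC_STRING carries no class name
    if off + 2 > len(stream):
        return None
    (length,) = struct.unpack_from(">H", stream, off)
    name = stream[off + 2: off + 2 + length]
    if len(name) < length:
        return None              # truncated blob
    return name.decode("utf-8", errors="replace")


def inspect_request(body: bytes) -> Finding:
    """Policy: any Java stream is blocked unless its leading type is allowed."""
    stream = find_stream(body)
    if stream is None:
        return Finding(False, None, "clean", "no Java serialization header")
    cls = leading_class_name(stream)
    if cls in ALLOWED_CLASSES:
        return Finding(True, cls, "allow", "leading class is on the allow-list")
    return Finding(True, cls, "block",
                   f"serialized stream with unexpected leading type {cls!r}")


def object_stream(class_name: str) -> bytes:
    """Constructed minimal stream: TC_OBJECT with an inline, fieldless
    classDesc. Just enough structure to exercise the parser above."""
    name = class_name.encode("utf-8")
    return (STREAM_HEADER + bytes([TC_OBJECT, TC_CLASSDESC])
            + struct.pack(">H", len(name)) + name
            + b"\x00" * 8            # serialVersionUID (constructed)
            + b"\x02"                # classDescFlags: SC_SERIALIZABLE
            + b"\x00\x00"            # field count 0
            + b"\x78"                # TC_ENDBLOCKDATA
            + b"\x70")               # TC_NULL: no superclass


# Constructed request bodies of the kind a proxy in front of PLM would see.
SAMPLE_BODIES = {
    "json": b'{"item":"P-1001","rev":"B"}',
    "raw_allowed": object_stream("com.example.plm.ExportRequest"),
    "raw_unknown": object_stream("com.example.unknown.Payload"),
    "b64_unknown": b"blob=" + base64.b64encode(object_stream("org.example.Other")),
    "string_only": STREAM_HEADER + bytes([TC_STRING]) + struct.pack(">H", 2) + b"hi",
}


def triage(bodies=SAMPLE_BODIES) -> dict:
    """Map each sample body to its verdict, the shape an alert pipeline wants."""
    return {name: inspect_request(body).verdict for name, body in bodies.items()}


if __name__ == "__main__":
    for name, body in SAMPLE_BODIES.items():
        f = inspect_request(body)
        print(f"{name:12} {f.verdict:5} {str(f.class_name):32} {f.reason}")
```

Running the file prints one line per constructed body: the JSON body is clean, the allow-listed class is allowed, and the unknown raw stream, the base64-wrapped stream and the header followed by a bare string are all blocked. The parser deliberately stops at the first class descriptor, so an attacker cannot make the inspector itself do any object reconstruction; anything it cannot classify is treated as hostile, which is the fail-closed posture CWE-502 guidance calls for at a trust boundary.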

Lyrie Verdict

CVE-2024-20953 is being exploited now, and the vector is HTTP, perfect for automated spraying by bots and agentic tooling that can iterate payloads at scale (CISA KEV). Countering that requires autonomous controls that operate at wire speed: inspect inbound request structure, detect serialized object streams and type metadata indicative of unsafe deserialization, and block decode attempts crossing trust boundaries, per CWE-502 guidance (CWE-502). Lyrie’s mandate is anti-rogue-AI defense at machine speed: continuously profiling request patterns to PLM endpoints exposed over HTTP, auto-isolating flows that match exploitation sequences, and forcing immediate mitigation ahead of human triage while the KEV window remains active (NVD entry).

Lyrie Verdict

Exploited over HTTP and suitable for automated spraying, CVE-2024-20953 demands machine-speed defense. Lyrie inspects request structure for unsafe deserialization patterns (per CWE-502) and auto-isolates exploitation flows before human response.