What happened
CISA added CVE-2024-21287 to the Known Exploited Vulnerabilities (KEV) catalog on 2024-11-21, indicating active exploitation in the wild [CISA KEV]. The vulnerability affects Oracle Agile Product Lifecycle Management (PLM) and stems from incorrect authorization in the Software Development Kit (SDK) Process Extension component [CISA KEV]. Successful exploitation results in unauthenticated file disclosure [NVD entry].
CISA's required action is to apply vendor mitigations, or to discontinue use of the product if mitigations are unavailable, with a remediation due date of 2024-12-12 for federal enterprises [CISA KEV]. The associated weakness maps to CWE-863 (Incorrect Authorization) per the public record [NVD entry]. The MITRE record tracks the identifier and its references for coordination [MITRE CVE].
Why it matters
Incorrect authorization defects let unauthenticated actors access resources intended for authorized users [NVD entry]. In this case, the result is file disclosure without prior authentication, which is explicitly called out in the CVE description [CISA KEV]. Placing the issue in KEV signals confirmed exploitation and elevates the urgency of patching and compensating controls [CISA KEV].
Because Agile PLM is used to manage critical product data, any path that exposes files without authentication creates a direct data-loss and downstream supply-chain risk surface [NVD entry]. The KEV inclusion also means opportunistic scanning and exploitation will likely accelerate, as adversaries routinely prioritize KEV-listed issues [CISA KEV].
Technical detail
The flaw is categorized as an incorrect authorization vulnerability in the Process Extension component of the Oracle Agile PLM SDK [CISA KEV]. Incorrect authorization (CWE-863) covers cases where the system fails to enforce permissions correctly, either after or independently of authentication checks, enabling access by unauthorized principals [NVD entry]. For CVE-2024-21287, the observable outcome is unauthenticated file disclosure via the affected component if an attacker reaches the vulnerable path [NVD entry].
CISA records this as a known exploited issue and sets an enforceable remediation timeline for federal civilian agencies, reflecting active adversary use [CISA KEV]. The MITRE CVE entry provides the authoritative CVE reference and links back to the public data sources that support coordination across vendors and defenders [MITRE CVE].
Defense
- Patch/mitigate now per vendor guidance, or discontinue use if no mitigation exists, as mandated in the KEV notice [CISA KEV].
- Prioritize internet-exposed or partner-accessible Agile PLM instances for immediate remediation and validation, given the unauthenticated access outcome [NVD entry].
- Tighten exposure: restrict network access to Agile PLM services to trusted segments and require upstream authentication at gateways while you roll out fixes [CISA KEV].
- Detection hypotheses to deploy immediately:
  - Alert on file retrievals from the PLM application returning 200/206 to unauthenticated or anonymous sessions over HTTP(S) [NVD entry].
  - Flag bursts of sequential file-access patterns or directory-style enumeration without corresponding login events [CISA KEV].
  - Hunt for anomalies in user-agent or source-ASN diversity targeting PLM endpoints, consistent with opportunistic KEV-driven scanning [CISA KEV].
- Asset accountability: identify all Oracle Agile PLM instances and SDK integrations to ensure complete coverage of updates and configuration hardening [MITRE CVE].
Document and validate mitigations against a representative test that attempts unauthenticated access to files via the affected surface; remediation is only complete when unauthorized retrieval is blocked end-to-end [NVD entry].
Lyrie Verdict
This is a machine-speed exfil problem: the path from "unauthenticated request" to "file disclosure" is direct, noiseless, and scriptable [NVD entry]. Lyrie deploys autonomous detections for KEV-listed issues, watching for unsessioned file responses, enumeration stride patterns, and credential-less access surges targeting PLM services in real time [CISA KEV]. Concretely, we:
- Correlate HTTP response codes, cookie presence, and object size to catch unauthorized file delivery with sub-second latency [NVD entry].
- Elevate any match involving Oracle Agile PLM fingerprints to containment workflows automatically while KEV status is active [CISA KEV].
- Feed detections into closed-loop policy to throttle, tarpit, or isolate the PLM service while operators patch, preventing rogue automation from emptying repositories [CISA KEV].
Bottom line: KEV means it's being hit now. Treat unauthenticated file-access patterns as a high-fidelity signal and let autonomous controls cut dwell time to seconds [CISA KEV].
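As an added example that is not part of this advisory and is not Lyrie's or Oracle's code: a small Python detector that applies the detection hypotheses from the Defense section (200/206 file responses to unauthenticated requests; sequential object enumeration with no login from the same source) together with the correlation described above (status code, cookie presence, object size) to gateway access logs in front of a PLM application. The log lines, the /plm/files/ and /plm/login paths, the cookie-present field appended to each line, and the thresholds are all constructed for illustration and do not reflect real Agile PLM routes or log formats; adapt the regex and prefixes to your own gateway.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed (constructed) conventions; real Agile PLM routes and thresholds differ.
FILE_PREFIX = "/plm/files/"   # hypothetical path under which file bodies are served
LOGIN_PATH = "/plm/login"     # hypothetical login endpoint
MIN_FILE_BYTES = 4096         # ignore small bodies (error pages, redirects)
ENUM_MIN_REQUESTS = 3         # sequential object IDs before we call it enumeration

# Constructed combined-log-style lines with one extra field: the session cookie
# name seen on the request, or "-" when none was sent. Not real PLM traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Nov/2024:10:00:01 +0000] "GET /plm/files/doc-1001 HTTP/1.1" 200 48213 "curl/8.4" -
10.0.0.5 - - [21/Nov/2024:10:00:02 +0000] "GET /plm/files/doc-1002 HTTP/1.1" 200 51990 "curl/8.4" -
10.0.0.5 - - [21/Nov/2024:10:00:02 +0000] "GET /plm/files/doc-1003 HTTP/1.1" 206 8192 "curl/8.4" -
10.0.0.5 - - [21/Nov/2024:10:00:03 +0000] "GET /plm/files/doc-1004 HTTP/1.1" 200 40021 "curl/8.4" -
192.168.1.20 - jdoe [21/Nov/2024:10:00:05 +0000] "GET /plm/files/doc-2201 HTTP/1.1" 200 30111 "Mozilla/5.0" JSESSIONID
10.0.0.9 - - [21/Nov/2024:10:00:06 +0000] "GET /plm/login HTTP/1.1" 200 1200 "Mozilla/5.0" -
10.0.0.9 - - [21/Nov/2024:10:00:07 +0000] "GET /plm/files/doc-3001 HTTP/1.1" 403 512 "Mozilla/5.0" -
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<ua>[^"]*)" (?P<cookie>\S+)$'
)

@dataclass
class Event:
    ip: str
    user: str      # "-" when the server saw no authenticated user
    path: str
    status: int
    size: int      # response body bytes
    ua: str
    cookie: str    # "-" when the request carried no session cookie

def parse_log(text):
    """Parse log lines into Events; lines that do not fit the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        size = m.group("size")
        events.append(Event(m.group("ip"), m.group("user"), m.group("path"),
                            int(m.group("status")), 0 if size == "-" else int(size),
                            m.group("ua"), m.group("cookie")))
    return events

def is_file_disclosure(ev):
    """Hypothesis 1: a file body (200/206, non-trivial size) delivered to a
    request that carries neither a session cookie nor an authenticated user."""
    return (ev.path.startswith(FILE_PREFIX)
            and ev.status in (200, 206)
            and ev.cookie == "-" and ev.user == "-"
            and ev.size >= MIN_FILE_BYTES)

def unauthenticated_file_hits(events):
    return [ev for ev in events if is_file_disclosure(ev)]

_ID_RE = re.compile(r"(\d+)$")

def enumeration_sources(events):
    """Hypothesis 2: one source walking consecutive object IDs under the file
    prefix with no login request from that source in the same log slice.
    Returns {ip: number_of_distinct_ids}."""
    ids_by_ip = defaultdict(list)
    logged_in = set()
    for ev in events:
        if ev.path == LOGIN_PATH:
            logged_in.add(ev.ip)
        elif ev.path.startswith(FILE_PREFIX):
            m = _ID_RE.search(ev.path)
            if m:
                ids_by_ip[ev.ip].append(int(m.group(1)))
    flagged = {}
    for ip, ids in ids_by_ip.items():
        ids = sorted(set(ids))
        if ip in logged_in or len(ids) < ENUM_MIN_REQUESTS:
            continue
        if all(b - a == 1 for a, b in zip(ids, ids[1:])):
            flagged[ip] = len(ids)
    return flagged

def analyze(text):
    """Summarise both hypotheses over one log slice."""
    events = parse_log(text)
    hits = unauthenticated_file_hits(events)
    return {
        "unauth_file_hits": len(hits),
        "bytes_disclosed": sum(ev.size for ev in hits),
        "enumeration": enumeration_sources(events),
    }

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the constructed sample, the four cookie-less, user-less 200/206 retrievals from 10.0.0.5 are reported as unauthenticated file hits, and the same source is flagged for enumeration because it walked four consecutive IDs without ever touching the login path; the authenticated jdoe download and the 403 from 10.0.0.9 (which did log in) produce nothing. The size floor exists because a 200 for a small error or redirect page is not a disclosure; tune it to the smallest object your PLM instance actually serves.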