
The Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities, one affecting Adobe ColdFusion and one affecting Oracle Agile Product Lifecycle Management (PLM), to its Known Exploited Vulnerabilities (KEV) catalog. Neither flaw is new; CISA adds entries to the catalog on evidence that they are being actively exploited.
The first, CVE-2017-3066, is a Java deserialization flaw in the Apache BlazeDS library bundled with Adobe ColdFusion. An attacker who can reach the affected endpoint can use it to execute arbitrary code on the server. Adobe issued a patch in April 2017, so any system still exposed has been unpatched for years, a reminder that long-fixed vulnerabilities remain in active use as long as vulnerable installations stay reachable.
The second, CVE-2024-20953, affects Oracle Agile PLM and is likewise an unsafe deserialization issue. According to Oracle's advisory it allows a low-privileged attacker with network access via HTTP to compromise the application. Oracle shipped the fix in its January 2024 Critical Patch Update.
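Both entries belong to the same flaw class: a server that calls readObject() on bytes an attacker controls. The following is an added illustration of that class and its standard mitigation; it is not code from ColdFusion, BlazeDS or Oracle Agile PLM, and it is not how either vendor fixed its product. It shows the vulnerable pattern beside a hardened reader that uses the JDK's ObjectInputFilter allowlist (JEP 290, available since Java 9). The Greeting type, the filter pattern and the HashMap stand-in for an unexpected class are assumptions made for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

// Added illustration of untrusted Java deserialization. Not code from
// ColdFusion, BlazeDS or Agile PLM; Greeting is a hypothetical payload type.
public class DeserializationDemo {

    // The only type the application legitimately expects on the wire.
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    // Vulnerable pattern: whatever class the stream names is instantiated,
    // so a stream carrying a gadget chain runs attacker-chosen code.
    static Object unsafeRead(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return in.readObject();
        }
    }

    // Hardened pattern (JEP 290 filter): allow only the expected classes,
    // cap nesting depth, and reject everything else ("!*") before it is loaded.
    static Object safeRead(byte[] untrusted) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowlist = ObjectInputFilter.Config.createFilter(
                "java.lang.String;" + Greeting.class.getName() + ";maxdepth=3;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            in.setObjectInputFilter(allowlist);
            return in.readObject();
        }
    }

    // Helper that produces the serialized bytes a client would send.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Greeting("hello"));
        // Constructed stand-in for an unexpected class: a real attack stream
        // would name a gadget class already present on the server's classpath.
        byte[] unexpected = serialize(new HashMap<String, String>());

        System.out.println("unsafe, expected input:   " + ((Greeting) unsafeRead(expected)).text);
        System.out.println("unsafe, unexpected input: " + unsafeRead(unexpected).getClass().getName());
        System.out.println("safe, expected input:     " + ((Greeting) safeRead(expected)).text);
        try {
            safeRead(unexpected);
        } catch (InvalidClassException e) {
            // The filter rejects the class before any of its code runs.
            System.out.println("safe, unexpected input:   rejected (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with `javac DeserializationDemo.java && java DeserializationDemo`. The unsafe reader happily instantiates the HashMap; the filtered reader throws InvalidClassException with status REJECTED for the same bytes. The allowlist shape matters: a denylist of known gadget classes is what attackers route around, whereas "expected classes, then !*" fails closed.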
Neither vulnerability has been tied publicly to a named campaign so far, but Oracle Agile PLM has drawn attacker interest before: in late 2024 a different Agile PLM flaw, CVE-2024-21287, was exploited in the wild. The new KEV entry suggests that interest has not gone away.
CISA urges all organizations to apply the vendor patches without delay. Under Binding Operational Directive 22-01, U.S. federal civilian executive branch agencies must remediate both vulnerabilities by March 17, 2025.
Deserialization flaws of this kind are routinely chained into broader intrusions once a working exploit circulates. Beyond patching, organizations should confirm whether the affected ColdFusion and Agile PLM components are exposed to untrusted networks, restrict access where they are, and monitor the relevant HTTP endpoints for unexpected serialized payloads.
The ColdFusion entry is the clearer lesson: a fix has been available since 2017, yet the flaw is being exploited now. Vulnerabilities in unpatched systems do not age out, and delays in applying updates turn an overlooked risk into a live threat.