Oracle patches a vulnerability in its Agile PLM software that could have allowed attackers to steal business files.
Oracle has confirmed that the vulnerability was being actively exploited in real-world environments.
Oracle has resolved a vulnerability in its Oracle Agile Product Lifecycle Management (PLM) product that allowed attackers to obtain files from the platform. This flaw, identified as CVE-2024-21287, was exploited in the wild as a zero-day, prompting the company to urge users to apply the patch immediately to protect their systems.
Oracle Agile PLM is used by over 1,100 companies, primarily large corporations with more than 10,000 employees and revenues exceeding one billion dollars. The number of individual users varies by organization and deployment and is not publicly disclosed.
The vulnerability is rated high severity, with a CVSS score of 7.5. Oracle states that it is remotely exploitable without authentication, meaning an attacker can reach it over the network without a username or password. If left unpatched, it can result in the disclosure of sensitive files, with the disclosure occurring under the privileges of the Agile PLM application itself. Oracle's security alert lists Agile PLM Framework version 9.3.6 as affected.
Although Oracle's initial communication did not confirm active exploitation of the flaw, a subsequent blog post by Eric Maurice, the company's Vice President of Security Assurance, corroborated it, stating that CrowdStrike had reported the vulnerability as being exploited in the wild.
At the time of publication, no further details were available regarding the threat actors or their targets. Given the confirmed exploitation, however, Oracle stresses that the patch should be applied as soon as possible.