9 January 2024

Researchers sound alarm over surge in exploitation of critical Apache OFBiz RCE flaw


SonicWall researchers said they have been observing thousands of daily attempts to exploit a critical vulnerability in the Apache OFBiz (Open For Business) system for nearly two weeks.

Tracked as CVE-2023-51467, the vulnerability is an authentication bypass flaw, which, if exploited, would allow a remote hacker to circumvent authentication processes, enabling them to remotely execute arbitrary code. The flaw was first disclosed in December 2023, and since then, attackers have been relentless in their efforts to exploit it.

OFBiz, with its wide install base, has become a prime target for malicious actors seeking to compromise the security of organizations relying on the open-source ERP system. Notably, Apache OFBiz is extensively used in various software applications, including Atlassian Jira, which is utilized by more than 120,000 companies.

Security researchers from The Shadowserver Foundation reported last month that they observed a surge in scanning activity using a published proof of concept for CVE-2023-49070, a pre-authentication Remote Code Execution (RCE) flaw in Apache OFBiz. The flaw exists due to the presence of an unmaintained XML-RPC interface, which can be abused by a remote hacker to compromise the affected system. It was addressed in OFBiz version 18.12.10, released on December 5, 2023.

Apache OFBiz users are strongly advised to upgrade their systems to at least version 18.12.11. SonicWall researchers developed an Intrusion Prevention System (IPS) signature, IPS:15949, specifically designed to detect and thwart active exploitation attempts targeting the identified vulnerability.

Separately, Shadowserver has warned of a rise in scanning and exploitation attempts against Apache RocketMQ services vulnerable to a remote command execution flaw identified as CVE-2023-33246 and CVE-2023-37582.
