Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Second Apache OFBiz Vulnerability Exploited in Attacks

CISA is warning organizations that a second Apache OFBiz flaw is being exploited in the wild shortly after the release of PoC exploits.

Apache OFBiz exploited

The US cybersecurity agency CISA on Tuesday added a second Apache OFBiz flaw to its Known Exploited Vulnerabilities (KEV) catalog.

The vulnerability, tracked as CVE-2024-38856, has been described as an incorrect authorization issue that can allow unauthenticated endpoints to execute screen rendering code under certain conditions. 

Apache OFBiz versions through 18.12.14 are impacted, and version 18.12.15 includes a fix.  

SonicWall, whose researchers discovered the vulnerability, described it as a critical issue that can allow unauthenticated remote code execution.

Proof-of-concept (PoC) exploits targeting CVE-2024-38856 started emerging after the flaw’s disclosure in early August, and now CISA is warning organizations about attacks exploiting the weakness

No information has been shared about the attacks. 

CVE-2024-38856 is the second Apache OFBiz vulnerability that has been exploited in attacks in recent weeks. 

The other flaw, tracked as CVE-2024-32113, was discovered in May and exploitation attempts were first spotted in late July. This is a path traversal bug that could lead to remote command execution.

Advertisement. Scroll to continue reading.

The SANS Technology Institute’s Internet Storm Center reported seeing evidence that threat actors may have tried to add an exploit for CVE-2024-32113 to variants of the Mirai botnet. 

Apache OFBiz, a free framework for creating ERP applications, is used by many companies, mainly in the United States, but also in India and Europe. 

Related: Critical Apache OFBiz Vulnerability in Attacker Crosshairs

Related: CISA Warns of Exploited Vulnerabilities Impacting Dahua Products

Related: CISA Warns of Avtech Camera Vulnerability Exploited in Wild

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Hear from experts as they explore the latest trends, challenges and innovations in Attack Surface Management.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Janet Rathod has been named VP and CISO at Johns Hopkins University.

Barbara Larson has joined SentinelOne as Chief Financial Officer.

Amy Howland has been named Partner and CISO at Guidehouse.

More People On The Move

Expert Insights