CISA Flags Critical Apache OFBiz Flaw Amid Active Exploitation Reports

28 August 2024

CISA has added a critical vulnerability in the Apache OFBiz ERP system, tracked as CVE-2024-38856, to its Known Exploited Vulnerabilities catalog. The flaw, rated CVSS 9.8, allows unauthenticated attackers to achieve remote code execution by submitting a Groovy payload. Disclosed earlier this month, it is the latest in a series of issues affecting OFBiz, following CVE-2024-36104, which also enabled remote code execution. Although there are no public reports of CVE-2024-38856 being exploited yet, proof-of-concept exploits are available. Organizations are advised to update to version 18.12.15 to mitigate the risk; federal agencies must do so by September 17, 2024.
