The US Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added critical security flaw affecting Apache OFBiz open source enterprise resource planning (ERP) system for its known vulnerabilities (KEV) catalog with reference to evidence of active exploitation in the wild.
The vulnerability, known as CVE-2024-38856, has a CVSS score of 9.8, indicating critical severity.
“Apache OFBiz contains an incorrect authorization vulnerability that could allow an unauthenticated attacker to execute remote code via a Groovy payload in the context of an OFBiz user process,” CISA said.
Details of the vulnerability first came to light earlier this month after SonicWall described it as a patch bypass for another flaw, CVE-2024-36104, which enables remote code execution through specially crafted queries.
“A flaw in the view override feature exposes critical endpoints to unauthenticated threat actors via a special request, opening the way for remote code execution,” – SonicWall researcher Khasib Vgora said.
This development comes nearly three weeks after CISA placed a third flaw affecting Apache OFBiz (CVE-2024-32113) in the KEV directory following reports that it was used to deploy the Mirai botnet.
While there are currently no public reports of CVE-2024-38856 being weaponized in the wild, proof-of-concept (PoC) exploits have been made. publicly available.
The active exploitation of the two Apache OFBiz flaws is a sign that attackers have a significant interest and tendency to pounce on publicly disclosed vulnerabilities to opportunistically compromise susceptible instances for nefarious purposes.
Organizations are encouraged to upgrade to 18.12.15 to mitigate the threat. The Federal Civil Executive Board (FCEB) has been instructed to implement the necessary updates by September 17, 2024.
