On Tuesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a critical security flaw in the Apache OFBiz open-source enterprise resource planning (ERP) system to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The issue, identified as CVE-2024-38856, has a CVSS rating of 9.8, signifying a critical level of severity. CISA stated, “Apache OFBiz has a flaw in authorization that could permit remote code execution through a Groovy payload within the OFBiz user process by an unauthenticated attacker.”
The vulnerability first came to light earlier this month, when SonicWall described it as a workaround bypass for another flaw, CVE-2024-36104, which also allows remote code execution via specially crafted requests.