
Critical Apache OFBiz Flaw (CVE-2025-59118) Enables Remote Command Execution through Unrestricted File Upload

  • Nov 12, 2025

Key Findings


  • Newly disclosed vulnerabilities in Apache OFBiz, an open-source ERP platform

  • CVE-2025-59118: Unrestricted File Upload vulnerability allowing remote command execution (RCE)

  • CVE-2025-61623: Reflected cross-site scripting (XSS) vulnerability


Background


Apache OFBiz is an open-source enterprise resource planning (ERP) suite used to run critical business workflows, including accounting, e-commerce, order handling and inventory management. Because it is widely deployed and typically holds financial and customer data, and because its web applications are often reachable from the network, vulnerabilities in OFBiz can have a significant impact on the organizations that rely on it.


CVE-2025-59118: Unrestricted File Upload Vulnerability


  • Classified as an "Unrestricted Upload of File with Dangerous Type" vulnerability (CWE-434)

  • Allows a remote attacker to upload files of a type the application should never accept, such as server-side scripts, because the affected upload path does not adequately validate or sanitize what is submitted

  • If the uploaded file lands where the servlet container or OFBiz itself will execute it, the attacker obtains remote command execution (RCE) with the privileges of the account running the OFBiz service

  • That foothold is enough to deploy a persistent web shell, read or alter the business data held in the ERP, and pivot deeper into the network; full control of the underlying operating system follows only where OFBiz runs as a privileged user or a local privilege escalation is available
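The weakness class behind this bullet list, as an added example that is not Apache OFBiz code and does not describe the actual OFBiz code path (the advisory gives no detail on it): an upload handler that trusts the client's file name and contents, beside a hardened version that allowlists types, checks the content against the declared type and never reuses the client's name. The ALLOWED_TYPES policy, both handlers and the sample uploads are constructed for the illustration.

```python
"""Added illustration of 'unrestricted upload of file with dangerous type' (CWE-434).
Not Apache OFBiz code: handlers, ALLOWED_TYPES policy and sample uploads are constructed."""
import os
import secrets
import tempfile

# Assumed policy: extension the server will accept -> magic bytes the content must start with.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}


class UploadRejected(ValueError):
    """Raised by safe_save() for anything that fails validation."""


def unsafe_save(upload_dir: str, client_filename: str, data: bytes) -> str:
    """Vulnerable pattern, kept vulnerable on purpose: the client-supplied name decides
    both where the file lands and what type the server will later treat it as."""
    path = os.path.join(upload_dir, client_filename)  # '../' and '.jsp' go straight through
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def safe_save(upload_dir: str, client_filename: str, data: bytes,
              max_bytes: int = 5_000_000) -> str:
    """Hardened pattern: allowlist the type, verify the content matches it, and store
    under a server-generated name that is guaranteed to stay inside upload_dir."""
    if len(data) > max_bytes:
        raise UploadRejected("payload too large")
    # Only the final extension of the last path component is consulted; the client's
    # name is never reused, so traversal and double extensions have nothing to act on.
    base = os.path.basename(client_filename.replace("\\", "/"))
    _, dot, ext = base.rpartition(".")
    ext = ext.lower()
    if not dot or ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext!r} not in allowlist")
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match declared type")
    os.makedirs(upload_dir, exist_ok=True)
    path = os.path.join(upload_dir, f"{secrets.token_hex(16)}.{ext}")
    root = os.path.realpath(upload_dir)
    if os.path.commonpath([root, os.path.realpath(path)]) != root:
        raise UploadRejected("path escaped upload directory")
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def rejected(upload_dir: str, client_filename: str, data: bytes) -> bool:
    """True when safe_save() refuses the upload."""
    try:
        safe_save(upload_dir, client_filename, data)
    except UploadRejected:
        return True
    return False


def demo() -> dict:
    """Run both handlers against constructed uploads in a scratch directory tree
    (uploads/ next to a webapp/ directory, standing in for a served location)."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "uploads")
    os.makedirs(uploads)
    os.makedirs(os.path.join(root, "webapp"))
    # Constructed attacker request (not a real OFBiz payload): traversal name plus script body.
    shell = ("../webapp/x.jsp", b"<% out.println(\"shell\"); %>")
    disguised = ("photo.png", b"<% out.println(\"shell\"); %>")  # right extension, wrong content
    image = ("holiday.png", ALLOWED_TYPES["png"] + b"\x00" * 16)

    results = {}
    written = unsafe_save(uploads, *shell)
    real_uploads = os.path.realpath(uploads)
    results["unsafe_landed_outside_uploads"] = (
        os.path.commonpath([real_uploads, os.path.realpath(written)]) != real_uploads)
    results["unsafe_kept_script_extension"] = written.endswith(".jsp")
    results["safe_rejects_script"] = rejected(uploads, *shell)
    results["safe_rejects_disguised"] = rejected(uploads, *disguised)
    saved = safe_save(uploads, *image)
    results["safe_stores_under_new_name"] = (
        os.path.dirname(os.path.realpath(saved)) == real_uploads
        and os.path.basename(saved) != "holiday.png"
        and saved.endswith(".png"))
    with open(saved, "rb") as fh:
        results["safe_preserves_content"] = fh.read() == image[1]
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The magic-byte check is what stops the "photo.png that is really a script" case; the server-generated name is what makes the traversal and double-extension tricks irrelevant. Storing uploads outside any directory the servlet container serves or compiles is the remaining piece, and it is a deployment decision rather than code.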


CVE-2025-61623: Reflected Cross-Site Scripting (XSS) Vulnerability


  • Allows an attacker to have JavaScript of their choosing run in a victim's browser by luring the victim to a crafted OFBiz URL whose parameter value is reflected into the page without proper output encoding

  • The script executes in the origin of the OFBiz site, so it can read what the page can read and send requests with the victim's session: stealing cookies that are not marked HttpOnly, impersonating the user, or performing unauthorized actions within OFBiz's web management console on the victim's behalf

  • Most serious in multi-user administrative environments, where an administrator is the natural target; because reflected XSS requires the victim to follow a link, the usual delivery is a social engineering or phishing campaign
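The reflection pattern described above, as an added example that is not OFBiz code: a page that echoes a request parameter into both an HTML text context and a link, rendered three ways. The template, the renderers, the demo oracle and the sample parameter values are constructed for the illustration.

```python
"""Added illustration of reflected XSS: one request parameter echoed into two HTML
contexts. Not OFBiz code; template, renderers and sample values are constructed."""
import html
import urllib.parse


def render_unsafe(query: str) -> str:
    """Vulnerable: the raw parameter is concatenated into HTML text and into an href."""
    return f'<h1>Results for {query}</h1><a href="/search?q={query}">again</a>'


def render_half_safe(query: str) -> str:
    """Common mistake: one HTML-text escape (quotes left alone) reused for every context."""
    text = html.escape(query, quote=False)
    return f'<h1>Results for {text}</h1><a href="/search?q={text}">again</a>'


def render_safe(query: str) -> str:
    """Encode per output context: HTML text with quotes escaped, and a URL query
    component percent-encoded first and attribute-escaped second."""
    text = html.escape(query, quote=True)
    href = html.escape("/search?q=" + urllib.parse.quote(query, safe=""), quote=True)
    return f'<h1>Results for {text}</h1><a href="{href}">again</a>'


def breaks_out(rendered: str) -> bool:
    """Demo-only oracle: a raw script tag, or a quote followed by an event handler,
    means the parameter escaped the context it was meant to stay in."""
    low = rendered.lower()
    return "<script" in low or '" on' in low


def demo() -> dict:
    """Constructed payloads: one for the text context, one that closes the href attribute."""
    script_payload = "<script>alert(document.cookie)</script>"
    attr_payload = '" onmouseover="alert(1)'
    return {
        "unsafe_script": breaks_out(render_unsafe(script_payload)),      # True
        "half_safe_attr": breaks_out(render_half_safe(attr_payload)),    # True: quotes untouched
        "safe_script": breaks_out(render_safe(script_payload)),          # False
        "safe_attr": breaks_out(render_safe(attr_payload)),              # False
    }


if __name__ == "__main__":
    for case, escaped in demo().items():
        print(f"{case}: {'vulnerable' if escaped else 'ok'}")
```

The half-safe renderer is the instructive one: escaping `<` and `>` is enough for the heading but not for the attribute, where a bare `"` ends the href and an event handler follows. An auto-escaping template engine covers the text case; the URL still needs percent-encoding, and a Content-Security-Policy on the response limits what any reflection that does slip through can do.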


Mitigation and Recommendations


  • Both issues affect Apache OFBiz releases before 24.09.03; the Apache Software Foundation (ASF) has released version 24.09.03, which addresses both vulnerabilities

  • ASF strongly urges immediate upgrades to mitigate the risk of exploitation

  • Organizations running Apache OFBiz should prioritize the security update and confirm the deployed version afterwards; until it is applied, limiting network access to the OFBiz web applications (the administrative ones in particular) and checking upload locations for unexpected script files reduces exposure of critical business systems and data
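Two checks a defender would want to script for the guidance above, as an added example that is not an ASF or OFBiz tool: a version comparison against the fixed release, and a sweep of a directory that should hold only user uploads for files that look like scripts. The fixed version 24.09.03 comes from the advisories; the version strings, the extension watch-list, the content markers and the sample directory are constructed for the illustration.

```python
"""Added triage helper: fixed-version check plus a scan of an upload directory for
script-like files. Not an ASF/OFBiz tool; watch-list and samples are constructed."""
import os
import re
import tempfile

FIXED_VERSION = (24, 9, 3)  # Apache OFBiz 24.09.03, the release carrying both fixes

# Assumed watch-list: extensions a servlet container or OFBiz itself may execute.
SCRIPT_EXTENSIONS = {"jsp", "jspx", "groovy", "ftl", "sh", "war", "jar"}
# Leading bytes that do not belong in an image, PDF or office document.
SCRIPT_MARKERS = (b"<%", b"<?php", b"#!")


def parse_version(text: str):
    """Pull a YY.MM.PP OFBiz release number out of free text, e.g. 'Apache OFBiz 24.09.02'."""
    m = re.search(r"\b(\d{2})\.(\d{2})\.(\d{2})\b", text)
    return tuple(int(g) for g in m.groups()) if m else None


def is_affected(version_text: str) -> bool:
    """True when the reported release is earlier than 24.09.03, i.e. inside the
    advisories' 'before 24.09.03' range (older release lines included)."""
    version = parse_version(version_text)
    if version is None:
        raise ValueError(f"no OFBiz release number in {version_text!r}")
    return version < FIXED_VERSION


def suspicious_files(directory: str) -> list:
    """Walk a directory that should contain only uploaded content and flag files whose
    extension is on the watch-list or whose first bytes look like script source."""
    hits = []
    for dirpath, _, filenames in os.walk(directory):
        for name in filenames:
            path = os.path.join(dirpath, name)
            ext = name.rpartition(".")[2].lower()
            with open(path, "rb") as fh:
                head = fh.read(16).lstrip()
            if ext in SCRIPT_EXTENSIONS or head.startswith(SCRIPT_MARKERS):
                hits.append(os.path.relpath(path, directory))
    return sorted(hits)


def demo() -> list:
    """Build a constructed upload directory and return what the scan flags."""
    root = tempfile.mkdtemp()
    samples = {
        "invoice.pdf": b"%PDF-1.7\n%...",
        "cmd.jsp": b"<% out.println(\"shell\"); %>",
        "avatar.png": b"<% out.println(\"shell\"); %>",  # script hiding behind an image name
        "notes.txt": b"plain text",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    return suspicious_files(root)


if __name__ == "__main__":
    for banner in ("Apache OFBiz 24.09.02", "Apache OFBiz 24.09.03"):
        print(banner, "-> affected" if is_affected(banner) else "-> fixed")
    print("flagged:", demo())
```

Point suspicious_files() only at locations meant for uploaded content; the OFBiz source tree itself is full of legitimate .ftl and .groovy files and would drown the result. A hit does not prove compromise, but any script-like file under an upload path deserves a look at its timestamp and the access logs around it before the upgrade is taken as the end of the incident.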


Sources


  • https://securityonline.info/critical-apache-ofbiz-flaw-cve-2025-59118-allows-remote-command-execution-via-unrestricted-file-upload/

  • https://securityonline.info/critical-synology-beestation-zero-day-cve-2025-12686-found-at-pwn2own-allows-remote-code-execution/

© 2025 by Explain IT Again.
