Trending
ee-track">
Link copied!

The Re-Emergence of CVE-2024-32113: How CVE-2024-45195 has amplified Exploitation Risks

The Cyble Global Sensor Intelligence Network (CGSI) detected active exploitation attempts of the Apache OFBiz vulnerability CVE-2024-32113, leading to unauthorized remote code execution.

September 10, 2024 · 3 min read
The Re-Emergence of CVE-2024-32113: How CVE-2024-45195 has amplified Exploitation Risks

Overview

On September 7, 2024, Cyble Global Sensor Intelligence (CGSI) identified the active exploitation of CVE-2024-32113, a critical path traversal vulnerability in the Apache OFBiz open-source enterprise resource planning (ERP) system. This flaw was initially addressed on April 12, 2024, with a formal patch released on May 8, 2024. CVE-2024-32113 allows Threat Actors (TAs) to execute arbitrary commands by sending specially crafted requests, enabling them to gain unauthorized access and execute arbitrary commands.

On September 4, 2024, the identification of CVE-2024-45195 reignited concerns surrounding Apache OFBiz by revealing a bypass for several previously addressed vulnerabilities, notably CVE-2024-32113. This development has intensified the exploitation of CVE-2024-32113, as attackers exploit the flaw’s resurgence to compromise vulnerable systems and deploy malicious payloads. Researchers also observed active exploitation of this vulnerability to deploy the Mirai botnet on the compromised systems.

Cyble Global Sensor Intelligence (CGSI) findings

Cyble Global Sensor Intelligence (CGSI) detected exploitation attempts of CVE-2024-32113 on September 4, 2024. In the instances recorded by CGSI, as illustrated in the figure below, an attacker attempted to access the endpoint /webtools/control/forgotPassword;/ProgramExport through a POST request.

Screenshot of exploitation attempts observed via CGSI network
Figure 1 – Screenshot of exploitation attempts observed via CGSI network

Vulnerability Details

Remote Code Execution

CVE-2024-32113

CVSSv3.1

9.1

Severity

Critical

Vulnerable Software Versions

Apache OFBi versions before 18.12.13

Description

The affected versions of the Apache OFBiz system contain a Path Traversal vulnerability due to improper limitation of pathnames to restricted directory.

Overview of the Exploit

The vulnerability arises from a fragmented state between the application’s current controller and view map due to the use of different parsing methods for incoming URI patterns. When attackers send unexpected URI requests, the logic for retrieving the authenticated view map can become confused, granting the attacker unauthorized access.

Exploitation occurs when an attacker submits a crafted request to the endpoint /webtools/control/forgotPassword;/ProgramExport, embedding a payload that executes Groovy scripts. This enables arbitrary commands to be run on the server. For instance, a payload could be used to execute the id command, which returns user and group IDs, thereby revealing sensitive information about the server environment.

Figure 2 Executing Commands with Payload
Figure 2 – Executing Commands with Payload

Mitigation

CVE-2024-32113 affects Apache OFBiz versions prior to 18.12.13. However, version 18.12.13 remains vulnerable to CVE-2024-45195. Therefore, users are advised to upgrade to the latest version, 18.12.16, which addresses both vulnerabilities.

Recommendations

The recommendations to defend against the exploitation of CVE-2024-32113 and related vulnerabilities are as follows:

  • Upgrade Apache OFBiz to version 18.12.16 or the latest version available. This version addresses both CVE-2024-32113 and CVE-2024-45195.
  • Configure and deploy a WAF to filter and monitor HTTP requests, blocking attempts that exploit path traversal and other known attack vectors.
  • Apply the principle of least privilege to limit the potential impact of any successful exploitation.
  • Regularly review logs for unusual activities, such as unauthorized access attempts or suspicious requests to vulnerable endpoints.

Indicators of Compromise

IndicatorsIndicator
Type
Description
185[.]190[.]24[.]111IPv4Malicious IP

References

AI Threat Intelligence

Stop Executive Threats
Before They Strike

Monitor dark web chatter, detect lookalike domains, and protect your C-suite from targeted impersonation — in real time, across 50+ countries.

Scroll to Top

Book your session

Request a Personalized Demo

See how Cyble's threat intelligence protects your organization. A specialist will reach out within one business day.

Select one or more options

Cyble protects your personal data to manage your account and deliver requested content. Submit your details to receive updates. Withdraw consent anytime. See our privacy policy for details.

Your information is encrypted and never shared.
SOC 2 Type II GDPR compliant Trusted by 1,000+ teams

Download the brochure

Get the Cyble Vision Brochure

Explore how Cyble Vision delivers AI-powered threat intelligence across your attack surface. Fill in your details to access the brochure.

Select one or more options

Cyble protects your personal data to manage your account and deliver requested content. Submit your details to receive updates. Withdraw consent anytime. See our privacy policy for details.

Your information is encrypted and never shared.
SOC 2 Type II GDPR compliant Trusted by 1,000+ teams