AV:N/AC:M/Au:N/C:C/I:C/A:C

,

CWE-CWE-502

,

Apache OFBiz SOAPService Deserialization RCE

Severity:

High

Summary

Apache OFBiz versions prior to 17.12.06 are vulnerable to a Java deserialization vulnerability that affects the unauthenticated SOAP endpoint /webtools/control/SOAPService. This vulnerability allows an attacker to execute arbitrary code on the affected system.

Impact

An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz.

Remediation

Upgrade to the latest version of Apache OFBiz. This issue was fixed in version 17.12.06.

Required Skills for Successful Exploitation

Actions To Take

Classifications

AV:N/AC:M/Au:N/C:C/I:C/A:C

,

,

Vulnerability Index

You can search and find all vulnerabilities

Select Category

Select Vulnerability

Related Vulnerabilities

SharePoint "ToolShell" RCE (CVE-2025-49704/CVE-2025-49706/CVE-2025-53770/CVE-2025-53771)

Oracle Access Manager 'opensso' Deserialization RCE (CVE-2021-35587)

Apache OFBiz SOAPService Deserialization RCE

Apache OFBiz XMLRPC Deserialization RCE (CVE-2020-9496/CVE-2023-49070)

Sitecore XM/XP Insecure Deserialization (CVE-2025-27218)

Featured resources

Strengthening enterprise application security: Invicti acquires Kondukto

Read this article

Modern AppSec KPIs: Moving from scan counts to real risk reduction

Read this article

Friends don’t let friends shift left: Shift smarter with DAST-first AppSec

Read this article

Vibe talking: Dan Murphy on the promises, pitfalls, and insecurities of vibe coding

Read this article

No items found.

View all resources

Build your resistance to threats. And save hundreds of hours each month.