CWE-CWE-502

,

AV:N/AC:M/Au:N/C:N/I:P/A:N

,

Apache OFBiz XMLRPC Deserialization RCE (CVE-2020-9496/CVE-2023-49070)

Severity:

High

Summary

Webtools XMLRPC endpoint of Apache OFBiz uses unsafe java deserialization and it's vulnerable to deserialization attacks. An attacker could exploit this vulnerability using specially-crafted serialized data to execute arbitrary code on the system or to perform a denial of service attack.

Impact

A remote attacker can gain Remote Code Execution

Remediation

Upgrade to the latest version of Apache OFBiz

Required Skills for Successful Exploitation

Actions To Take

Classifications

,

AV:N/AC:M/Au:N/C:N/I:P/A:N

,

Vulnerability Index

You can search and find all vulnerabilities

Select Category

Select Vulnerability

Select Vulnerability

Related Vulnerabilities

Apache OFBiz XMLRPC Deserialization RCE (CVE-2020-9496/CVE-2023-49070)

Sitecore XM/XP Insecure Deserialization (CVE-2025-27218)

Oracle Access Manager 'opensso' Deserialization RCE (CVE-2021-35587)

SharePoint "ToolShell" RCE (CVE-2025-49704/CVE-2025-49706/CVE-2025-53770/CVE-2025-53771)

Apache OFBiz SOAPService Deserialization RCE

Featured resources

Strengthening enterprise application security: Invicti acquires Kondukto

Read this article

Modern AppSec KPIs: Moving from scan counts to real risk reduction

Read this article

Friends don’t let friends shift left: Shift smarter with DAST-first AppSec

Read this article

Vibe talking: Dan Murphy on the promises, pitfalls, and insecurities of vibe coding

Read this article

Strengthening enterprise application security: Invicti acquires Kondukto

Read this article

Modern AppSec KPIs: Moving from scan counts to real risk reduction

Read this article

Friends don’t let friends shift left: Shift smarter with DAST-first AppSec

Read this article

Vibe talking: Dan Murphy on the promises, pitfalls, and insecurities of vibe coding

Read this article

View all resources

Build your resistance to threats. And save hundreds of hours each month.