Cyber Resilience

CVE-2025-54466

CriticalRCE

Published: 15 August 2025

Published
15 August 2025
Modified
04 November 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0048 65.6th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-54466 is a critical-severity Code Injection (CWE-94) vulnerability in Apache Ofbiz. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 34.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-54466 is an Improper Control of Generation of Code ('Code Injection') vulnerability, classified under CWE-94, that enables potential remote code execution (RCE) in the scrum plugin of Apache OFBiz. This issue affects Apache OFBiz versions prior to 24.09.02, but only when the scrum plugin is in use. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its high impact on confidentiality, integrity, and availability.

Unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows remote code execution on the affected system, potentially granting full control to the attacker.

Apache advisories recommend upgrading to version 24.09.02, which resolves the issue. Additional details are available in the official JIRA ticket (OFBIZ-13276), mailing list announcement, download page, release notes for 24.09.02, and the Apache OFBiz security page.

EU & UK References

Vulnerability details

Improper Control of Generation of Code ('Code Injection') vulnerability leading to a possible RCE in Apache OFBiz scrum plugin. This issue affects Apache OFBiz: before 24.09.02 only when the scrum plugin is used. Even unauthenticated attackers can exploit this vulnerability.…

more

Users are recommended to upgrade to version 24.09.02, which fixes the issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct unauthenticated RCE via code injection in a public-facing web application (Apache OFBiz scrum plugin).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-46586Same product: Apache Ofbiz
CVE-2026-31910Same product: Apache Ofbiz
CVE-2026-29226Same product: Apache Ofbiz
CVE-2026-45434Same product: Apache Ofbiz
CVE-2026-31909Same product: Apache Ofbiz
CVE-2026-41919Same product: Apache Ofbiz
CVE-2026-35194Same vendor: Apache
CVE-2026-31986Same product: Apache Ofbiz
CVE-2025-59059Same vendor: Apache
CVE-2026-40563Same vendor: Apache

Affected Assets

apache
ofbiz
≤ 24.09.02

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates timely remediation of the code injection flaw by applying the vendor-recommended upgrade to Apache OFBiz 24.09.02.

prevent

Requires validation of all information inputs to block malicious code injection via unauthenticated requests to the scrum plugin.

prevent

Limits system to least functionality by permitting disablement of the unnecessary scrum plugin, thereby eliminating exposure to this vulnerability.

References