Cyber Posture

CVE-2025-54466

CriticalRCE

Published: 15 August 2025

Published
15 August 2025
Modified
04 November 2025
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0022 44.4th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-54466 is a critical-severity Code Injection (CWE-94) vulnerability in Apache Ofbiz. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 44.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly mandates timely remediation of the code injection flaw by applying the vendor-recommended upgrade to Apache OFBiz 24.09.02.

SI-10 Information Input Validation good match
prevent

Requires validation of all information inputs to block malicious code injection via unauthenticated requests to the scrum plugin.

CM-7 Least Functionality partial match
prevent

Limits system to least functionality by permitting disablement of the unnecessary scrum plugin, thereby eliminating exposure to this vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

Direct unauthenticated RCE via code injection in a public-facing web application (Apache OFBiz scrum plugin).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Improper Control of Generation of Code ('Code Injection') vulnerability leading to a possible RCE in Apache OFBiz scrum plugin. This issue affects Apache OFBiz: before 24.09.02 only when the scrum plugin is used. Even unauthenticated attackers can exploit this vulnerability.…

more

Users are recommended to upgrade to version 24.09.02, which fixes the issue.

Deeper analysisAI

CVE-2025-54466 is an Improper Control of Generation of Code ('Code Injection') vulnerability, classified under CWE-94, that enables potential remote code execution (RCE) in the scrum plugin of Apache OFBiz. This issue affects Apache OFBiz versions prior to 24.09.02, but only when the scrum plugin is in use. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its high impact on confidentiality, integrity, and availability.

Unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows remote code execution on the affected system, potentially granting full control to the attacker.

Apache advisories recommend upgrading to version 24.09.02, which resolves the issue. Additional details are available in the official JIRA ticket (OFBIZ-13276), mailing list announcement, download page, release notes for 24.09.02, and the Apache OFBiz security page.

Details

CWE(s)
CWE-94

Affected Products

apache
ofbiz
≤ 24.09.02

CVEs Like This One

CVE-2025-59059Same vendor: Apache
CVE-2025-33042Same vendor: Apache
CVE-2026-40563Same vendor: Apache
CVE-2025-54550Same vendor: Apache
CVE-2024-51941Same vendor: Apache
CVE-2024-56373Same vendor: Apache
CVE-2026-34197Same vendor: Apache
CVE-2026-40466Same vendor: Apache
CVE-2025-24783Same vendor: Apache
CVE-2026-24343Same vendor: Apache

References