CVE-2020-9496

MEDIUM · EXPLOITED IN THE WILD · NUCLEI

Apache OFBiz 17.12.03 - Deserialization of Untrusted Data and Cross-Site Scripting via XML-RPC Requests


Exploitation Summary

CVE-2020-9496 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 10 public exploits from researchers including Adrián Díaz, g33xter, yuaneuro. A Nuclei detection template is also available.

AI-analyzed exploit summary: This exploit leverages unsafe deserialization in Apache OFBiz 17.12.01 via XML-RPC endpoints to achieve remote command execution. It uses ysoserial to generate malicious payloads and delivers them through crafted XML-RPC requests.

Description

XML-RPC requests are vulnerable to unsafe deserialization and Cross-Site Scripting issues in Apache OFBiz 17.12.03.

Exploits (10)

exploitdb · WORKING POC
by Adrián Díaz · bash · webapps · java
https://www.exploit-db.com/exploits/50178

This exploit leverages unsafe deserialization in Apache OFBiz 17.12.01 via XML-RPC endpoints to achieve remote command execution. It uses ysoserial to generate malicious payloads and delivers them through crafted XML-RPC requests.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache OFBiz 17.12.01
No auth needed
Prerequisites: Attacker-controlled HTTP server to host shell.sh · Network connectivity to target · ysoserial.jar for payload generation
devstral-2 · analyzed Feb 16, 2026
nomisec · WORKING POC · 7 stars
by g33xter · remote
https://github.com/g33xter/CVE-2020-9496

This repository provides a functional exploit for CVE-2020-9496, leveraging unsafe Java deserialization in Apache OFBiz's xmlrpc endpoint to achieve remote code execution (RCE). The PoC uses ysoserial to generate a malicious payload and delivers it via a crafted XMLRPC request.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache OFBiz versions 17.12.01 and below
No auth needed
Prerequisites: Access to ysoserial JAR file · HTTP server to host shell script · Network access to target's xmlrpc endpoint
devstral-2 · analyzed Feb 18, 2026
nomisec · WORKING POC · 6 stars
by yuaneuro · remote
https://github.com/yuaneuro/ofbiz-poc

This repository contains functional exploit code for CVE-2021-26295, a deserialization vulnerability in Apache OFBiz. The PoC leverages ysoserial to generate malicious payloads and uses DNS logging for verification, demonstrating remote code execution capabilities.

Classification: Working PoC (95%)
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Apache OFBiz
No auth needed
Prerequisites: Access to ysoserial.jar · Network access to target OFBiz instance
devstral-2 · analyzed Feb 18, 2026
nomisec · WORKING POC · 3 stars
by s4dbrd · poc
https://github.com/s4dbrd/CVE-2020-9496

This repository contains a functional exploit for CVE-2020-9496, an unsafe deserialization vulnerability in Apache OFBiz. The exploit leverages the ysoserial tool to generate malicious payloads and sends them to the vulnerable XML-RPC endpoint, resulting in remote code execution.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache OFBiz versions 17.12.01 and below
No auth needed
Prerequisites: Attacker-controlled HTTP server to host payloads · Network connectivity to the target's XML-RPC endpoint · Java runtime environment for ysoserial
devstral-2 · analyzed Feb 18, 2026
nomisec · SCANNER · 3 stars
by dwisiswant0 · poc
https://github.com/dwisiswant0/CVE-2020-9496

The repository provides setup instructions for a vulnerable Apache OFBiz environment and references a Nuclei template for detecting CVE-2020-9496, which is a deserialization vulnerability. It does not include direct exploit code but leverages an external scanner.

Classification: Scanner (90%)
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Apache OFBiz 17.12.01
No auth needed
Prerequisites: Vulnerable Apache OFBiz instance · Nuclei installed
devstral-2 · analyzed Feb 18, 2026
nomisec · WORKING POC · 2 stars
by Ly0nt4r · remote
https://github.com/Ly0nt4r/CVE-2020-9496

This repository contains a functional exploit for CVE-2020-9496, targeting Apache OFBiz 17.12.01 via unsafe deserialization in XML-RPC requests. The exploit automates the delivery of a reverse shell payload using ysoserial and curl commands.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache OFBiz 17.12.01
No auth needed
Prerequisites: Network access to the target · Python 3 environment · ysoserial JAR file · Netcat listener
devstral-2 · analyzed Feb 18, 2026
nomisec · SUSPICIOUS · 1 star
by Vulnmachines · remote
https://github.com/Vulnmachines/apache-ofbiz-CVE-2020-9496

The repository contains only a README with a YouTube link and no actual exploit code or technical details about CVE-2020-9496. This is indicative of a social engineering lure rather than a legitimate PoC.

Classification: Suspicious (90%)
Attack Type: Other
Complexity: Theoretical
Reliability: Theoretical
Target: Apache OFBiz
No auth needed
devstral-2 · analyzed Feb 18, 2026
gitlab · WORKING POC
by ambalabanov · poc
https://gitlab.com/ambalabanov/CVE-2020-9496

This repository contains a functional exploit for CVE-2020-9496, which targets an unsafe deserialization vulnerability in Apache OFBiz 17.12.03. The exploit uses ysoserial to generate a malicious payload and sends it via an XML-RPC request to achieve remote code execution.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache OFBiz 17.12.03
No auth needed
Prerequisites: ysoserial.jar · Python dependencies listed in requirements.txt
devstral-2 · analyzed May 20, 2026
nomisec · WORKING POC
by ambalabanov · remote
https://github.com/ambalabanov/CVE-2020-9496

This repository contains a functional exploit for CVE-2020-9496, which leverages unsafe deserialization in Apache OFBiz 17.12.03 via XML-RPC requests. The exploit uses ysoserial to generate a malicious payload and sends it to the target endpoint to achieve remote code execution.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache OFBiz 17.12.03
No auth needed
Prerequisites: ysoserial.jar · Python environment with requests library
devstral-2 · analyzed Feb 18, 2026
nomisec · WORKING POC
by cyber-niz · remote
https://github.com/cyber-niz/CVE-2020-9496

This repository provides a functional exploit for CVE-2020-9496, an unsafe deserialization vulnerability in Apache OFBiz. The exploit leverages ysoserial to generate a malicious payload, which is then sent via a crafted XMLRPC request to achieve remote code execution (RCE).

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache OFBiz versions 17.12.01 and below
No auth needed
Prerequisites: Access to ysoserial · HTTP server to host payload · Netcat listener for reverse shell
devstral-2 · analyzed Feb 18, 2026

Nuclei Templates (1)

Apache OFBiz 17.12.03 - Cross-Site Scripting
MEDIUM · by dwisiswant0
Shodan: http.html:"ofbiz" || ofbiz.visitor=
FOFA: body="ofbiz" || app="apache_ofbiz"

References (10)

Core References (10)
Mailing List, Vendor Advisory · x_refsource_misc
https://s.apache.org/l0994
Exploit, Third Party Advisory, VDB Entry · x_refsource_misc
http://packetstormsecurity.com/files/158887/Apache-OFBiz-XML-RPC-Java-Deserialization.html
Exploit, Third Party Advisory, VDB Entry · x_refsource_misc
http://packetstormsecurity.com/files/161769/Apache-OFBiz-XML-RPC-Java-Deserialization.html

Scores

CVSS v3 6.1
EPSS 0.9376
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

VulnCheck KEV 2021-09-22
InTheWild.io 2021-09-22
CWE
CWE-502 CWE-79
Status published
Products (1)
apache/ofbiz 17.12.03
Published Jul 15, 2020
Tracked Since Feb 18, 2026