CVE-2023-49070

Exploitation Summary

CVE-2023-49070 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 9 public exploits from researchers including abdoghazy2015, D0g3-8Bit, UserConnecting, including a Metasploit module exploits/linux/http/apache_ofbiz_deserialization. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2023-49070, a pre-authentication RCE vulnerability in Apache OFBiz due to XML-RPC Java deserialization. The exploit leverages ysoserial to generate payloads for RCE, DNS exfiltration, and reverse shell attacks.

Description

Pre-auth RCE in Apache Ofbiz 18.12.09. It's due to XML-RPC no longer maintained still present. This issue affects Apache OFBiz: before 18.12.10. Users are recommended to upgrade to version 18.12.10

Exploits (9)

nomisec WORKING POC 59 stars

by abdoghazy2015 · remote

https://github.com/abdoghazy2015/ofbiz-CVE-2023-49070-RCE-POC

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2023-49070, a pre-authentication RCE vulnerability in Apache OFBiz due to XML-RPC Java deserialization. The exploit leverages ysoserial to generate payloads for RCE, DNS exfiltration, and reverse shell attacks.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Apache OFBiz < 18.12.10

No auth needed

Prerequisites: Java runtime environment (v11) · ysoserial-all.jar in the same directory

MITRE ATT&CK

T1189 - Drive-by Compromise T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC 18 stars

by D0g3-8Bit · local

https://github.com/D0g3-8Bit/OFBiz-Attack

View Code ZIP pw:eip

This repository contains a functional exploit tool for CVE-2023-49070 and CVE-2023-51467 in Apache OFBiz, featuring modules for vulnerability detection, command execution, and memory shell injection. The tool is implemented in Java with a GUI interface and leverages deserialization and Groovy script execution for exploitation.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Apache OFBiz 18.12.09

No auth needed

Prerequisites: Target URL with vulnerable OFBiz instance · Network access to the target

MITRE ATT&CK

T1059 - Command and Scripting Interpreter T1189 - Drive-by Compromise T1505 - Server Software Component

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC 4 stars

by UserConnecting · remote

https://github.com/UserConnecting/Exploit-CVE-2023-49070-and-CVE-2023-51467-Apache-OFBiz

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2023-49070 and CVE-2023-51467, targeting Apache OFBiz versions prior to 18.12.10. The exploit leverages an authentication bypass and deserialization vulnerability to achieve remote code execution (RCE) or a reverse shell.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Apache OFBiz < 18.12.10

No auth needed

Prerequisites: Java runtime environment (preferably Java 11) · ysoserial-all.jar in the same directory as the exploit

MITRE ATT&CK

T1189 - Drive-by Compromise T1203 - Exploitation for Client Execution T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC 1 stars

by yukselberkay · remote

https://github.com/yukselberkay/CVE-2023-49070_CVE-2023-51467

View Code ZIP pw:eip

The repository contains a functional exploit for CVE-2023-49070, leveraging deserialization via ysoserial to achieve remote code execution (RCE) on Apache OFBiz. It also includes a scanner to detect CVE-2023-51467 by checking for a vulnerable endpoint response.

Classification

Working Poc 95%

Attack Type

Deserialization

Complexity

Moderate

Reliability

Reliable

Target: Apache OFBiz

No auth needed

Prerequisites: Java runtime · ysoserial.jar · network access to target

MITRE ATT&CK

T1189 - Drive-by Compromise T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC 1 stars

by 0xrobiul · remote

https://github.com/0xrobiul/CVE-2023-49070

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2023-49070, a pre-authentication RCE vulnerability in Apache OFBiz. The exploit leverages deserialization via XML-RPC with a YSoSerial payload to achieve remote code execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Apache OFBiz

No auth needed

Prerequisites: OpenJDK 11 · ysoserial-all.jar

MITRE ATT&CK

T1189 - Drive-by Compromise T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 18, 2026 Full analysis →

github SCANNER

by dyeat · pythonpoc

https://github.com/dyeat/cve-reproduction/tree/main/Apache/OFBiz/CVE-2023-49070

View Code ZIP pw:eip

The repository contains a Python script that checks the version of Apache OFBiz by sending an HTTP request to a specific endpoint and parsing the response to determine if the target is vulnerable to CVE-2023-49070. It does not exploit the vulnerability but scans for its presence.

Classification

Scanner 95%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Apache OFBiz versions below 18.12.10

No auth needed

Prerequisites: Network access to the target Apache OFBiz instance

MITRE ATT&CK

T1005 - Data from Local System T1552 - Unsecured Credentials

devstral-2 · analyzed May 22, 2026 Full analysis →

nomisec WORKING POC

by Praison001 · remote

https://github.com/Praison001/Apache-OFBiz-Auth-Bypass-and-RCE-Exploit-CVE-2023-49070-CVE-2023-51467

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2023-49070 and CVE-2023-51467, targeting Apache OFBiz. The exploit leverages XML-RPC deserialization to achieve pre-authentication RCE via a reverse shell payload.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Apache OFBiz 18.12.10 and below

No auth needed

Prerequisites: ysoserial-all.jar in the same directory · Java environment for serialization · Network connectivity to the target

MITRE ATT&CK

T1189 - Drive-by Compromise T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 18, 2026 Full analysis →

vulncheck_xdb WORKING POC

remote

https://github.com/jakabakos/Apache-OFBiz-Authentication-Bypass

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2023-49070, an authentication bypass vulnerability in Apache OFBiz. The exploit leverages deserialization via ysoserial to achieve remote code execution (RCE) on vulnerable instances.

Classification

Working Poc 95%

Attack Type

Auth Bypass | Deserialization | Rce

Complexity

Moderate

Reliability

Reliable

Target: Apache OFBiz (versions affected by CVE-2023-49070)

No auth needed

Prerequisites: ysoserial-all.jar · network access to target · vulnerable Apache OFBiz instance

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1078 - Valid Accounts T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 25, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by Alvaro Muñoz, wvu, h00die · rubypocunix

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/apache_ofbiz_deserialization.rb

View Code ZIP pw:eip

This Metasploit module exploits a Java deserialization vulnerability in Apache OFBiz's XML-RPC endpoint, leveraging either the ROME or CommonsBeanutils1 gadget chains depending on the target version. It includes an authentication bypass for versions up to 18.12.11 via CVE-2023-51467.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Apache OFBiz versions prior to 17.12.01 and up to 18.12.11

No auth needed

Prerequisites: Network access to the target's XML-RPC endpoint · Vulnerable version of Apache OFBiz

MITRE ATT&CK