
CVE-2026-45434 -- CVSS 9.8 Vulnerability Briefing

CVE-2026-45434 | CVSS 9.8 (Critical) | Exploit: No known exploit

What Is It

CVE-2026-45434 is a critical improper-authentication vulnerability in Apache OFBiz, an open-source enterprise resource planning (ERP) platform. It stems from a flaw in the application's password-change logic that an attacker can leverage to achieve remote code execution on the server hosting OFBiz.

Technical Detail

The vulnerability affects Apache OFBiz versions prior to 24.09.06. In those versions the password-change workflow does not properly authenticate or authorize the requesting party before it processes the operation, so a remote attacker who is unauthenticated, or who holds only low privileges, can abuse the logic flaw to bypass authentication controls and ultimately execute arbitrary code on the underlying server. The pairing of an authentication bypass with a code-execution outcome places the issue in the Critical band, reflected in its CVSS base score of 9.8; under CVSS v3 a 9.8 is consistent with a flaw that is reachable over the network, needs no privileges or user interaction, and has high impact on confidentiality, integrity and availability.

Exploitation Status

No public proof-of-concept or operational exploit has been documented or confirmed as of this briefing, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Prior Apache OFBiz vulnerabilities have attracted rapid weaponization after disclosure, so the absence of a public exploit today should not be read as a lasting reprieve; the critical severity warrants close monitoring for emerging exploit activity.

Who Is Targeting This

Confirmed (ATTAX-verified): Dragonfly (Russia, nation-state motivation), APT28 (Russia, nation-state motivation), OilRig (Iran, nation-state motivation), CURIUM (Iran, nation-state motivation), and Medusa Group (origin unknown, motivation unknown) are all attributed with high confidence to activity involving this vulnerability. Multiple distinct Russian and Iranian state actors alongside a separate criminal or unattributed group indicates broad adversarial interest. No additional reported or research-inferred actors are listed beyond those confirmed. Readers should note that these high-confidence attributions sit alongside the absence of any publicly documented exploit (see Exploitation Status) and weigh the two findings together when prioritising.

What To Do

Organizations running Apache OFBiz should upgrade to version 24.09.06 or later immediately; this is the vendor-recommended remediation and the only complete fix. Given the critical score and the confirmed interest from multiple high-capability threat actors, treat the patch as an emergency change regardless of whether exploit code is public. Where immediate patching is not feasible: restrict external access to OFBiz instances, and in particular keep administrative interfaces off the internet; enforce network-level controls that limit the application to trusted IP ranges; and review authentication and access logs for password-change requests that come from unexpected sources, that do not arrive through the application's own forms, or that appear in bursts, as well as for unexpected session activity. Continue to monitor vendor advisories and threat-intelligence feeds for exploit code targeting this vulnerability.
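The log review recommended above can be scripted. The following is an added example written for this briefing; it is not code from Apache OFBiz, the vendor advisory, or the attribution source. It scans web-server access logs in Apache combined format for requests to password-change endpoints and flags those that originate outside a trusted address range, carry no Referer (so they did not arrive via the application's own change-password form), use an unexpected HTTP method, or repeat from one source. The request names `updatePassword` and `changePassword`, the trusted ranges, and the sample log lines are all assumptions; substitute the password-change request URIs configured in your own deployment.

```python
"""Flag anomalous password-change requests in web-server access logs.

Added example for this briefing, not code from Apache OFBiz or its vendor.
Endpoint names, trusted ranges and the sample log are assumptions.
"""
import ipaddress
import re
from collections import defaultdict

# Apache combined log format:
# host ident user [time] "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# ASSUMPTION: OFBiz serves controller requests as /<webapp>/control/<request>.
# The request names here are placeholders; replace them with the password-change
# request URIs actually defined in your controller configuration.
PASSWORD_CHANGE_RE = re.compile(
    r'^/[^/]+/control/(updatePassword|changePassword)\b', re.IGNORECASE
)

# ASSUMPTION: internal ranges from which administrators legitimately reach OFBiz.
DEFAULT_TRUSTED_NETS = ("10.0.0.0/8", "192.168.0.0/16")

# Constructed sample lines for demonstration; not real traffic.
SAMPLE_LOG = """\
10.20.1.15 - alice [03/Mar/2026:09:12:01 +0000] "POST /partymgr/control/updatePassword HTTP/1.1" 200 512 "https://erp.example.test/partymgr/control/EditPerson" "Mozilla/5.0"
203.0.113.44 - - [03/Mar/2026:09:12:07 +0000] "POST /partymgr/control/updatePassword HTTP/1.1" 200 480 "-" "python-requests/2.31"
203.0.113.44 - - [03/Mar/2026:09:12:08 +0000] "POST /webtools/control/updatePassword HTTP/1.1" 200 480 "-" "python-requests/2.31"
10.20.1.22 - bob [03/Mar/2026:09:13:30 +0000] "GET /ordermgr/control/main HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_anomalous_password_changes(log_text, trusted_nets=DEFAULT_TRUSTED_NETS,
                                    burst_threshold=2):
    """Return a list of findings for password-change requests that look anomalous.

    A request is flagged when it comes from outside trusted_nets, lacks a Referer,
    or is not a POST. A source that issues burst_threshold or more password-change
    requests within the log window is flagged once more as a burst.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    per_ip = defaultdict(list)

    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not PASSWORD_CHANGE_RE.match(rec["path"]):
            continue
        per_ip[rec["ip"]].append(rec)

        reasons = []
        src = ipaddress.ip_address(rec["ip"])
        if not any(src in n for n in nets):
            reasons.append("source outside trusted ranges")
        if rec["referer"] in ("", "-"):
            reasons.append("no Referer: did not arrive via the application's own form")
        if rec["method"] != "POST":
            reasons.append(f"unexpected method {rec['method']}")
        if reasons:
            findings.append({"ip": rec["ip"], "time": rec["time"], "path": rec["path"],
                             "status": rec["status"], "reasons": reasons})

    for ip, recs in per_ip.items():
        if len(recs) >= burst_threshold:
            findings.append({"ip": ip, "time": recs[0]["time"], "path": "*", "status": "*",
                             "reasons": [f"{len(recs)} password-change requests from one source"]})
    return findings


if __name__ == "__main__":
    for f in find_anomalous_password_changes(SAMPLE_LOG):
        print(f"{f['time']}  {f['ip']:15}  {f['path']:45}  {'; '.join(f['reasons'])}")
```

Run against the constructed sample, the script leaves alice's in-network, form-originated change alone and reports the two external scripted requests from 203.0.113.44 plus a burst entry for that source. Point it at real logs with `find_anomalous_password_changes(open(path).read(), trusted_nets=...)`; the Referer heuristic is only a signal, since browsers can be configured to omit it, so treat hits as leads for session-log correlation rather than confirmed abuse.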
