Check out this excellent writeup on an Apache OFBiz deserialization vuln from my coworker Dusan (I just reviewed the writeup):
https://www.zerodayinitiative.com/blog/2020/9/14/cve-2020-9496-rce-in-apache-ofbiz-xmlrpc-via-deserialization-of-untrusted-data
This is essentially what one of the core parts of our N-day research reports looks like.