CVE-2023-32315 — Ignite Realtime Openfire Path Traversal Vulnerability

CVE-2023-32315

Openfire XMPP Server — Unauthenticated Path Traversal to Admin Console; Exploited to Deploy Web Shells

What is Ignite Realtime Openfire?

Openfire is a widely-deployed open-source XMPP (Jabber) instant messaging server written in Java. It provides real-time messaging, multi-user chat, presence, and extensibility via plugins for enterprises, educational institutions, and government organizations. The Openfire Admin Console is a web-based management interface that controls server configuration, user management, plugin installation, and security settings. Because Openfire servers are often network-accessible and the admin console allows installing Java plugins that run server-side code, unauthorized access to the admin console is equivalent to remote code execution.

Overview

CVE-2023-32315 is a path traversal vulnerability in the Openfire Admin Console's setup endpoint that allows an unauthenticated remote attacker to access restricted administrative pages — including the ability to create new admin users and install malicious plugins for code execution. Openfire patched it in versions 4.7.5 and 4.6.8 released May 23, 2023, but mass exploitation began shortly after public disclosure, with thousands of internet-exposed Openfire instances compromised via web shell installation.

Affected Versions

Product    Affected              Fixed
Openfire   3.10.0 through 4.6.7  4.6.8
Openfire   4.7.0 through 4.7.4   4.7.5

Note: versions before 3.10.0 may also be affected but are not formally listed.

Technical Details

The vulnerability (CWE-22) exists in the Openfire setup flow. After an initial Openfire installation is complete, the setup wizard endpoint is supposed to be inaccessible. However, by crafting a URL with path traversal sequences (e.g., setup/../<admin-path>), an unauthenticated attacker can reach admin pages that require authentication, because the setup path prefix bypasses the authentication filter.

Once the attacker reaches the admin console without credentials, they can:

  1. Create a new admin account — using the user management page accessible via traversal
  2. Log in as the new admin — now authenticated with full privileges
  3. Upload a malicious Openfire plugin (JAR file) — the admin console's plugin management page allows uploading and activating custom plugins
  4. Achieve remote code execution — the malicious plugin runs server-side Java code with the privileges of the Openfire process

This three-step chain (path traversal → admin account creation → plugin RCE) is reliable, fully documented, and was weaponized in mass exploitation campaigns within weeks of CVE publication.

Discovery

The vulnerability was discovered by security researchers. The patch was released by Ignite Realtime before the CVE was widely publicized, but the public advisory and subsequent researcher analysis (notably VulnCheck's August 2023 post) triggered mass exploitation as attackers scanned for unpatched instances.

Exploitation Context

By August 2023, security researchers and VulnCheck observed thousands of compromised Openfire servers with web shell plugins installed, providing persistent backdoor access. The exploitation was broad and opportunistic — internet-connected Openfire servers without the May 2023 patch were mass-compromised within weeks of the VulnCheck writeup. CISA added CVE-2023-32315 to KEV on August 24, 2023, the same day as the WinRAR KEV addition, reflecting a period of active campaign activity.

Remediation

  1. Upgrade Openfire to 4.7.5 or 4.6.8 immediately — download from igniterealtime.org/downloads.
  2. Audit installed plugins — check the Openfire admin console Plugin Manager for any plugins not installed by your team; malicious plugins installed by attackers may have non-obvious names. Remove all unrecognized plugins.
  3. Check for unauthorized admin accounts — review the user list for accounts created without authorization.
  4. Restrict admin console access — limit network access to the Openfire admin console (default port 9090/9091) to trusted management hosts only.
  5. Review Openfire logs for evidence of the path traversal pattern (setup/../ in HTTP request logs) to determine whether exploitation occurred before patching.
  6. Rotate all credentials managed by the Openfire server if compromise is confirmed or suspected.
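To make the Technical Details concrete and to support step 5 above, here is an added Python example (not Openfire's own code) that contrasts a prefix check on the raw request path with the same check taken on the canonical path, then runs that contrast over constructed access-log lines; the "/setup/" prefix, the combined log format and the "admin-page.jsp" name are assumptions.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

SETUP_PREFIX = "/setup/"  # assumed setup-wizard prefix, not taken from Openfire source

def naive_is_setup_request(raw_path: str) -> bool:
    """Prefix check on the raw path (the pattern CWE-22 defeats): a path such as
    "/setup/../<admin-page>" passes because it literally starts with "/setup/"."""
    return raw_path.startswith(SETUP_PREFIX)

def canonical_path(raw_path: str) -> str:
    """Strip the query string, percent-decode twice (to cover double encoding),
    and collapse "." / ".." segments before any decision is made about the path."""
    decoded = unquote(unquote(raw_path.split("?", 1)[0]))
    return normpath(decoded)

def hardened_is_setup_request(raw_path: str) -> bool:
    """Same decision, taken on the canonical path: "/setup/../x" is seen as "/x"
    and is no longer treated as part of the setup wizard."""
    canon = canonical_path(raw_path)
    return canon == "/setup" or canon.startswith(SETUP_PREFIX)

# Request path and status code from a combined-format access log entry.
LOG_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/\d\.\d" (\d{3})')

def find_traversal_requests(log_lines):
    """Return (raw_path, canonical_path, status) for every request that the naive
    check accepts as a setup request but the hardened check rejects."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        raw_path, status = m.group(1), int(m.group(2))
        if naive_is_setup_request(raw_path) and not hardened_is_setup_request(raw_path):
            hits.append((raw_path, canonical_path(raw_path), status))
    return hits

# Constructed sample log lines; "admin-page.jsp" is a placeholder, not a real Openfire page.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Aug/2023:10:00:01 +0000] "GET /setup/index.jsp HTTP/1.1" 403 -',
    '203.0.113.7 - - [01/Aug/2023:10:00:05 +0000] "GET /setup/../admin-page.jsp HTTP/1.1" 200 -',
    '203.0.113.7 - - [01/Aug/2023:10:00:09 +0000] "GET /setup/%2e%2e/admin-page.jsp?x=1 HTTP/1.1" 200 -',
    '198.51.100.4 - - [01/Aug/2023:10:01:00 +0000] "GET /login.jsp HTTP/1.1" 200 -',
]

if __name__ == "__main__":
    for raw, canon, status in find_traversal_requests(SAMPLE_LOG):
        print(f"{status} {raw} -> {canon}")
```

A 200 status on a flagged line means the traversed request was served, which is the signal worth escalating; a 403 or 404 on the same pattern still indicates scanning.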

Key Details

Property              Value
CVE ID                CVE-2023-32315
Vendor / Product      Ignite Realtime — Openfire
NVD Published         2023-05-26
NVD Last Modified     2025-10-24
CVSS 3.1 Score        8.6
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Severity              HIGH
CWE                   CWE-22
CISA KEV Added        2023-08-24
CISA KEV Deadline     2023-09-14
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: Low
Availability: Low

Required Action

CISA BOD 22-01 Deadline: 2023-09-14. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2023-05-23  Openfire releases versions 4.7.5 and 4.6.8 patching CVE-2023-32315
2023-05-26  CVE published
2023-08-01  VulnCheck and other researchers document mass exploitation in the wild; web shells deployed on thousands of Openfire instances
2023-08-24  Added to CISA Known Exploited Vulnerabilities catalog
2023-09-14  CISA BOD 22-01 remediation deadline