CVE-2023-32315
published 2023-05-26


Priority: P1 (92)
CVSS 3.1 base score: 7.5 (High); vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Tags: KEV, exploited in the wild, exploit available, ransomware, initial access
CISA Known Exploited Vulnerability: remediation due 2023-09-14
EPSS: 100.00% (100.0th percentile)
Openfire is an XMPP server licensed under the Open Source Apache License. Openfire's administrative console, a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users. This vulnerability affects all versions of Openfire that have been released since April 2015, starting with version 3.10.0. The problem has been patched in Openfire releases 4.7.5 and 4.6.8, and further improvements will be included in the yet-to-be-released first version on the 4.8 branch (which is expected to be version 4.8.0). Users are advised to upgrade. If an Openfire upgrade isn't available for a specific release, or isn't quickly actionable, users may see the linked GitHub advisory (GHSA-gw42-f939-fhvm) for mitigation advice.

Affected (4 ranges)

Vendor          Product   Version range        Fixed in
igniterealtime  openfire  -                    -
igniterealtime  openfire  -                    -
igniterealtime  openfire  >= 3.10.0, < 4.6.8   4.6.8
igniterealtime  openfire  >= 4.7.0, < 4.7.5    4.7.5

Detection & IOCs (extracted from sources)

filename: helloworld-openfire-plugin-assembly.jar
filename: bookmarks-openfire-plugin-assembly.jar
filename: plugin.jar
other: .locked1
hash: 1bf1efeadedf52c0ed50941b10a2f468
hash: a7bee104bb486ad0f10331233cc9a9f1
hash: 0dc2c71ce9c6c34668e9636abf61b1ae
other: Update service for Windows Service
other: 4ASk4RhUyLL7sxE9cPyBiXb82ofekJg2SKiv4MKtCbzwHHLQxVVfVr4D4xhQHyyMTieSM5VUFGR9jZVR5gp6sa1Q2p8SahC
hash: ff1706b37fea16d75b739a5396d9ffba
  • Attackers exploit CVE-2023-32315 to create a new admin user named 'OpenfireSupport' — monitor Openfire admin console for unexpected new admin account creation.
  • Post-exploitation involves installing malicious JAR plugins via the Openfire admin console that execute commands received via GET and POST HTTP requests — monitor for unexpected JAR plugin uploads to Openfire.
  • Files encrypted by the ransomware leveraging CVE-2023-32315 receive the .locked1 extension — hunt for mass file extension changes to .locked1 on Openfire server paths such as /opt/openfire.
  • Earth Krahang APT exploits CVE-2023-32315 for initial access to government servers, then deploys webshells — monitor for webshell artifacts and anomalous Openfire admin console access from external IPs.
  • CVE-2023-32315 affects all Openfire versions from 3.10.0 (April 2015) through 4.6.7 and 4.7.0–4.7.4; patched versions are 4.6.8, 4.7.5, and 4.8.0 — over 3,000 servers were still unpatched as of mid-August 2023.
  • The vulnerability is exploitable via the unauthenticated Openfire Setup Environment path even on already-configured instances, meaning network-level blocking of the admin console alone may be insufficient if the setup path is accessible.
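A small triage script for this CVE, added here as an example and not part of the record or the Openfire project: it checks a version string against the affected ranges in the table above and hunts a constructed file inventory for the plugin-directory JARs and .locked1 renames that the detection notes describe. The plugin baseline (KNOWN_PLUGINS) and the sample paths are assumptions, not data from the page.

```python
# Triage helpers for CVE-2023-32315 on an Openfire host. Added example, not code
# from the advisory or the Openfire project: it encodes the affected version
# ranges listed above and hunts a constructed file inventory for the artefacts
# the detection notes describe (unexpected plugin JARs, .locked1 renames).

# Affected ranges from the advisory table: >= 3.10.0 < 4.6.8 and >= 4.7.0 < 4.7.5.
AFFECTED_RANGES = [((3, 10, 0), (4, 6, 8)), ((4, 7, 0), (4, 7, 5))]

# Plugins this deployment is known to run: an assumed baseline, not from the page.
KNOWN_PLUGINS = {"search.jar", "monitoring.jar"}
PLUGIN_DIR = "/opt/openfire/plugins/"  # default install path cited in the notes

def parse_version(text):
    """'4.7.4' -> (4, 7, 4); a short string such as '4.8' is padded with zeros."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def is_affected(version):
    """True when the version falls inside either unpatched range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)

def unexpected_plugins(paths):
    """JARs in the plugin directory that are not on the operator's baseline."""
    hits = [p for p in paths
            if p.startswith(PLUGIN_DIR) and p.endswith(".jar")
            and p[len(PLUGIN_DIR):] not in KNOWN_PLUGINS]
    return sorted(hits)

def locked1_files(paths):
    """Count files carrying the ransomware's .locked1 extension."""
    return sum(1 for p in paths if p.endswith(".locked1"))

# Constructed inventory for demonstration; not taken from a real host.
SAMPLE_PATHS = [
    "/opt/openfire/plugins/search.jar",
    "/opt/openfire/plugins/plugin.jar",
    "/opt/openfire/plugins/helloworld-openfire-plugin-assembly.jar",
    "/opt/openfire/conf/openfire.xml.locked1",
    "/opt/openfire/embedded-db/openfire.script.locked1",
    "/opt/openfire/logs/all.log",
]

if __name__ == "__main__":
    for ver in ("4.6.7", "4.6.8", "4.7.4", "4.7.5", "4.8.0"):
        print(ver, "affected" if is_affected(ver) else "patched")
    print("unexpected plugins:", unexpected_plugins(SAMPLE_PATHS))
    print(".locked1 files:", locked1_files(SAMPLE_PATHS))
```

On a live host, feed `unexpected_plugins` and `locked1_files` the output of a recursive directory walk under the install root rather than the constructed list.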

CVSS provenance

NVD (CVSS v3.1): 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
VulnCheck: 8.6 HIGH
CISA: 7.5 HIGH