CVE-2023-32315
Published 2023-05-26
Priority P1 (92) · Severity high · CVSS 3.1 base score 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Tags: KEV · ITW · Exploit · Ransomware · Initial access
CISA Known Exploited Vulnerability (remediation due 2023-09-14)
Exploited in the wild
EPSS: 100.00% (100.0th percentile)
Openfire is an XMPP server licensed under the Open Source Apache License. Openfire's administrative console, a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users. This vulnerability affects all versions of Openfire that have been released since April 2015, starting with version 3.10.0. The problem has been patched in Openfire release 4.7.5 and 4.6.8, and further improvements will be included in the yet-to-be released first version on the 4.8 branch (which is expected to be version 4.8.0). Users are advised to upgrade. If an Openfire upgrade isn’t available for a specific release, or isn’t quickly actionable, users may see the linked github advisory (GHSA-gw42-f939-fhvm) for mitigation advice.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| igniterealtime | openfire | — | — |
| igniterealtime | openfire | — | — |
| igniterealtime | openfire | >= 3.10.0 < 4.6.8 | 4.6.8 |
| igniterealtime | openfire | >= 4.7.0 < 4.7.5 | 4.7.5 |
Detection & IOCs (extracted from sources)
- Attackers exploiting CVE-2023-32315 have created a new admin user named 'OpenfireSupport'; monitor the Openfire admin console for unexpected new admin accounts.
- Post-exploitation involves installing malicious JAR plugins via the Openfire admin console that execute commands received via GET and POST HTTP requests; monitor for unexpected JAR plugin uploads to Openfire.
- Files encrypted by the ransomware leveraging CVE-2023-32315 receive the .locked1 extension; hunt for mass file-extension changes to .locked1 under Openfire server paths such as /opt/openfire.
- Earth Krahang APT exploits CVE-2023-32315 for initial access to government servers, then deploys webshells; monitor for webshell artifacts and anomalous Openfire admin console access from external IPs.
- CVE-2023-32315 affects all Openfire versions from 3.10.0 (April 2015) through 4.6.7 and 4.7.0 through 4.7.4; patched versions are 4.6.8, 4.7.5 and 4.8.0. Over 3,000 servers were still unpatched as of mid-August 2023.
- The vulnerability is exploitable via the unauthenticated Openfire Setup Environment path even on already-configured instances, so network-level blocking of the admin console alone may be insufficient if the setup path remains reachable.
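As an added example (not code from this page or from any of the sources it cites), the following Python scans constructed web-server access-log lines for the pattern described above: a request that enters through the unauthenticated /setup/ path but, once %uXXXX and %XX escapes are decoded, resolves to an admin-console page outside it. It generalises the page's Suricata rule, which matches only the literal %u002e spelling, by normalising the path first; the log lines, IP addresses and parameter values are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (common log format); none are from a real server.
# Line 2 mirrors the URI shape the page's Suricata rule matches; line 4 uses the
# plain %2e encoding, which the rule's literal content match would not catch.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Aug/2023:10:01:02 +0000] "GET /login.jsp HTTP/1.1" 200 512
203.0.113.7 - - [15/Aug/2023:10:02:10 +0000] "GET /setup/setup-s/%u002e%u002e/%u002e%u002e/user-create.jsp?csrf=x&username=OpenfireSupport&password=x&passwordConfirm=x&isadmin=on HTTP/1.1" 200 1034
203.0.113.7 - - [15/Aug/2023:10:02:11 +0000] "GET /setup/setup-s/../../plugin-admin.jsp HTTP/1.1" 200 2210
198.51.100.9 - - [15/Aug/2023:10:03:00 +0000] "GET /setup/setup-s/%2e%2e/%2e%2e/login.jsp HTTP/1.1" 200 700
203.0.113.9 - - [15/Aug/2023:10:05:00 +0000] "GET /setup/index.jsp HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_target(target: str) -> str:
    """Decode %uXXXX escapes (the encoding in the page's Suricata rule) and then
    ordinary %XX escapes, so every spelling of '..' compares equal."""
    s = re.sub(r'%u([0-9a-fA-F]{4})', lambda m: chr(int(m.group(1), 16)), target)
    return unquote(s)


def normalize_path(path: str) -> str:
    """Collapse '.' and '..' segments the way a servlet container resolves them."""
    out = []
    for seg in path.split('/'):
        if seg in ('', '.'):
            continue
        if seg == '..':
            if out:
                out.pop()
            continue
        out.append(seg)
    return '/' + '/'.join(out)


def classify(ip: str, ts: str, target: str, status: str):
    """Return a finding when a request enters via /setup/ but resolves outside it."""
    decoded = decode_target(target)
    parts = urlsplit(decoded)
    if not parts.path.startswith('/setup/'):
        return None
    resolved = normalize_path(parts.path)
    if resolved.startswith('/setup/'):
        return None  # stayed inside the setup environment: expected traffic
    query = parse_qs(parts.query)
    return {
        'ip': ip, 'time': ts, 'status': status,
        'resolved': resolved,
        # user-create.jsp with isadmin set is the admin-account creation the IOC list describes
        'creates_admin': resolved.endswith('user-create.jsp') and 'isadmin' in query,
        'username': query.get('username', [None])[0],
        # plugin-admin.jsp is where the malicious JAR plugins are uploaded post-exploitation
        'plugin_page': resolved.endswith('plugin-admin.jsp'),
    }


def scan_log(text: str) -> list:
    """Run classify() over every parseable line and return the findings in order."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        f = classify(m['ip'], m['ts'], m['target'], m['status'])
        if f:
            findings.append(f)
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        tag = 'ADMIN-CREATE' if f['creates_admin'] else ('PLUGIN-PAGE' if f['plugin_page'] else 'TRAVERSAL')
        print(f"{f['time']} {f['ip']} {tag} -> {f['resolved']} user={f['username']} status={f['status']}")
```

A 200 status on the flagged user-create.jsp request is the strongest signal; on a patched server the traversal no longer reaches the admin page.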
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| vulncheck | — | 8.6 | HIGH | — |
| cisa | — | 7.5 | HIGH | — |
OSV
osv · 2023-05-23 · CVE-2023-32315 [HIGH]
Administration Console authentication bypass in openfire xmppserver
An important security issue affects a range of versions of Openfire, the cross-platform real-time collaboration server based on the XMPP protocol that is created by the Ignite Realtime community.
### Impact
Openfire's administrative console (the Admin Console), a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users.
### Cause
Path traversal protections were already in place to protect against exactly this kind of attack, but didn’t defend again
GHSA
ghsa · 2023-05-23 · CVE-2023-32315 [HIGH] · CWE-22
Administration Console authentication bypass in openfire xmppserver (advisory text as in the OSV entry)
VulnCheck
vulncheck · 2023 · CVSS 8.6 · CVE-2023-32315 [HIGH] · CWE-22
Ignite Realtime Openfire Path Traversal Vulnerability
Ignite Realtime Openfire contains a path traversal vulnerability that allows an unauthenticated attacker to access restricted pages in the Openfire Admin Console reserved for administrative users.
Affected: Ignite Realtime Openfire
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References:
- https://discourse.igniterealtime.org/uploads/default/original/2X/0/0dbc4f0dafc32fdc198453d385f85af329b1f703.png
- https://www.surevine.com/openfire-cve-2023-32315-what-we-know/
- https://discourse.igniterealtime.org/t/cve-2023-32315-openfire-administration-console-authentication-bypass/92869/15
- https://vulncheck.com/blog/
CISA
cisa · 2023-08-24 · CVSS 7.5 · CVE-2023-32315 [HIGH] · CWE-22
Ignite Realtime Openfire Path Traversal Vulnerability
Affected: Ignite Realtime Openfire
Ignite Realtime Openfire contains a path traversal vulnerability that allows an unauthenticated attacker to access restricted pages in the Openfire Admin Console reserved for administrative users.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://www.igniterealtime.org/downloads/#openfire; https://nvd.nist.gov/vuln/detail/CVE-2023-32315
Remediation Due Date: 2023-09-14
Suricata
suricata · 2023-08-31 · CVSS 8.6 · CVE-2023-32315 [HIGH]
ET WEB_SPECIFIC_APPS Openfire Authentication Bypass With RCE (CVE-2023-32315)
Rule: alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SPECIFIC_APPS Openfire Authentication Bypass With RCE (CVE-2023-32315)"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"/setup/setup-s/%u002e%u002e/%u002e%u002e/user-create.jsp"; content:"csrf="; content:"username="; content:"password="; content:"passwordConfirm="; content:"isadmin=on"; fast_pattern; reference:url,blog.aquasec.com/kinsing-malware-exploits-novel-openfire-vulnerability; reference:url,github.com/miko550/CVE-2023-32315/blob/main/CVE-2023-32315.py; reference:cve,2023-32315; reference:url,nvd.nist.gov/vuln/detail/CVE-2023-32315; reference:url,packetstormsecurity.com/files/173607/Openfire-Authenticati
Metasploit
metasploit
Openfire authentication bypass with RCE plugin
Openfire is an XMPP server licensed under the Open Source Apache License. Openfire's administrative console, a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users. This module will use the vulnerability to create a new admin user that will be used to upload an Openfire management plugin weaponised with a Java native payload that triggers an RCE. This vulnerability affects all versions of Openfire that have been released since April 2015, starting with version 3.10.0. T
Nuclei
nuclei · CVSS 7.5 · CVE-2023-32315 [HIGH]
Openfire Administration Console - Authentication Bypass
Openfire is an XMPP server licensed under the Open Source Apache License. Openfire's administrative console, a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users. This vulnerability affects all versions of Openfire that have been released since April 2015, starting with version 3.10.0.
Template:
id: CVE-2023-32315
info:
  name: Openfire Administration Console - Authentication Bypass
  author: vsh00t
  severity: high
  description: |
    Openfire is an XMPP server l
Hackernews
blogs_hackernews · 2026-06-26 · CVSS 9.8 · CVE-2021-26855 [CRITICAL]
New SharkLoader Malware Deploys Cobalt Strike in StrikeShark Cyberattacks
A newly discovered cyber attack campaign has been observed delivering a previously undocumented malware family called SharkLoader that acts as a loader for deploying Cobalt Strike Beacon on compromised hosts.
Kaspersky, which is tracking the activity under the moniker StrikeShark, said the campaign has targeted a diplomatic organization in Indonesia, government organizations in Taiwan, software development companies across multiple countries, and entities associated with other sectors located in Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Ne
Securelist
blogs_securelist · 2026-06-24 · CVE-2021-26855
StrikeShark: investigating a new campaign delivering Cobalt Strike through SharkLoader
By Fareed Radzi
## Introduction
During our research of activity affecting a diplomatic organization in Indonesia, we uncovered a previo
Fortinet
blogs_fortinet · 2025-07-16 · FortiGuard Labs Threat Research
Old Miner, New Tricks: H2miner Resurfaces with Lcrypt0rx Ransomware
By Akshat Pradhan | July 16, 2025
Affected Platforms: Linux, Windows, Containers
Impacted Users: Any Organization
Impact: Data Encrypted for Impact, Compute Hijacking, Defacement, Sensitive data stolen.
Severity Level: Critical
The FortiCNAPP team, part of FortiGuard Labs, recently investigated a cluster of virtual private servers (VPS) used for Monero mining. The i
Bleepingcomputer
blogs_bleepingcomputer · 2025-02-12
BadPilot network hacking campaign fuels Russian SandWorm attacks
By Bill Toulas
A subgroup of the Russian state-sponsored hacking group APT44, also known as 'Seashell Blizzard' and 'Sandworm', has been targeting critical organizations and governments in a multi-year campaign dubbed 'BadPilot.'
The threat actor has been active since at least 2021 and is also responsible for breaching networks of organizations in energy, oil and gas, telecommunications, shipping, and arms manufacturing sectors.
Microsoft's Threat Intelligence team says that the actor is dedicated to achieving initial access to target systems, establishing persistence, and maintaining presence to allow other APT44 subgroups with post-compromise expertise to take over.
"We have also observed the initial access subgroup
Trendmicro
blogs_trendmicro · 2024-03-18 · CVSS 9.8 · [CRITICAL] · APT & Targeted Attacks
Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks
By Joseph C Chen, Daniel Lunghi, 2024/03/18
Since early 2022, we have been monitoring an APT campaign that targets several government entities worldwide, with a strong focus in Southeast Asia, but also seen targeting Europe, America, and Africa.
One of the infection vectors used involves the scanning of public-facing servers. Earth Krahang heavily employs open-source scanning tools that perform recursive searches of folders such as .git or .idea. The threat actor also resorts to simply brute-forcing directories to help identify files that may contain sensitive information such as file paths or passwords on the victim's servers. They also tend t
Trendmicro
blogs_trendmicro · 2024-03-18 · APT & Targeted Attacks
Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks
By Joseph C Chen, Daniel Lunghi, 2024/03/18
## Introduction
Since early 2022, we have been monitoring an APT campaign that targets several government entities worldwide, with a strong focus in Southeast Asia, but also seen targeting Europe, America, and Africa. The threat actor exploits public-facing servers and sends spear phishing emails to deliver previously unseen backdoors.
Our research allowed us to identify the campaign’s multiple connect
Bleepingcomputer
blogs_bleepingcomputer · 2024-03-18 · CVSS 9.8 · [CRITICAL]
Chinese Earth Krahang hackers breach 70 orgs in 23 countries
By Bill Toulas
A sophisticated hacking campaign attributed to a Chinese Advanced Persistent Threat (APT) group known as 'Earth Krahang' has breached 70 organizations and targeted at least 116 across 45 countries.
According to Trend Micro researchers monitoring the activity, the campaign has been underway since early 2022 and focuses primarily on government organizations.
Specifically, the hackers have compromised 48 government organizations, 10 of which are Foreign Affairs ministries, and targeted another 49 government agencies.
The attackers exploit vulnerable internet-facing servers and use spear-phishing emails to deploy custom backdoors for cyberespionage.
Earth Krahang abuses its presence on breached government infr
Securelist
blogs_securelist · 2023-12-01
PC malware statistics, Q3 2023
Table of Contents
- Quarterly figures
- Financial threats
- Ransomware programs
- Miners
- Vulnerable applications used in cyberattacks
- Attacks on macOS
- IoT attacks
- Attacks on IoT honeypots
- Attacks via web resources
- Local threats
Authors: AMR
These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data.
## Quarterly figures
According to Kaspersky Security Network, in Q3 2023:
- Kaspersky solutions blocked 694,400,301 attacks from online resources across the globe.
- A total of 169,194,807 unique links were recognized as malicious by Web Anti-Virus
Securelist
blogs_securelist · 2023-12-01
IT threat evolution in Q3 2023. Non-mobile statistics
Bleepingcomputer
blogs_bleepingcomputer · 2023-09-26 · CVSS 8.6 · CVE-2023-32315 [HIGH]
Hackers actively exploiting Openfire flaw to encrypt servers
By Bill Toulas
Hackers are actively exploiting a high-severity vulnerability in Openfire messaging servers to encrypt servers with ransomware and deploy cryptominers.
Openfire is a widely used Java-based open-source chat (XMPP) server downloaded 9 million times and used extensively for secure, multi-platform chat communications.
The flaw, tracked as CVE-2023-32315, is an authentication bypass impacting Openfire's administration console, allowing unauthenticated attackers to create new admin accounts on vulnerable servers.
Using those accounts, the attackers install malicious Java plugins (JAR files) that execute commands received via GET and POST HTTP requests.
This dangerous flaw impacts all Openfire versions from 3.10
Greynoiseio
blogs_greynoiseio
Data Science-Fueled Tagging From GreyNoise Last Week
Wiz
blogs_wiz · CVSS 5.1 · CVE-2020-36956 [MEDIUM]
CVE-2020-36956: Openfire vulnerability analysis and mitigation
Openfire 4.6.0 contains a stored cross-site scripting vulnerability in the nodejs plugin that allows attackers to inject malicious scripts through the 'path' parameter. Attackers can craft a payload with script tags to execute arbitrary JavaScript in the context of administrative users viewing the nodejs configuration page.
Source: NVD
| Field | Value |
|---|---|
| Score (CNA) | 5.1 |
| Published | January 26, 2026 |
| Severity | MEDIUM |
| Has Public Exploit | Yes |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| EPSS percentile | 3.1 |
| EPSS probability | N/A |
| Affected packages and libraries | cpe:2.3:a:igniterealtime:openfire |
| Sources | NVD |
CTF
ctf_writeups · HTB - Machines / SolarLab
# SolarLab
## Introduction
I have found inspiration in my real-world engagements however I decided to make some steps more difficult otherwise they would've been considered unrealistic/boring for a HTB machine. Players will encounter an internal employee portal for which they will find credentials on an open SMB share. This portal allows employees to generate PDFs which turns out are created with the python library ReportLab which has a version vulnerable to RCE via code injection. After getting a foothold, they will exploit an Authentication Bypass in Openfire to create an admin account and upload a .jar plugin to get RCE as user openfire and decrypt the original administrator password from the embedded database. This is a box relying on strong enumeration, attention to detail and minor
CTF
ctf_writeups · README
# CTF Writeups
Welcome to my CTF Writeups repository! Here, I document the solutions and methodologies used to solve various Capture The Flag (CTF) challenges. This repository is intended to serve as a learning resource for others interested in cybersecurity and CTF competitions.
Capture The Flag (CTF) competitions are a popular way to practice and improve cybersecurity skills. These competitions present various challenges that require problem-solving, creativity, and technical knowledge.
## Writeups
The writeups in this repository (located in the "writeups" folder) are categorised based on the nature of the challenge. Each writeup provides step-by-step solutions, along with explanations of the tools and techniques used. The difficulty rating associated with each challenge matches the dif
References:
- http://packetstormsecurity.com/files/173607/Openfire-Authentication-Bypass-Remote-Code-Execution.html
- https://github.com/igniterealtime/Openfire/security/advisories/GHSA-gw42-f939-fhvm
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-32315
Timeline:
- Published: 2023-05-26
- Added to CISA KEV: 2023-08-24
- Exploited in the wild