Security News > 2023 > August > Over 3,000 Openfire servers vulnerable to takeover attacks
Thousands of Openfire servers remain vulnerable to CVE-2023-32315, an actively exploited path traversal vulnerability that allows an unauthenticated user to create new admin accounts.
Still, in June, it was reported [1, 2] that the flaw was actively exploited to create admin users and upload malicious plugins on unpatched servers.
As highlighted in a report by VulnCheck vulnerability researcher Jacob Baines, the Openfire community has not rushed to apply the security updates, with over 3,000 servers remaining vulnerable.
A better PoC
Current public exploits for CVE-2023-32315 rely on creating an admin user to allow the attackers to upload malicious Java JAR plugins that open reverse shells or execute commands on the compromised servers.
Real-world exploitation examples include the threat actors behind the Kinsing crypto-miner botnet, who exploit the vulnerability to install a custom-crafted Openfire plugin that initiates a reverse shell on the vulnerable server.
Admins of Openfire servers who have not upgraded to a patched release are urged to do so as soon as possible.
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-05-26 | CVE-2023-32315 | Path Traversal vulnerability in Igniterealtime Openfire. Openfire is an XMPP server licensed under the Open Source Apache License. | 7.5 |