CVE-2023-32315: Openfire Authentication Bypass Leading to RCE
A path traversal authentication bypass in the Openfire XMPP server admin console that allowed unauthenticated attackers to upload malicious plugins and execute arbitrary code — with over 3,000 servers compromised before most administrators were aware
CVE-2023-32315 is a path traversal authentication bypass vulnerability in the Openfire XMPP messaging server admin console, affecting versions 3.10.0 through 4.7.4 and patched in May 2023. By crafting a URL path that includes a traversal sequence targeting the setup wizard, an unauthenticated attacker can access the fully functional Openfire admin console and upload a malicious plugin — a standard Openfire extension mechanism — to execute arbitrary Java code on the server. VulnCheck reported over 3,000 Openfire servers compromised in active exploitation campaigns, with cryptomining and backdoor installation as primary observed payloads.
Root Cause: Setup Wizard URL Bypass
Openfire's admin console authentication filter blocks unauthenticated access to admin pages. However, the filter does not apply to the setup wizard URL paths — these are intended to be accessible before initial configuration is complete.
CVE-2023-32315 exploits this by accessing admin console pages via a URL that includes a traversal through the setup wizard path:
`/setup/setup-s/%u002e%u002e/%u002e%u002e/plugins/install-plugin-url.jsp`
The `%u002e` encoding of the period character (`.`) causes the path traversal to bypass the authentication filter's pattern matching, while the server-side URL processing resolves the actual target path to the plugin installation page. The attacker arrives at a fully functional admin console page without any authentication.
From Authentication Bypass to Remote Code Execution
Openfire's plugin system is the bridge from authentication bypass to code execution:
1. Openfire supports plugins as standard Java JAR files containing servlets
2. The admin console's plugin installation page allows uploading plugin JARs from a file or URL
3. Openfire automatically loads and executes newly installed plugins
4. A malicious plugin can contain any Java code — attacker executes OS commands, drops files, or establishes network connections
Public PoC exploit code, published within days of disclosure, included a pre-built malicious plugin JAR that instantiates a Java webshell callable via HTTP requests to the Openfire server.
Identify Internet-Facing Openfire Admin Console
Openfire admin console runs on port 9090 (HTTP) or 9091 (HTTPS) by default. Many deployments expose this port directly to the internet. Attackers identify targets via Shodan or direct scanning.
Authentication Bypass via Setup Wizard Path Traversal
A single HTTP request to the traversal URL targeting the plugin installation page is enough: the authentication filter is bypassed, and the attacker reaches the admin plugin upload functionality.
Malicious Plugin Upload
Upload a crafted Openfire plugin JAR containing a Java webshell servlet. The upload can be performed via file upload or by pointing the Openfire server to a URL hosting the malicious JAR.
Openfire Loads Plugin — Java Code Executes
Openfire's plugin system automatically loads the newly installed plugin, executing the malicious Java servlet with the privileges of the Openfire Java process.
Post-Exploitation: Cryptomining, Backdoor, or Lateral Movement
Observed campaigns deployed XMRig cryptominers, persistent Java backdoors, and credential harvesters. Where Openfire was integrated with Active Directory, the compromised server also provided internal network access that enabled lateral movement in some cases.
Scale of Exploitation
CVE-2023-32315 saw unusually rapid and broad exploitation:
- Public PoC code was available within days of the May 2023 disclosure
- VulnCheck scans identified over 3,000 compromised Openfire instances by July 2023 — servers with attacker-installed plugins visible via Shodan
- Multiple independent threat actor clusters exploited the vulnerability simultaneously
- Cryptomining was the most common observed payload, but espionage-focused actors also used the access for credential harvesting and internal network reconnaissance
The CVSS score of 7.5 somewhat understates the real-world risk — it reflects the requirement that the admin console be network-accessible, but does not fully capture the trivial exploit complexity (single HTTP request) and the immediate RCE outcome.
Detection
Indicators of CVE-2023-32315 exploitation:
| Indicator | Data source | Detection guidance |
|---|---|---|
| HTTP requests to /setup/setup-s/ paths containing encoded period characters (%u002e, %2e) in the URL targeting admin console pages | Web server access log — Openfire admin console (port 9090/9091) | The path traversal bypass has a distinctive URL structure; monitor admin console access logs for requests containing setup-s/ with traversal sequences |
| New plugin JAR files in the Openfire plugins directory not matching the standard Openfire plugin manifest | Filesystem — Openfire installation directory | Compare /opt/openfire/plugins/ (or equivalent) against known-good plugin list; attacker-installed plugins appear as unexpected JARs with unrecognized names |
| Openfire Java process spawning unexpected child processes (sh, bash, cmd.exe, curl, wget) | Process telemetry (EDR) | The Openfire JVM should not spawn interactive shell processes; any such parent-child relationship indicates plugin-based code execution |
| HTTP requests to unexpected servlet paths on the Openfire server coinciding with plugin installation events | Web server access log | Attacker-installed webshell plugins register new HTTP paths; new URL paths appearing in access logs after a plugin upload event indicate malicious plugin deployment |
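Detection logic for the access-log row of the table, as an added example that is not part of the original article: it parses a few constructed log lines, decodes both ordinary percent-encoding and the `%uXXXX` form the exploit relies on, and reports only those `setup-s/` requests whose normalized path escapes the setup wizard tree, together with the admin page they actually resolve to. It assumes the admin console log is in combined format and that decoding `%uXXXX` as a Unicode code point matches the server's own handling.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample lines in combined-log format (not real captures).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jun/2023:10:01:02 +0000] "GET /login.jsp HTTP/1.1" 200 1532
203.0.113.7 - - [12/Jun/2023:10:01:05 +0000] "GET /setup/setup-s/%u002e%u002e/%u002e%u002e/plugins/install-plugin-url.jsp HTTP/1.1" 200 4120
203.0.113.7 - - [12/Jun/2023:10:01:09 +0000] "POST /setup/setup-s/%u002e%u002e/%u002e%u002e/plugins/install-plugin-url.jsp HTTP/1.1" 200 311
198.51.100.3 - - [12/Jun/2023:10:02:00 +0000] "GET /setup/setup-s/..%2f..%2fplugins/plugin-admin.jsp HTTP/1.1" 200 2200
10.0.0.5 - - [12/Jun/2023:10:03:00 +0000] "GET /setup/setup-s/index.jsp HTTP/1.1" 200 900
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
UNICODE_ESC = re.compile(r'%u([0-9a-fA-F]{4})')

def normalize_path(raw):
    """Decode the non-standard %uXXXX form first (assumption: mirrors the server's
    decoder), then ordinary percent-decoding twice to catch double encoding."""
    path = UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), raw)
    return unquote(unquote(path))

def classify(raw_path):
    """Return the resolved admin path if this is a setup-s traversal, else None."""
    decoded = normalize_path(raw_path)
    if not decoded.lower().startswith('/setup/setup-s/') or '..' not in decoded:
        return None
    resolved = posixpath.normpath(decoded)
    # Only traversals that climb out of the setup wizard tree reach protected pages
    return None if resolved.lower().startswith('/setup/') else resolved

def find_bypass_attempts(log_text):
    """Scan log text and return one record per request that matches the bypass."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        target = classify(path)
        if target:
            hits.append({'ip': ip, 'time': ts, 'method': method,
                         'target': target, 'status': int(status)})
    return hits

if __name__ == '__main__':
    for h in find_bypass_attempts(SAMPLE_LOG):
        print(f"{h['time']} {h['ip']} {h['method']} -> {h['target']} ({h['status']})")
```

A POST to the resolved `install-plugin-url.jsp` page following a GET from the same source is the sequence to treat as a plugin upload attempt and correlate with new JARs in the plugins directory.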
Remediation
Steps in order of priority:
Upgrade to Openfire 4.7.5 or 4.6.8 (the patched releases)
The fix adds proper authentication enforcement for all admin console paths including setup wizard routes. Versions 4.7.5 (main branch) and 4.6.8 (legacy LTS branch) contain the patch. Verify your version in the admin console under Server → Server Information.
Immediately restrict admin console port access
Openfire's admin console (ports 9090/9091) should not be internet-accessible under any circumstances. Apply firewall rules immediately restricting access to the admin console to trusted management IP ranges only. This eliminates the attack surface even on unpatched versions.
Audit installed plugins for unauthorized entries
List all installed plugins in the admin console (Plugins → Installed) and compare against your expected plugin list. Remove any plugin you did not install or do not recognize. Examine the plugin files in the filesystem for suspicious content.
Check for and remove attacker-installed webshells
Search the Openfire plugin directory for recently created JAR files. Examine JAR contents using jar -tf for unexpected class files or servlets. Remove any suspicious plugins via the admin console and delete the JAR files from the filesystem.
Rotate Openfire service account credentials and audit XMPP user accounts
If compromise is suspected, rotate the credentials for the Openfire service account and any AD integration account. Audit XMPP user accounts for unauthorized additions or privilege changes — attackers may create persistent XMPP admin accounts.
The bottom line
CVE-2023-32315 is a reminder that messaging infrastructure is enterprise security-critical infrastructure. An Openfire server with an internet-accessible admin console and a trivially bypassed authentication check became a mass-exploitation target within days of disclosure — and over 3,000 servers were compromised before most administrators had applied the patch. The lesson is operational: any admin interface should be network-restricted by default, regardless of what authentication the application itself provides. Firewalls protecting admin ports are a defense-in-depth measure that can contain entire vulnerability classes before a patch is ever applied.
Frequently asked questions
What is CVE-2023-32315?
CVE-2023-32315 is a path traversal vulnerability in the Openfire XMPP server admin console that allows unauthenticated attackers to bypass the admin authentication filter by accessing setup wizard URLs. This gives access to admin console functionality including plugin upload, which attackers exploit to install malicious plugins containing arbitrary Java code.
What is Openfire and why is it a target?
Openfire is an open-source XMPP (Jabber) messaging server widely used in enterprise environments for internal instant messaging. It is often deployed on-premises and integrated with Active Directory for authentication. Compromising an Openfire server can expose internal communications, user credentials, and provide a foothold inside the corporate network.
How do attackers achieve RCE from an authentication bypass?
Once the authentication bypass gives unauthenticated access to the Openfire admin console, attackers upload a malicious Openfire plugin — a standard JAR file containing a Java servlet. Openfire loads and executes plugins automatically, running the malicious servlet code with the privileges of the Openfire Java process. This is effectively arbitrary Java code execution on the server.