August 23, 2023 By Bill Toulas
Thousands of Openfire servers remain vulnerable to CVE-2023-32315, an actively exploited path traversal vulnerability that allows an unauthenticated user to create new admin accounts.
Openfire is a widely used Java-based open-source chat (XMPP) server downloaded 9 million times.
On May 23, 2023, it was disclosed that the software was impacted by an authentication bypass issue affecting every version from 3.10.0, released in April 2015, up to that point.
Openfire developers released security updates in versions 4.6.8, 4.7.5, and 4.8.0 to address the issue. Still, in June, it was reported [1, 2] that the flaw was actively exploited to create admin users and upload malicious plugins on unpatched servers.
As highlighted in a report by VulnCheck vulnerability researcher Jacob Baines, the Openfire community has not rushed to apply the security updates, with over 3,000 servers remaining vulnerable.
To make matters worse, Baines says there's a way to exploit the flaw and upload plugins without creating an admin account, making it far more inviting and less noisy for cybercriminals.