Back to KEVs

CVE-2023-32315

Openfire administration console authentication bypass

Basic Information

CVE State
PUBLISHED
Reserved Date
May 08, 2023
Published Date
May 26, 2023
Last Updated
February 13, 2025
Vendor
igniterealtime
Product
Openfire
Description
Openfire is an XMPP server licensed under the Open Source Apache License. Openfire's administrative console, a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users. This vulnerability affects all versions of Openfire that have been released since April 2015, starting with version 3.10.0. The problem has been patched in Openfire release 4.7.5 and 4.6.8, and further improvements will be included in the yet-to-be released first version on the 4.8 branch (which is expected to be version 4.8.0). Users are advised to upgrade. If an Openfire upgrade isn’t available for a specific release, or isn’t quickly actionable, users may see the linked github advisory (GHSA-gw42-f939-fhvm) for mitigation advice.

CVSS Scores

CVSS v3.1

8.6 - HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

SSVC Information

Exploitation
active
Automatable
Yes
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (added 2023-08-24 00:00:00 UTC) Source
Proof of Concept Available
Yes (added 2025-01-30 17:47:29 UTC) Source

References

https://github.com/igniterealtime/Openfire/security/advisories/GHSA-gw42-f939-fhvm http://packetstormsecurity.com/files/173607/Openfire-Authentication-Bypass-Remote-Code-Execution.html

Known Exploited Vulnerability Information

Source Added Date
CISA 2023-08-24 00:00:00 UTC

Scanner Integrations

Scanner URL Date Detected
Metasploit https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/openfire_auth_bypass_rce_cve_2023_32315.rb 2025-04-29 11:01:22 UTC
Nuclei https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-32315.yaml 2025-04-26 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

openfire_auth_bypass_rce_cve_2023_32315

Type: metasploit • Created: Unknown

Metasploit module for CVE-2023-32315

asepsaepdin/CVE-2023-32315

Type: github • Created: 2025-01-30 17:47:29 UTC • Stars: 0

K3ysTr0K3R/CVE-2023-32315-EXPLOIT

Type: github • Created: 2023-12-15 16:30:51 UTC • Stars: 8

A PoC exploit for CVE-2023-32315 - Openfire Authentication Bypass

gibran-abdillah/CVE-2023-32315

Type: github • Created: 2023-08-31 08:43:44 UTC • Stars: 3

Tool for CVE-2023-32315 exploitation

izzz0/CVE-2023-32315-POC

Type: github • Created: 2023-07-07 07:48:24 UTC • Stars: 5

CVE-2023-32315-Openfire-Bypass

ThatNotEasy/CVE-2023-32315

Type: github • Created: 2023-07-02 20:38:14 UTC • Stars: 6

Perform With Massive Openfire Unauthenticated Users

miko550/CVE-2023-32315

Type: github • Created: 2023-06-18 15:42:00 UTC • Stars: 51

Openfire Console Authentication Bypass Vulnerability with RCE plugin

5rGJ5aCh5oCq5YW9/CVE-2023-32315exp

Type: github • Created: 2023-06-15 01:11:56 UTC • Stars: 2

tangxiaofeng7/CVE-2023-32315-Openfire-Bypass

Type: github • Created: 2023-06-14 09:43:31 UTC • Stars: 134

rce