The Cyber Security News

Latest Cyber Security News

Header Right

  • Latest News
  • Vulnerabilities
  • Cloud Services
thousands of unpatched openfire xmpp servers still exposed to high severity

Thousands of Unpatched Openfire XMPP Servers Still Exposed to High-Severity Flaw

August 24, 2023

Thousands of Openfire XMPP servers remain unpatched against a recently disclosed high-severity flaw and are susceptible to a new exploit, according to a report from VulnCheck.

Tracked as CVE-2023-32315 (CVSS score: 7.5), the vulnerability is a path traversal flaw in Openfire’s administrative console that could allow an unauthenticated attacker to access otherwise restricted pages reserved for privileged users.

It affects all versions of the software released since April 2015, starting with version 3.10.0. It was remediated by its developer, Ignite Realtime, earlier this May with the release of versions 4.6.8, 4.7.5, and 4.8.0.
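The affected range above (3.10.0 onward, fixed in 4.6.8, 4.7.5 and 4.8.0) is easy to get wrong when triaging a fleet, because branches older than 4.6 never received a fix while anything after 4.8.0 includes it. The following is an added example, not code from the article, VulnCheck or Ignite Realtime: it encodes exactly those version facts and classifies a list of constructed banner lines (the "host:port Openfire x.y.z" format and the RFC 5737 addresses are assumptions for the example).

```python
import re
from collections import Counter

# Version facts from the article: everything from 3.10.0 (April 2015) onward is
# affected; Ignite Realtime shipped fixes in 4.6.8, 4.7.5 and 4.8.0.
FIRST_AFFECTED = (3, 10, 0)
FIXED_IN_BRANCH = {(4, 6): (4, 6, 8), (4, 7): (4, 7, 5), (4, 8): (4, 8, 0)}

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Pull the first x.y[.z] version out of a banner string; None if absent."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable(version):
    """True if this Openfire version lacks the CVE-2023-32315 fix."""
    if version < FIRST_AFFECTED:
        return False  # predates the bug entirely
    branch = version[:2]
    if branch in FIXED_IN_BRANCH:
        return version < FIXED_IN_BRANCH[branch]
    # Branches older than 4.6 never got a patch; branches newer than 4.8 were
    # cut after the fix and include it.
    return branch < (4, 6)


def triage(banners):
    """Classify 'host:port Openfire x.y.z' banner lines.

    Returns (findings, summary): findings maps host -> status and summary
    counts hosts per status.
    """
    findings = {}
    for line in banners:
        host, _, rest = line.partition(" ")
        v = parse_version(rest)
        if v is None:
            findings[host] = "unknown-version"
        elif is_vulnerable(v):
            findings[host] = "vulnerable"
        else:
            findings[host] = "patched"
    return findings, Counter(findings.values())


# Constructed sample banners (RFC 5737 documentation addresses, not real hosts).
SAMPLE_BANNERS = [
    "192.0.2.10:9090 Openfire 4.6.4",
    "192.0.2.11:9090 Openfire 4.7.5",
    "192.0.2.12:9090 Openfire 3.9.3",
    "192.0.2.13:9090 Openfire 4.5.6",
    "192.0.2.14:9090 Openfire 4.8.1",
    "192.0.2.15:9090 Openfire",
]

if __name__ == "__main__":
    findings, summary = triage(SAMPLE_BANNERS)
    for host, status in findings.items():
        print(f"{host:<20} {status}")
    print(dict(summary))
```

Hosts whose banner carries no version are reported separately rather than guessed at; in practice those need an authenticated check against the server itself.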

“Path traversal protections were already in place to protect against exactly this kind of attack, but did not defend against certain non-standard URL encoding for UTF-16 characters that were not supported by the embedded web server that was in use at the time,” the maintainers said in a detailed advisory.

“A later upgrade of the embedded web server included support for non-standard URL encoding of UTF-16 characters. The path traversal protections in place in Openfire were not updated to include protection against this new encoding.”

As a result, a threat actor could abuse this weakness to bypass authentication requirements for admin console pages. The vulnerability has since come under active exploitation in the wild, including by attackers associated with the Kinsing (aka Money Libra) crypto botnet malware.
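The advisory quoted above pins the root cause on a decoding mismatch: the traversal check normalized standard %XX escapes, but the newer embedded server also accepted a non-standard %uXXXX form for UTF-16 code units, so a path could decode to ".." after the check had already passed it. A detection rule therefore has to decode the same way the server does before looking for traversal. The following is an added example, not code from the article or from VulnCheck: it decodes both escape forms (repeatedly, to catch double encoding) and flags admin-console requests in a few constructed Jetty-style access-log lines. The log format, the request paths and the IP addresses are assumptions for the example; only the "plugin-admin.jsp" page name comes from the article.

```python
import re
from urllib.parse import unquote

# NCSA-style access-log line of the kind an embedded Jetty server can write.
# The exact format is an assumption for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
# Non-standard %uXXXX escape of a UTF-16 code unit: accepted by the upgraded
# web server but not normalized by Openfire's original traversal check.
UTF16_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})")


def decode_path(raw, max_rounds=3):
    """Expand %uXXXX and %XX escapes until the path stops changing."""
    current = raw
    for _ in range(max_rounds):
        decoded = UTF16_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), current)
        decoded = unquote(decoded)
        if decoded == current:
            break
        current = decoded
    return current


def has_traversal(raw_path):
    """True if the fully decoded path contains a '..' segment."""
    path = decode_path(raw_path).split("?", 1)[0]
    return ".." in path.replace("\\", "/").split("/")


def scan_access_log(lines):
    """One finding per request that traverses after decoding or uses %u escapes."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        raw = m.group("path")
        reasons = []
        if has_traversal(raw):
            reasons.append("dot-dot traversal after decoding")
        if UTF16_ESCAPE.search(raw):
            reasons.append("non-standard %uXXXX encoding")
        if reasons:
            findings.append({
                "ip": m.group("ip"),
                "path": raw,
                "decoded": decode_path(raw),
                "status": int(m.group("status")),
                "reasons": reasons,
            })
    return findings


# Constructed sample log (RFC 5737 addresses; paths invented for the example).
SAMPLE_LOG = [
    '198.51.100.7 - - [24/Aug/2023:10:15:01 +0000] "GET /login.jsp HTTP/1.1" 200 1532',
    '198.51.100.7 - - [24/Aug/2023:10:15:02 +0000] "GET /images/%u002e%u002e/plugin-admin.jsp HTTP/1.1" 200 8812',
    '203.0.113.9 - - [24/Aug/2023:10:16:40 +0000] "GET /images/..%2f..%2flog.jsp HTTP/1.1" 403 0',
    '192.0.2.44 - - [24/Aug/2023:10:17:00 +0000] "POST /plugin-admin.jsp HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f["ip"], f["status"], f["decoded"], "|", "; ".join(f["reasons"]))
```

The status code is kept in each finding on purpose: a 200 on a traversing request to an admin page is the case that matters, while a 403 shows the original protection doing its job.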

A Shodan scan conducted by the cybersecurity firm reveals that of more than 6,300 Openfire servers accessible over the internet, roughly 50% are running affected versions of the open-source XMPP solution.

[Image: Openfire XMPP Servers]

While public exploits have leveraged the vulnerability to create an administrative user, log in, and then upload a plugin to achieve code execution, VulnCheck said it is possible to do so without having to create an admin account, making it stealthier and more appealing to threat actors.

Elaborating on the modus operandi of the existing exploits, security researcher Jacob Baines said they involve “creating an admin user to gain access to the Openfire Plugins interface.”

“The plugin system allows administrators to add, more or less, arbitrary functionality to Openfire via uploaded Java JARs. This is, quite obviously, a place to transition from authentication bypass to remote code execution.”

The improved, less noisy method devised by VulnCheck, on the other hand, uses a user-less approach that extracts the JSESSIONID and CSRF token by accessing a page called ‘plugin-admin.jsp’ and then uploads the JAR plugin via a POST request.

“Without authentication, the plugin is accepted and installed,” Baines said. “The web shell can then be accessed, without authentication, using the traversal.”

“This approach keeps login attempts out of the security audit log and prevents the ‘uploaded plugin’ notification from being recorded. That is a pretty big deal since it leaves no evidence in the security audit log.”

The only tell-tale signs that something malicious is afoot are the logs captured in the openfire.log file, which an adversary could delete using CVE-2023-32315, the company said.
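Because the user-less technique leaves nothing in the security audit log and the remaining trace in openfire.log can itself be removed, the dependable evidence is the artifact the attack cannot avoid creating: a new JAR in the plugins directory. A periodic baseline of that directory, kept and compared outside the Openfire process, catches it regardless of what the application logs. The following is an added example, not code from the article or from VulnCheck: it hashes every JAR in a directory, diffs two snapshots, and runs the whole scenario in a temporary directory with constructed placeholder JARs (the file names and contents are invented; in a real deployment the directory would be Openfire's plugins folder).

```python
import hashlib
import json
import tempfile
from pathlib import Path


def snapshot_plugins(plugins_dir):
    """Map each *.jar in plugins_dir to its SHA-256 hex digest."""
    snap = {}
    for jar in sorted(Path(plugins_dir).glob("*.jar")):
        snap[jar.name] = hashlib.sha256(jar.read_bytes()).hexdigest()
    return snap


def diff_snapshots(baseline, current):
    """Report JARs that appeared, disappeared or changed since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(
        name for name in set(baseline) & set(current)
        if baseline[name] != current[name]
    )
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed scenario: two known plugins are baselined, then one JAR is
    added and another is replaced; the diff must surface both."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        # Placeholder JAR contents (constructed), not real plugin archives.
        (root / "monitoring.jar").write_bytes(b"PK\x03\x04 monitoring plugin (constructed)")
        (root / "search.jar").write_bytes(b"PK\x03\x04 search plugin (constructed)")
        baseline = snapshot_plugins(root)

        (root / "unexpected.jar").write_bytes(b"PK\x03\x04 not in baseline (constructed)")
        (root / "search.jar").write_bytes(b"PK\x03\x04 search plugin modified (constructed)")
        return diff_snapshots(baseline, snapshot_plugins(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Store the baseline somewhere the Openfire service account cannot write, and treat any non-empty "added" or "changed" list as an incident trigger rather than a maintenance notice unless it coincides with a recorded deployment.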

With the vulnerability already being exploited in real-world attacks, users are advised to update to the latest versions as soon as possible to protect against potential threats.

Parts of this article are sourced from: thehackernews.com
