Sharon428931

Openfire Admin Console Auth Bypass (CVE-2023-32315): From Path Traversal to RCE

> About the author
> Hi, I'm Sharon, a product manager at Chaitin Tech. We build SafeLine, an open-source Web Application Firewall built for real-world threats. While SafeLine focuses on HTTP-layer protection, our emergency response center monitors and responds to RCE and authentication vulnerabilities across the stack to help developers stay safe.

Openfire (formerly Wildfire) is an open-source real-time collaboration server based on XMPP (Extensible Messaging and Presence Protocol). It provides a web-based admin console for configuration and management.

Recently, a serious vulnerability was disclosed in Openfire's admin console. The bug lets an attacker bypass the console's authentication check via path traversal, and from there reach remote code execution (RCE). Although a patch has been released, many servers on the internet are still exposed and vulnerable.


1. Vulnerability Overview

The Openfire Admin Console is a web application used to configure the server. Researchers discovered that an attacker could use a crafted path traversal request to bypass access control checks.

Once successful, an unauthenticated attacker could directly access backend admin pages. Since the console allows plugin installation, the attacker could upload a malicious plugin and achieve RCE on the target server.
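The bypass described above rides on a path-traversal request, so the first thing a defender can do is look for that primitive in the access logs of whatever proxy fronts the admin console. The script below is an added example, not code from the original advisory or from Chaitin; it assumes Common Log Format lines, and every address, timestamp and path in the sample log is constructed for illustration. It percent-decodes each request path until it stops changing (so double encoding is caught), folds backslashes, flags any path with a `..` segment, and records whether the server answered with a 2xx, which is the case worth escalating because the traversal was served rather than rejected.

```python
# Added example, not part of the original advisory: scan access logs from the
# reverse proxy in front of an Openfire admin console and flag requests that
# carry path-traversal sequences, the primitive the advisory describes.
# Assumptions: Common Log Format lines; every path, address and timestamp
# below is constructed for illustration.
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def decode_path(target: str) -> str:
    """Drop the query string, percent-decode until stable (catches double
    encoding) and fold backslashes so '..\\' is seen as '../'."""
    path = target.split("?", 1)[0]
    for _ in range(3):                      # bounded: stop on a fixed point
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def has_traversal(path: str) -> bool:
    """True when any segment of the decoded path is '..'."""
    return any(segment == ".." for segment in path.split("/"))

def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Return one record per request whose decoded path climbs with '..'.
    A 2xx status on such a request is the case worth escalating: the
    server answered instead of rejecting the traversal."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                        # unparseable line; skip, don't crash
        raw = m.group("target")
        path = decode_path(raw)
        if has_traversal(path):
            status = int(m.group("status"))
            hits.append({
                "ip": m.group("ip"),
                "timestamp": m.group("ts"),
                "raw": raw,
                "normalized": path,
                "status": status,
                "served": 200 <= status < 300,
            })
    return hits

def offenders(hits: List[Dict[str, object]]) -> Dict[str, int]:
    """Count flagged requests per source address for blocking/triage."""
    return dict(Counter(str(h["ip"]) for h in hits))

# Constructed sample log: two ordinary requests and four traversal variants
# (plain, percent-encoded, double-encoded, backslash).
SAMPLE_LINES = [
    '10.0.0.5 - - [13/Jun/2023:10:01:02 +0000] "GET /login.jsp HTTP/1.1" 200 1234',
    '203.0.113.7 - - [13/Jun/2023:10:01:05 +0000] "GET /images/../index.jsp HTTP/1.1" 200 5678',
    '203.0.113.7 - - [13/Jun/2023:10:01:06 +0000] "GET /images/%2e%2e/%2e%2e/index.jsp HTTP/1.1" 200 5678',
    '198.51.100.9 - - [13/Jun/2023:10:02:11 +0000] "GET /images/%252e%252e/index.jsp?x=1 HTTP/1.1" 403 0',
    '198.51.100.9 - - [13/Jun/2023:10:02:12 +0000] "GET /images/..%5cindex.jsp HTTP/1.1" 404 0',
    '10.0.0.5 - - [13/Jun/2023:10:03:00 +0000] "POST /login.jsp HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    found = scan(SAMPLE_LINES)
    for h in found:
        print(f'{h["ip"]:<14} {h["status"]} served={h["served"]} {h["raw"]} -> {h["normalized"]}')
    print("per-source counts:", offenders(found))
```

The decode loop is bounded on purpose: a fixed number of passes is enough to unwrap the double encoding seen in practice and cannot be driven into a long loop by a hostile path. The `served` field is what separates noise from a likely bypass when reviewing the output.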

Affected Versions:

  • 3.10.0 <= Openfire < 4.6.8
  • Openfire 4.7.5
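The affected set above mixes a half-open range with a single point release, which is easy to misjudge by eye when triaging an inventory. The checker below is an added example (not Chaitin's or Openfire's code) that encodes the two conditions exactly as the page lists them; it assumes version strings are plain dotted integers such as `4.6.7` and ignores any trailing suffix like `-beta` when comparing.

```python
# Added example, not from the original advisory: decide whether an Openfire
# version string falls inside the affected set listed above, exactly as the
# page states it: 3.10.0 <= version < 4.6.8, or version == 4.7.5.
# Assumption: versions are dotted integers ("4.6.7"); suffixes are ignored.
import re
from typing import Dict, Tuple

Version = Tuple[int, ...]

def parse_version(text: str) -> Version:
    """Turn '4.6.8' (or 'v4.6.8-beta') into (4, 6, 8), padded to three parts
    so that '4.6' compares as (4, 6, 0)."""
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))

# Affected set transcribed from the advisory text above.
AFFECTED_LOW = parse_version("3.10.0")      # inclusive lower bound
AFFECTED_HIGH = parse_version("4.6.8")      # exclusive upper bound
AFFECTED_EXACT = {parse_version("4.7.5")}   # single listed release

def is_affected(text: str) -> bool:
    """True if the version is in [3.10.0, 4.6.8) or is exactly 4.7.5."""
    v = parse_version(text)
    return (AFFECTED_LOW <= v < AFFECTED_HIGH) or v in AFFECTED_EXACT

def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> version string to host -> verdict for a fleet report."""
    return {
        host: ("AFFECTED" if is_affected(version) else "not affected")
        for host, version in inventory.items()
    }

if __name__ == "__main__":
    # Constructed sample inventory; hostnames are placeholders, not real servers.
    sample = {
        "xmpp-01.example.test": "4.6.7",
        "xmpp-02.example.test": "4.6.8",
        "xmpp-03.example.test": "4.7.5",
        "xmpp-04.example.test": "3.9.3",
    }
    for host, verdict in triage(sample).items():
        print(f"{host}: {verdict}")
```

Tuple comparison does the numeric ordering, so `3.10.0` sorts after `3.9.3` rather than before it, which a naive string comparison would get wrong.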

2. Detection Tools

X-POC Remote Scanner

A lightweight tool to remotely scan networks for vulnerable Openfire instances.

```
xpoc -r 103 -t 10.0.0.1/24 -p 80,443,8080,8000
```
CloudWalker Local Scanner

A non-intrusive local scanner that administrators can run to check their own servers.

```
./openfire_console_auth_bypass_scanner_linux_amd64 scan --output result.json
```
3. Mitigation & Fix

Temporary Workaround:

  • Restrict access to the Openfire admin console with network ACLs.
  • Avoid exposing the admin console directly to the internet unless absolutely necessary.

Permanent Fix:

  • Upgrade Openfire to one of the patched versions:

    • 4.7.4
    • 4.6.8

4. Product Support

  • SafeLine WAF: Detects exploitation attempts by default.
  • Dongjian: Supports custom PoC-based detection.
  • CloudWalker: Detection supported via updated emergency vuln package (EMERVULN-23.06.006).
  • Yuntu: Identifies Openfire fingerprints and detects PoC activity.
  • Quanxi: Released detection rules for this vulnerability.

5. Timeline

  • May 26: Vulnerability publicly disclosed.
  • June 8: Detailed exploitation method published.
  • June 13: Chaitin Security released an emergency advisory.
