CVE REFERENCE | HIGH SEVERITY
Active ThreatUpdated 9 min read

CVE-2023-32315: Openfire Authentication Bypass Leading to RCE

A path traversal authentication bypass in the Openfire XMPP server admin console that allowed unauthenticated attackers to upload malicious plugins and execute arbitrary code, with over 3,000 servers compromised before most administrators were aware

7.5
CVSS Score
3,000+
Servers compromised in wild
Pre-auth
Authentication required
Plugin upload
RCE mechanism

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

CVE-2023-32315 is a path traversal authentication bypass vulnerability in the Openfire XMPP messaging server admin console, affecting versions 3.10.0 through 4.7.4 and patched in May 2023. By crafting a URL path that includes a traversal sequence targeting the setup wizard, an unauthenticated attacker can access the fully functional Openfire admin console and upload a malicious plugin, a standard Openfire extension mechanism, to execute arbitrary Java code on the server. VulnCheck reported over 3,000 Openfire servers compromised in active exploitation campaigns, with cryptomining and backdoor installation as primary observed payloads.

Root Cause: Setup Wizard URL Bypass

Openfire's admin console authentication filter blocks unauthenticated access to admin pages. However, the filter does not apply to the setup wizard URL paths, these are intended to be accessible before initial configuration is complete.

CVE-2023-32315 exploits this by accessing admin console pages via a URL that includes a traversal through the setup wizard path:

/setup/setup-s/%u002e%u002e/%u002e%u002e/plugins/install-plugin-url.jsp

The %u002e encoding of the period character (.) causes the path traversal to bypass the authentication filter's pattern matching, while the server-side URL processing resolves the actual target path to the plugin installation page. The attacker arrives at a fully functional admin console page without any authentication.

From Authentication Bypass to Remote Code Execution

Openfire's plugin system is the bridge from authentication bypass to code execution:

  1. Openfire supports plugins as standard Java JAR files containing servlets
  2. The admin console's plugin installation page allows uploading plugin JARs from a file or URL
  3. Openfire automatically loads and executes newly installed plugins
  4. A malicious plugin can contain any Java code, attacker executes OS commands, drops files, or establishes network connections

Public PoC exploit code, published within days of disclosure, included a pre-built malicious plugin JAR that instantiates a Java webshell callable via HTTP requests to the Openfire server.

1

Identify Internet-Facing Openfire Admin Console

Openfire admin console runs on port 9090 (HTTP) or 9091 (HTTPS) by default. Many deployments expose this port directly to the internet. Attackers identify targets via Shodan or direct scanning.

2

Authentication Bypass via Setup Wizard Path Traversal

Send HTTP request to the traversal URL targeting the plugin installation page. The authentication filter is bypassed; attacker accesses the admin plugin upload functionality.

3

Malicious Plugin Upload

Upload a crafted Openfire plugin JAR containing a Java webshell servlet. The upload can be performed via file upload or by pointing the Openfire server to a URL hosting the malicious JAR.

4

Openfire Loads Plugin, Java Code Executes

Openfire's plugin system automatically loads the newly installed plugin, executing the malicious Java servlet with the privileges of the Openfire Java process.

5

Post-Exploitation: Cryptomining, Backdoor, or Lateral Movement

Observed campaigns deployed XMRig cryptominers, persistent Java backdoors, and credential harvesters. Internal network access via Openfire's connected AD integration enabled lateral movement in some cases.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Scale of Exploitation

CVE-2023-32315 saw unusually rapid and broad exploitation:

  • Public PoC code was available within days of the May 2023 disclosure
  • VulnCheck scans identified over 3,000 compromised Openfire instances by July 2023, servers with attacker-installed plugins visible via Shodan
  • Multiple independent threat actor clusters exploited the vulnerability simultaneously
  • Cryptomining was the most common observed payload, but espionage-focused actors also used the access for credential harvesting and internal network reconnaissance

The CVSS score of 7.5 somewhat understates the real-world risk, it reflects the requirement that the admin console be network-accessible, but does not fully capture the trivial exploit complexity (single HTTP request) and the immediate RCE outcome.

Detection

Indicators of CVE-2023-32315 exploitation:

Subscribe to unlock Indicators of Compromise

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Remediation

Steps in order of priority:

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

CVE-2023-32315 is a reminder that messaging infrastructure is enterprise security-critical infrastructure. An Openfire server with an internet-accessible admin console and a trivially bypassed authentication check became a mass-exploitation target within days of disclosure, and over 3,000 servers were compromised before most administrators had applied the patch. The lesson is operational: any admin interface should be network-restricted by default, regardless of what authentication the application itself provides. Firewalls protecting admin ports are a defense-in-depth measure that can contain entire vulnerability classes before a patch is ever applied.

This analysis is generic — the platform version scores threats like this against your own stack.

Frequently asked questions

What is CVE-2023-32315?

CVE-2023-32315 is a path traversal vulnerability in the Openfire XMPP server admin console that allows unauthenticated attackers to bypass the admin authentication filter by accessing setup wizard URLs. This gives access to admin console functionality including plugin upload, which attackers exploit to install malicious plugins containing arbitrary Java code.

What is Openfire and why is it a target?

Openfire is an open-source XMPP (Jabber) messaging server widely used in enterprise environments for internal instant messaging. It is often deployed on-premises and integrated with Active Directory for authentication. Compromising an Openfire server can expose internal communications, user credentials, and provide a foothold inside the corporate network.

How do attackers achieve RCE from an authentication bypass?

Once the authentication bypass gives unauthenticated access to the Openfire admin console, attackers upload a malicious Openfire plugin, a standard JAR file containing a Java servlet. Openfire loads and executes plugins automatically, running the malicious servlet code with the privileges of the Openfire Java process. This is effectively arbitrary Java code execution on the server.

Is CVE-2023-32315 still being exploited in 2026?

Yes. While the initial mass exploitation wave peaked in mid-2023, automated scanning for vulnerable Openfire installations continues in 2026. CISA added CVE-2023-32315 to its [Known Exploited Vulnerabilities (KEV) catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog), meaning any organization still running unpatched Openfire versions 3.10.0 through 4.7.4 remains actively targeted. Patch to Openfire 4.7.5 or later immediately. Any Openfire instance that was internet-facing during mid-2023 should be treated as potentially compromised and audited for residual web shells or installed plugins of unknown origin.

What is the CVE-2023-32315 CVSS score and severity?

CVE-2023-32315 has a CVSS v3.1 base score of 7.5 (High). However, because it is pre-authentication, requires no special privileges or user interaction, and chains directly to arbitrary code execution via plugin upload, the operational severity for internet-facing Openfire deployments is effectively critical. CISA's inclusion in KEV reflects the active exploitation that makes the practical risk higher than the CVSS base score alone suggests.

Does restricting the Openfire admin console port to internal networks prevent CVE-2023-32315?

Yes, for remote exploitation. CVE-2023-32315 exploits the Openfire admin console, which runs on port 9090 (HTTP) or 9091 (HTTPS) by default. If these ports are blocked at the network perimeter and accessible only from trusted internal management IPs, the authentication bypass cannot be triggered by a remote attacker. This network-level control eliminates the internet-facing attack surface for CVE-2023-32315 and all future admin console vulnerabilities regardless of patch status. However, internal network restriction does not protect against an attacker who has already gained an internal network foothold, patching remains mandatory for complete protection. Many of the 3,000+ compromised Openfire servers in the 2023 exploitation wave had admin consoles directly internet-accessible, a configuration that should never exist.

Sources & references

  1. VulnCheck, CVE-2023-32315 Analysis
  2. Ignite Realtime Security Advisory
  3. CISA Known Exploited Vulnerabilities Catalog
  4. NVD, CVE-2023-32315

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.