Despite the released safety reasons, thousands of Openfire servers are subject to an actively operated critical vulnerability CVE-2023-32315 (CVSS: 7.5).
Openfire is a popular open chat server (XMPP) based on Java and has been downloaded more than 9 million times. This vulnerability allows an unauthorized attacker to create new administrator accounts and load malicious plugins.
In May 2023, it was discovered that Openfire versions starting from 3.10.0 (April 2015) are vulnerable to authentication bypass vulnerabilities. The developers have released several security updates (versions 4.6.8, 4.7.5, and 4.8.0). However, in June, reports emerged that the vulnerability is actively being exploited on non-updated servers.
Vulncheck noted that many server administrators are not promptly installing the updates. According to Vulncheck, approximately 3,000 servers are still vulnerable.
Currently, there are 6,324 Openfire servers with open access to the Internet, of which half (3,162 servers) are still at risk of infection due to using outdated software versions.
The Vulncheck report also revealed a new, more covert method of exploiting the vulnerability. Unlike existing methods traceable in audit journals, this new method allows attackers to load malicious plugins without the need to create an administrator account, making the attack less detectable.
The vulnerability is already being actively exploited in real-world conditions.
The exploitation of this vulnerability can involve various types of attacks, such as code injection, botnet usage, phishing, distribution of malware, and others. Attackers can exploit these attacks to steal personal data, disrupt systems, extort funds, or engage in other illicit activities.
The fight against “exploitation in the wild” involves detecting vulnerabilities, developing and deploying patches, updating antivirus databases, and providing cybersecurity training to users to mitigate the risk of attacks.