Security News Vulnerability in Openfire messaging software allows unauthorized access to compromised servers


Level 18
Thread author
Top Poster
May 4, 2019
In June 2023, Doctor Web was contacted by a customer reporting an incident where attackers had been able to encrypt files on their server. The investigation revealed that the infection was implemented as part of the post-exploitation of the CVE-2023-32315 vulnerability in Openfire messaging software. This exploit performs a directory traversal attack and allows unauthorized access to the administrative interface of the Openfire software, which is used by attackers to create a new user with administrative privileges. The attackers then log in using the newly created account and install the malicious plugin helloworld-openfire-plugin-assembly.jar (SHA1:41d224784242151825aa8001a35ee339a0fef2813f), which can run arbitrary code. The plugin allows shell commands to be executed on a server that has Openfire software installed on it, as well as code, written in Java, to be launched and then transmitted to the plugin in a POST request. This is exactly how the encryption trojan was launched on our customer's server.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.