{
	"id": "3cd99719-469d-4e97-b89d-21a8847c90b2",
	"created_at": "2026-04-06T00:18:08.014601Z",
	"updated_at": "2026-04-10T13:12:01.978732Z",
	"deleted_at": null,
	"sha1_hash": "c94b9d81c0ac353fc718707effa9481430cbad5e",
	"title": "Kinsing Malware Exploits Novel Openfire Vulnerability - Aqua",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2546412,
	"plain_text": "Kinsing Malware Exploits Novel Openfire Vulnerability - Aqua\r\nBy Assaf Morag\r\nPublished: 2023-08-29 · Archived: 2026-04-05 17:42:17 UTC\r\nAqua Nautilus discovered a new campaign that exploits the Openfire vulnerability (CVE-2023-32315), which was\r\ndisclosed in May of this year, to deploy Kinsing malware and a cryptominer. This vulnerability leads to a path\r\ntraversal attack, which grants an unauthenticated user access to the Openfire setup environment. This then allows\r\nthe threat actor to create a new admin user and upload malicious plugins. Eventually the attacker can gain full\r\ncontrol over the server. In this blog, we explain the vulnerability, Kinsing’s campaign, and quantify the extent of\r\ninstances potentially exposed to this specific vulnerability. For example, our dedicated Openfire honeypot\r\ndemonstrated over 1,000 attacks in less than two months.\r\nThe Openfire Vulnerability\r\nOpenfire is a real-time collaboration (RTC) server that is used as a chat platform for sending instant messages over\r\nthe XMPP protocol (Extensible Messaging and Presence Protocol). It is designed as an internal IM server for\r\nenterprises, supporting more than 50,000 concurrent users and providing them with a secure and segmented\r\nchannel for communication across different departments within an organization.\r\nIn May this year, a new vulnerability (CVE-2023-32315) was discovered in the Openfire console. This\r\nvulnerability is a path traversal through the setup environment. This flaw\r\nallows an unauthorized user to exploit the unauthenticated Openfire Setup Environment within an established\r\nOpenfire configuration. As a result, a threat actor gains access to the admin setup files that are typically restricted\r\nwithin the Openfire Admin Console. 
Next, the threat actor can choose between either adding an admin user to the\r\nconsole or uploading a plugin which will eventually allow full control over the server.\r\nThe anatomy of the Kinsing campaign\r\nThis Kinsing campaign exploits the vulnerability, drops Kinsing malware and a cryptominer at runtime, and tries to\r\nevade detection and gain persistence. This is illustrated in the attack flow chart below:\r\nhttps://www.aquasec.com/blog/kinsing-malware-exploits-novel-openfire-vulnerability/\r\nPage 1 of 12\n\nThe threat actor scans the internet for Openfire servers (an example can be found below), and once a server is\r\nfound, it is automatically tested to determine whether it is vulnerable to CVE-2023-32315.\r\nThis vulnerability allows the creation of a new admin user with the ability to upload plugins. In this campaign, the\r\nthreat actor uses the vulnerability to create a new admin user and upload a plugin (cmd.jsp), which was designed\r\nto deploy the main payload – Kinsing malware.\r\nAs seen in figure 2 below, the threat actor sends a user create command to user-create.jsp.\r\nFigure 2: The request made by the attacker to create a new user on our Openfire server\r\nThe request is constructed from the following fields:\r\nCreate – the create=%E5%88%9B%E5%BB%BA%E7%94%A8%E6%88%B7 argument is an encoded\r\nstring that decodes to 创建用户, which is Chinese for “create user”.\r\nCSRF – A unique token generated on the server side and shared with the client to safeguard against CSRF\r\nattacks. 
Incorrect validation of the token when using the GET method allows bypassing the validation.\r\nUsername – The name of the newly created user.\r\nPassword – The password for the newly created user.\r\nConfirm – Password reentry for the new user.\r\nisAdmin – Grants the new user Admin permissions.\r\nCreate – Sends the above data to create the new user.\r\nOnce the new user is successfully created, it enables the threat actor to undergo a valid authentication process for\r\nthe Openfire Administration Panel, thereby gaining complete access as an authenticated user. Furthermore, since\r\nthe user is created as an admin, this grants the threat actor elevated permissions within the system.\r\nNext, the threat actor uploads a malicious plugin that allows web shell commands on the server, as seen in\r\nFigure 3 below.\r\nFigure 3: Successful upload of a zipped Metasploit framework\r\nThe threat actor uploads a zip file which is a Metasploit exploit aimed to extend cmd.jsp to enable http\r\nrequests at the threat actor’s disposal. This allows downloading the Kinsing malware, which is hard-coded in the\r\nplugin. 
As depicted in Figure 4 below, the file was flagged in VirusTotal (VT) as malicious (backdoor/Kinsing) by\r\ntwo vendors.\r\nFigure 4: VirusTotal scan of the zipped Metasploit file\r\nThe zip file contains a malicious JAR file, but it has no detections in VT.\r\nIn Figure 5 below you can see a snippet from this JAR file that sheds some more light on its purpose.\r\nFigure 5: A snippet from the main payload in the attack\r\nThis plugin contains a Java class named cmd.jsp that is a backdoor which enables downloading files and\r\nexecuting commands on the server.\r\nNext, there is broad communication between the C2 server and the malware (which we will further elaborate on\r\nin a future dedicated blog). A new shell script is then downloaded as a secondary payload.\r\nThis script creates a cronjob and deletes competing malware, so it is designed to establish persistence on the server, as can be\r\nseen in Figures 6 and 7 below.\r\nFigure 6: Establishing Server Persistence Through Cronjob\r\nFigure 7: Eliminating old/competing attacks\r\nVulnerable Openfire Servers in the Wild\r\nSince Openfire is being used by large organizations around the world, we were curious about the level of exposure\r\nin the wild. We queried Shodan (an IP search engine) and found 6,419 internet-connected servers with the Openfire\r\nservice running. Out of this initial number, 1,383 (21.5%) weren’t reachable. 
We were left with 5,036 servers, out\r\nof which 984 were vulnerable to this vulnerability (19.5%).\r\nBelow in figure 8, you can see the geolocation spread of these servers; the majority appear to be located\r\nin the USA, China and Brazil.\r\nFigure 8: Openfire vulnerability instances Map\r\nIn the beginning of July, we created an Openfire honeypot, and it was immediately targeted. As illustrated in\r\nfigure 9 below, there were dozens of attacks per day that targeted the Openfire vulnerability. The majority\r\n(91%) were attributed to the Kinsing campaign described above.\r\nFigure 9: Our Openfire honeypot attack trend between July 1st and August 23rd\r\nWe found that our honeypot was targeted by two distinct types of attacks. The first, broadly discussed above,\r\ndeploys a web shell and enables the attacker to download Kinsing malware and cryptominers; all of these\r\nattacks seem to be connected. The second one involves the same Metasploit exploit to deploy the web shell, but\r\nwe haven’t seen any specific tools used during this attack. The attackers collected information about the system\r\nbut didn’t continue their attack.\r\nHow to Secure Your Environment\r\nAs the count of newly discovered vulnerabilities continues to rise, estimated to reach tens of thousands each year,\r\nwe must heighten our awareness and invest more attention in maintaining our resources. This blog underscores\r\nhow vulnerabilities can impact the entire environment, putting it at risk. Through the exploitation of the\r\nvulnerability, the threat actor gains authentication as an admin user, enabling the ability to execute actions within\r\nthe Openfire Administration Console, and ultimately, execute malicious commands remotely.\r\nTo protect against these types of attacks, we propose adhering to the following guidelines:\r\n1. 
Keep Your Environment Up to Date\r\nGiven that vulnerabilities are periodically unveiled, it’s paramount to stay vigilant regarding updates and security\r\nalerts. Should you discover that one of your instances is susceptible, promptly undertake updates in accordance\r\nwith the distributor’s guidelines. The Aqua Platform allows you to easily detect novel vulnerabilities. We built a\r\nvulnerable Openfire application to serve as our honeypot; in the screenshots below you can see our validation\r\nprocess to scan the newly created container image to verify it is vulnerable to the above-mentioned vulnerability.\r\nAs illustrated in figure 10, we set the scanner to fail any images with a severity score of high or critical. In this case\r\nthe only vulnerability was the Openfire CVE-2023-32315, which failed the compliance of the container image.\r\nFigure 10: The Aqua platform fails the build when a high rank vulnerability is detected\r\nFigure 11: Vulnerability details as seen in the Aqua platform\r\n2. Configure Environments Diligently\r\nSteer clear of employing default settings and ensure that passwords adhere to best practices. Regularly refreshing\r\nsecrets and passwords further bolsters the security of your environments.\r\n3. Conduct Thorough Environment Scans for Unknown Threats\r\nThreat actors are progressively refining their tactics, camouflaging their activities to resemble legitimate\r\noperations, making the detection of their actions a formidable challenge. Consequently, runtime detection and\r\nresponse solutions can prove invaluable in identifying anomalies and issuing alerts about malicious activities. 
Our\r\nruntime protection module on the Aqua Platform detected the Kinsing attack as illustrated in the screenshots\r\nbelow.\r\nFigure 12: The attack timeline in the Aqua platform\r\nFigure 13: Event description – Kinsing malware conducts direct communication to download the cryptominer\r\nFigure 14: Drift Detection in the Aqua platform: The file kdevtmpfsi (a Monero cryptominer) is downloaded into\r\nthe container\r\nIndications of Compromise (IOCs)\r\nName Type SHA256\r\nFiles\r\nKinsing Binary 0a28885748fcd4a9709e829bfec4718756c01b0cc498d61e8936fddf1f0b0203\r\n32acdf28ddcdcfe360f04235501189204424e46e091738cc757c970c9dd4e98e\r\n39880b2edc31cf107149477390bf7a63760b0b86870e8058e7197057e703c39d\r\n59812a7eb6e67ad8d2e4093ec35744edd98360d0dd6eb3ab9048ebc62cc72745\r\n787e2c94e6d9ce5ec01f5cbe9ee2518431eca8523155526d6dc85934c9c5787c\r\n7c5ceabd26a953f45b6179d7f751168a986781e7f7bfdb792fc710f7067ca1d9\r\nb070a335e74f8cb7c6fbfb616c0e27fda7b9ef937887be5de112b1471539301b\r\nb5396a49f021854d7ed5eb81ee18516dadc99c23d0f1858e10f3791794b2038b\r\nCryptomining Binary 631d0eac8278f4c8090dcc89c905eebdac5ad03db6cf33be1f0a5a39ce6fff1a\r\n6fc94d8aecc538b1d099a429fb68ac20d7b6ae8b3c7795ae72dd2b7107690b8f\r\nIP Addresses\r\nAttacker IP 109.237.96.251\r\n109.237.96.124\r\n5.35.101.62\r\n103.164.138.183\r\n51.222.154.100\r\n65.21.151.9\r\n162.142.125.215\r\n83.97.73.87\r\n167.248.133.36\r\n152.89.198.113\r\nMalware host 185.154.53.140\r\n185.221.154.208\r\n31.184.240.34\r\n45.15.158.124\r\n194.87.252.159\r\nMalicious Plugins\r\nKinsing Plugin JAR 871e3151d736b7402efdab403eb4e44d50544161814da9a348df9debd3e4ebf3\r\n0f1f0a4a46b698e513aa696841f2692ef0785f24e8ef6d4c0d782ad55e00d178\r\nMetasploit Plugin JAR 
3d43218f0e503e9ebc63eff76df7a63ab20a0e9dc971fa70df8bb6f521ae1794\r\n90bbb4ba3d2cbe9bd5e450a97a156419638a89a1b9b326159852e64d43213d28\r\n43eeef9c170b8aadc6d737660a5a76d84f3d66b7763061b326a8a4dc67dd8cbd\r\n8809368b73f1971bd107cd88c699ccf6defc62e52adf9469f9fd894a5fdc8c65\r\n5744ab64eca9e154b487b5c6b729ef7ed8232c4a5ca157bbecbc6fe924ba14c3\r\nc7c6da81edf49a8e916eaa2eb0d77d3cc90efe6bd018cef35f93462cd52fb45b\r\nBackdoor Plugin JAR 4cc22c8064c713466edfb1fb367c1c7e166014a67e4db1a308c92a012dd2827a\r\nAssaf is the Director of Threat Intelligence at Aqua Nautilus. He is responsible for acquiring threat intelligence\r\nrelated to the software development life cycle in cloud native environments, supports the team's data needs, and helps\r\nAqua and the ecosystem remain at the forefront of emerging threats and protective methodologies. His research\r\nhas been featured in leading information security publications and journals worldwide, and he has presented at\r\nleading cybersecurity conferences. Notably, Assaf has also contributed to the development of the new MITRE\r\nATT\u0026CK Container Framework.\r\nAssaf is leading an O’Reilly course, focusing on cyber threat intelligence in cloud-native environments. The\r\ncourse covers both theoretical concepts and practical applications, providing valuable insights into the unique\r\nchallenges and strategies associated with securing cloud-native infrastructures.\r\nNitzan Yaakov\r\nNitzan was a Security Data Analyst at the Aqua Nautilus research team.\r\nSource: https://www.aquasec.com/blog/kinsing-malware-exploits-novel-openfire-vulnerability/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.aquasec.com/blog/kinsing-malware-exploits-novel-openfire-vulnerability/"
	],
	"report_names": [
		"kinsing-malware-exploits-novel-openfire-vulnerability"
	],
	"threat_actors": [
		{
			"id": "a6c351ea-01f1-4c9b-af75-cfbb3b269ed3",
			"created_at": "2023-01-06T13:46:39.390649Z",
			"updated_at": "2026-04-10T02:00:03.311299Z",
			"deleted_at": null,
			"main_name": "Kinsing",
			"aliases": [
				"Money Libra"
			],
			"source_name": "MISPGALAXY:Kinsing",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434688,
	"ts_updated_at": 1775826721,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c94b9d81c0ac353fc718707effa9481430cbad5e.pdf",
		"text": "https://archive.orkl.eu/c94b9d81c0ac353fc718707effa9481430cbad5e.txt",
		"img": "https://archive.orkl.eu/c94b9d81c0ac353fc718707effa9481430cbad5e.jpg"
	}
}