CVE-2008-6508

Openfire < 3.6.0a - Unauthenticated Path Traversal via Admin Console URI

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2008-6508. PoCs published by Metasploit, Andreas Kurtz and h0ng10, including the Metasploit module exploits/multi/http/openfire_auth_bypass.

AI-analyzed exploit summary: This Metasploit module exploits an authentication bypass vulnerability in Openfire's admin console to upload and execute a malicious plugin, achieving arbitrary Java code execution. It has been tested against Openfire 3.6.0a.

Description

Directory traversal vulnerability in the AuthCheck filter in the Admin Console in Openfire 3.6.0a and earlier allows remote attackers to bypass authentication and access the admin interface via a .. (dot dot) in a URI that matches the Exclude-Strings list, as demonstrated by a /setup/setup-/.. sequence in a URI.

Exploits (3)

exploitdb · Working PoC · Verified
by Metasploit · ruby, webapps, jsp
https://www.exploit-db.com/exploits/19432

This Metasploit module exploits an authentication bypass vulnerability in Openfire's admin console to upload and execute a malicious plugin, achieving arbitrary Java code execution. It has been tested against Openfire 3.6.0a.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Openfire 3.6.0a
No auth needed
Prerequisites: Network access to the Openfire admin console (port 9090 by default)
devstral-2 · analyzed Feb 16, 2026
exploitdb · Writeup · Verified
by Andreas Kurtz · text, webapps, jsp
https://www.exploit-db.com/exploits/7075

This advisory details multiple vulnerabilities in Openfire Server <= 3.6.0a, including authentication bypass, SQL injection, and XSS. It provides technical descriptions and proof-of-concept examples for each vulnerability.

Classification: Writeup 100%
Attack Type: Auth Bypass | SQLi | XSS
Complexity: Moderate
Reliability: Reliable
Target: Openfire Server <= 3.6.0a
No auth needed
Prerequisites: Access to the Openfire admin interface · SIP plugin installation for SQLi exploitation
devstral-2 · analyzed Feb 16, 2026
metasploit · Working PoC · Excellent
by Andreas Kurtz, h0ng10 · ruby, poc, java
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/openfire_auth_bypass.rb

This Metasploit module exploits an authentication bypass vulnerability in Openfire's admin console to upload and execute a malicious plugin, achieving arbitrary Java code execution. It targets Openfire versions up to 3.6.0a.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Openfire <= 3.6.0a
No auth needed
Prerequisites: Network access to the Openfire admin console (port 9090 by default) · Vulnerable Openfire version (<= 3.6.0a)
devstral-2 · analyzed Feb 16, 2026

References (11)

Exploit, Third Party Advisory (exploit-db): https://www.exploit-db.com/exploits/7075
Third Party Advisory (secunia): http://secunia.com/advisories/32478
Exploit, VDB Entry (osvdb): http://osvdb.org/49663
Various Sources (misc): http://www.andreas-kurtz.de/archives/63
Patch, Vendor Advisory (confirm): http://www.igniterealtime.org/issues/browse/JM-1489
Exploit, VDB Entry (bid): http://www.securityfocus.com/bid/32189
Third Party Advisory, VDB Entry (xf): https://exchange.xforce.ibmcloud.com/vulnerabilities/46488
Third Party Advisory, VDB Entry, Mailing List (bugtraq): http://www.securityfocus.com/archive/1/498162/100/0/threaded
Vendor Advisory, VDB Entry (vupen): http://www.vupen.com/english/advisories/2008/3061

Scores

EPSS 0.8281
EPSS Percentile 99.6%

Details

CWE
CWE-22
Status published
Products (25)
igniterealtime/openfire 2.6.0
igniterealtime/openfire 2.6.1
igniterealtime/openfire 2.6.2
igniterealtime/openfire 3.0.0
igniterealtime/openfire 3.0.1
igniterealtime/openfire 3.1.0
igniterealtime/openfire 3.1.1
igniterealtime/openfire 3.2.0
igniterealtime/openfire 3.2.1
igniterealtime/openfire 3.2.2
... and 15 more
Published Mar 23, 2009
Tracked Since Feb 18, 2026