CVE-2024-25420: 
Java vulnerability analysis and mitigation

An issue in Ignite Realtime Openfire v.4.9.0 and before allows a remote attacker to escalate privileges via the admin.authorizedJIDs system property component. The vulnerability was discovered and disclosed on March 26, 2024, affecting the Openfire real-time collaboration server, which is an open-source application written in Java using the XMPP protocol for instant messaging (Openfire Website, HTB Blog).

The vulnerability stems from improper management of deleted administrative users. When an administrative user is created, their admin privileges are saved in a system property called admin.authorizedJIDs using the account's username as the key. However, when the administrative user is deleted, their username is not removed from the admin.authorizedJIDs system property. This oversight allows any new user created with the same username to automatically gain administrator privileges, even if created through XMPP registration rather than the administrative panel. The issue has been assigned a CVSS v3.1 base score of 7.2 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (HTB Blog).

The vulnerability allows attackers to potentially gain administrative access by bruteforcing commonly used administrator usernames during registration, particularly targeting known deleted admin accounts. This attack vector becomes more effective if the attacker has internal knowledge of the organization or can gather information about former employees through OSINT sources like LinkedIn (HTB Blog).

Organizations should upgrade to a version newer than Openfire v.4.9.0 once a patch is available. In the meantime, administrators should carefully monitor user creation activities, especially those matching previously deleted administrative accounts (NVD).