Detections
Analytics
Openfire < 5.0.2 / 5.1.0 Identity Spoofing
medium Nessus Plugin ID 265328
Language:
Synopsis
The remote host contains an application that is affected by an identity spoofing vulnerability.Description
The remote host is running a version of Openfire that is affected by an identity spoofing vulnerability. Openfire’s SASL EXTERNAL mechanism for client TLS authentication contains a vulnerability in how it extracts user identities from X.509 certificates. Instead of parsing the structured ASN.1 data, the code calls X509Certificate.getSubjectDN().getName() and applies a regex to look for CN=. This method produces a provider-dependent string that does not escape special characters. In SunJSSE (sun.security.x509.X500Name), for example, commas and equals signs inside attribute values are not escaped.As a result, a malicious certificate can embed CN= inside another attribute value (e.g. OU='CN=admin,'). The regex will incorrectly interpret this as a legitimate Common Name and extract admin. If SASL EXTERNAL is enabled and configured to map CNs to user accounts, this allows the attacker to impersonate another user.
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Solution
Upgrade to version 5.0.2, 5.1.0 or later.See Also
Plugin Details
Severity: Medium
ID: 265328
File Name: openfire_5_1_0.nasl
Version: 1.2
Type: remote
Family: CGI abuses
Published: 9/17/2025
Updated: 9/19/2025
Supported Sensors: Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 6.0
CVSS v2
Risk Factor: High
Base Score: 7.3
Vector: CVSS2#AV:N/AC:M/Au:M/C:C/I:C/A:N
CVSS Score Source: CVE-2025-59154
CVSS v3
Risk Factor: Medium
Base Score: 5.9
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N
Vulnerability Information
CPE: cpe:/a:igniterealtime:openfire
Required KB Items: installed_sw/Openfire Console
Patch Publication Date: 9/15/2025
Vulnerability Publication Date: 9/15/2025
Reference Information
CVE: CVE-2025-59154
CWE: 290
IAVB: 2025-B-0153