How users are logging in to Openfire with anonymous accounts

Hi All,

How did a user log into Openfire when he didn’t have an account, and how did he create multiple admin accounts, and how can this be prevented?

Openfire can be configured to allow for anonymous XMPP connections. Those should not be usable to create administrative accounts though. If you do not want anonymous XMPP connections, then make sure that this feature is disabled in the admin console.

When unauthorized users create an admin user, then there is a weakness being exploited in your configuration somewhere. It is impossible to tell for sure what is causing this without more data. My first thought would be an exploit of the security vulnerability that was recently reported. Are you running the latest version of Openfire?

Thank you for your reply, but if I upgrade to the latest version, does it fix the issue? How can I prevent adding anonymous users? Do I need to do anything because when I delete users, I am getting this message again and again?

It’s impossible to say if an upgrade to the latest version fixes your issue, as we do not know what causes your issue.

It is reasonable to say that if you do not upgrade to the latest version, your instance of Openfire will be vulnerable to comparable issues.