⚠ Actively exploited
Added to CISA KEV on 2023-09-06. Federal agencies required to patch by 2023-09-27. Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
CVE-2023-33246
Severity
9.8 CRITICAL
EPSS
94.4%
top 0.03%
CISA KEV
KEV
Added 2023-09-06
Due 2023-09-27
Exploit
Exploited in wild
Active exploitation observed
Affected products
Timeline
Published: May 24
KEV added: Sep 6
KEV due: Sep 27
Latest update: Oct 14
Description
For RocketMQ versions 5.1.0 and below, under certain conditions, there is a risk of remote command execution.
Several components of RocketMQ, including NameServer, Broker, and Controller, are leaked on the extranet and lack permission verification. An attacker can exploit this vulnerability by using the update configuration function to execute commands as the system users that RocketMQ is running as. Additionally, an attacker can achieve the same effect by forging the RocketMQ protocol content.…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9
Affected Packages: 5 packages
🔴 Vulnerability Details (5)
OSV
Apache RocketMQ may have remote code execution vulnerability when using update configuration function (2023-07-06)
GHSA
Apache RocketMQ may have remote code execution vulnerability when using update configuration function (2023-07-06)
CVEList
Apache RocketMQ: Possible remote code execution vulnerability when using the update configuration function (2023-05-24)
💥 Exploits & PoCs (2)
Nuclei
RocketMQ <= 5.1.0 - Remote Code Execution
Nuclei
Apache RocketMQ - Remote Command Execution
🔍 Detection Rules (1)
Suricata
ET WEB_SPECIFIC_APPS Apache RocketMQ 5.1.0 Arbitrary Code Injection in Broker Config (CVE-2023-33246) (2023-09-07)
📋 Vendor Advisories (2)
🕵️ Threat Intelligence (5)
Bleepingcomputer