⚠ Actively exploited in ransomware campaigns
This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable. Due date: 2023-11-23.

CVE-2023-46604

Severity: 9.8 CRITICAL
EPSS: 94.4% (top 0.01%)
CISA KEV: KEV, Ransomware (added 2023-11-02, due 2023-11-23)
Exploit: Exploited in wild, active exploitation observed

Timeline
Published: Oct 27
KEV added: Nov 2
KEV due: Nov 23
Latest update: Feb 14

CISA Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Description

The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
Exploitability: 3.9 | Impact: 6.0

Affected Packages (8 packages)

Source | Package | Introduced | Fixed | More
Maven | org.apache.activemq:activemq-client | 5.16.0 | 5.16.7 | +3
NVD | apache/activemq | 5.16.0 | 5.16.7 | +3

Also affects: Debian Linux 10.0, 11.0

🔴 Vulnerability Details (6)

OSV: activemq vulnerabilities (2025-02-14)
OSV: CVE-2023-46604: The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution (2023-10-27)
OSV: Apache ActiveMQ is vulnerable to Remote Code Execution (2023-10-27)
CVEList: Apache ActiveMQ, Apache ActiveMQ Legacy OpenWire Module: Unbounded deserialization causes ActiveMQ to be vulnerable to a remote code execution (RCE) attack (2023-10-27)
GHSA: Apache ActiveMQ is vulnerable to Remote Code Execution (2023-10-27)

💥 Exploits & PoCs (2)

Exploit-DB: Responsive FileManager 9.9.5 - Remote Code Execution (RCE) (2023-04-05)
Nuclei: Apache ActiveMQ - Remote Code Execution

🔍 Detection Rules (5)

Suricata: ET EXPLOIT Successful Apache ActiveMQ Remote Code Execution (CVE-2023-46604) (2023-11-29)
Suricata: ET INFO Remote Spring Application XML Configuration Containing ProcessBuilder Downloaded (2023-11-02)
Suricata: ET EXPLOIT Apache ActiveMQ Remote Code Execution Attempt (CVE-2023-46604) (2023-11-02)
Suricata: ET INFO Apache ActiveMQ Instance - Vulnerable to CVE-2023-46604 - Remote Instance (2023-11-01)
Suricata: ET INFO Apache ActiveMQ Instance - Vulnerable to CVE-2023-46604 - Local Instance (2023-11-01)

📋 Vendor Advisories (8)

Ubuntu: Apache ActiveMQ vulnerabilities (2025-02-14)
Oracle: Oracle Communications Risk Matrix: Patches (Apache ActiveMQ) — CVE-2023-46604 (2025-01-15)
Ubuntu: Apache ActiveMQ vulnerabilities (2024-07-23)
Oracle: Oracle Financial Services Applications Risk Matrix: Miscellaneous (Apache ActiveMQ) — CVE-2023-46604 (2024-04-15)
Oracle: Oracle Communications Risk Matrix: Security (Apache ActiveMQ) — CVE-2023-46604 (2024-01-15)

🕵️ Threat Intelligence (11)

Trendmicro: Abuse of Apache ActiveMQ with nasty consequences (2023-11-23)
Trendmicro: CVE-2023-46604 (Apache ActiveMQ) Vulnerability Exploited to Infect Systems With Cryptominers and Rootkits (2023-11-20)

📄 Research Papers (1)

CTF: RumbleInTheJungle / README (2024)