Joseph Lee

CVE-2023-46604: Apache ActiveMQ Actively Exploited For RCE


CVE-2023-46604 Intelligence Summary

Enterprise | CVSS 9.8

Apache ActiveMQ is affected by a CVSS 9.8 high-severity remote code execution (RCE) vulnerability tracked as CVE-2023-46604 that leverages deserialization of untrusted data [CWE-502] in the OpenWire protocol. The Apache ActiveMQ message broker can be exploited remotely [T1210] to execute arbitrary shell commands at the privilege level of the ActiveMQ process [T1068]. CISA added CVE-2023-46604 to its actively exploited catalog on November 2nd, and exploitation is considered to be of trivial complexity. Attacks leveraging CVE-2023-46604 have included deployment of ransomware consistent with the HelloKitty and TellYouThePass variants, as well as Kinsing cryptomining malware. Greenbone added detection for CVE-2023-46604 to the Enterprise vulnerability feed on November 7th, 2023.

The Apache ActiveMQ broker service uses the OpenWire protocol for language-agnostic communication between software components or systems, on port 61616 by default. Exploitation works by manipulating serialized class types to cause the broker to instantiate any class on the classpath. Serialization (or marshalling) is the process of converting data objects (such as functions, classes, or arrays) into an encoded format for transmission over a network or for storage and later use. Deserialization (or unmarshalling) is the reverse process, whereby the serialized data is reconstructed into the format used by a programming language, in this case the Java programming language.

ActiveMQ is built on the Spring Java Framework. CVE-2023-46604 is exploited by specifying the `ClassPathXmlApplicationContext` class as the type of data to be unmarshalled. The `ClassPathXmlApplicationContext` class will fetch a remote XML file, allowing the attacker to have the broker import their own malicious XML hosted anywhere on the Internet. The malicious XML file can include system commands to be called via the `java.lang.ProcessBuilder.start` method. Rapid7 has posted the most detailed technical analysis on how CVE-2023-46604 can be exploited for RCE.

Mitigating CVE-2023-46604

Several proof-of-concept (PoC) exploits for CVE-2023-46604 [1][2][3] are publicly available, as well as a Metasploit module, which makes the exploitation of an estimated 3,000 vulnerable Apache ActiveMQ servers highly probable and increases the urgency of remediation.

Several versions of Apache ActiveMQ, ActiveMQ Artemis, and Apache ActiveMQ Legacy OpenWire Module are affected. Users are strongly urged to upgrade affected brokers and clients to fixed versions 5.15.16, 5.16.7, 5.17.6, 5.18.3, or later. Patched versions were released in late October 2023, and ActiveMQ version 6.0.0 was released on November 17th.
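A version-triage check built from the fixed releases listed above, added here as an example (it is not Greenbone's or Apache's code). It assumes ActiveMQ 5.x/6.x version strings, treats release lines older than 5.15 as needing an upgrade, and treats a `-SNAPSHOT` or `-RC` build of a fixed version as unpatched; the host names and inventory are constructed.

```python
import re

# Fixed releases named in the article, keyed by (major, minor) release line.
FIXED = {(5, 15): (5, 15, 16), (5, 16): (5, 16, 7),
         (5, 17): (5, 17, 6), (5, 18): (5, 18, 3)}
# x.y.z with an optional pre-release marker; other suffixes (e.g. "-bin") are ignored.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(-SNAPSHOT|-RC\d*)?")


def parse_version(text):
    """Return ((major, minor, patch), is_prerelease) from a version or artifact name."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(n) for n in m.group(1, 2, 3)), m.group(4) is not None


def needs_upgrade(text):
    """True if the reported version is below the fixed release for its line."""
    version, prerelease = parse_version(text)
    line = version[:2]
    if line in FIXED:
        fixed = FIXED[line]
        # Assumption: a pre-release build of the fixed version may predate the patch.
        return version < fixed or (version == fixed and prerelease)
    # Lines older than 5.15 have no fixed release listed; newer lines ship after the fix.
    return line < min(FIXED)


# Constructed inventory: host name -> version string as reported by the broker or package.
INVENTORY = {
    "mq-a": "5.15.15",
    "mq-b": "5.16.7",
    "mq-c": "apache-activemq-5.18.3-SNAPSHOT",
    "mq-d": "5.14.5",
    "mq-e": "6.0.0",
    "mq-f": "apache-activemq-5.17.6-bin.tar.gz",
}


def triage(inventory):
    """Return the sorted host names that still need the upgrade."""
    return sorted(h for h, v in inventory.items() if needs_upgrade(v))


if __name__ == "__main__":
    print(triage(INVENTORY))
```
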

Although ActiveMQ itself offers no alternative workaround that prevents exploitation of CVE-2023-46604, firewall rules may be used to whitelist trusted brokers and clients and so prevent access by untrusted IP addresses.

What Is A “Message Broker” Anyway?

Message brokers (also known as message queue brokers or “MQ”) are software services that facilitate the exchange of messages between different processes on the same system or between different systems. These message queues allow “senders” and “receivers” to operate asynchronously, and thus independently, and also enable the creation of interconnected software systems across a distributed IT architecture. There are many popular MQs available.

by Joseph Lee, 2023-12-18