CVE Alert

CVE-2023-46604

CRITICAL 10.0 ⚠️ CISA KEV

Apache ActiveMQ, Apache ActiveMQ Legacy OpenWire Module: Unbounded deserialization causes ActiveMQ to be vulnerable to a remote code execution (RCE) attack

CVSS Score: 10.0
EPSS Score: 0.0%
EPSS Percentile: 0th

The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue.

CWE: CWE-502
Vendor: Apache Software Foundation
Product: Apache ActiveMQ
Published: Oct 27, 2023
Last Updated: Nov 3, 2025
⚠️ Actively Exploited - Act Now


CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: High
Availability: High

Affected Versions

Apache Software Foundation / Apache ActiveMQ
5.18.0 < 5.18.3, 5.17.0 < 5.17.6, 5.16.0 < 5.16.7, 0 < 5.15.16
Apache Software Foundation / Apache ActiveMQ Legacy OpenWire Module
5.18.0 < 5.18.3, 5.17.0 < 5.17.6, 5.16.0 < 5.16.7, 5.8.0 < 5.15.16

References

activemq.apache.org: https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt
openwall.com: https://www.openwall.com/lists/oss-security/2023/10/27/5
security.netapp.com: https://security.netapp.com/advisory/ntap-20231110-0010/
packetstormsecurity.com: https://packetstormsecurity.com/files/175676/Apache-ActiveMQ-Unauthenticated-Remote-Code-Execution.html
lists.debian.org: https://lists.debian.org/debian-lts-announce/2023/11/msg00013.html
seclists.org: http://seclists.org/fulldisclosure/2024/Apr/18
lists.debian.org: https://lists.debian.org/debian-lts-announce/2024/10/msg00027.html
cisa.gov: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-46604
