Back to KEVs

CVE-2023-46604

Apache ActiveMQ, Apache ActiveMQ Legacy OpenWire Module: Unbounded deserialization causes ActiveMQ to be vulnerable to a remote code execution (RCE) attack

Basic Information

CVE State: PUBLISHED
Reserved Date: October 24, 2023
Published Date: October 27, 2023
Last Updated: February 13, 2025
Vendor: Apache Software Foundation
Product: Apache ActiveMQ, Apache ActiveMQ Legacy OpenWire Module
Description: The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue.

CVSS Scores

CVSS v3.1

10.0 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H

SSVC Information

Exploitation: active
Automatable: Yes
Technical Impact: Total

Exploit Status

Exploited in the Wild: Yes (added 2023-11-02 00:00:00 UTC) Source
Proof of Concept Available: Yes (added 2024-10-16 03:31:13 UTC) Source
Used in Malware: Yes (added 2023-11-02 00:00:00 UTC) Source

References

https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt https://www.openwall.com/lists/oss-security/2023/10/27/5 https://security.netapp.com/advisory/ntap-20231110-0010/ https://packetstormsecurity.com/files/175676/Apache-ActiveMQ-Unauthenticated-Remote-Code-Execution.html https://lists.debian.org/debian-lts-announce/2023/11/msg00013.html http://seclists.org/fulldisclosure/2024/Apr/18

Known Exploited Vulnerability Information

Source	Added Date
CISA	2023-11-02 00:00:00 UTC

Scanner Integrations

Scanner	URL	Date Detected
Metasploit	https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/misc/apache_activemq_rce_cve_2023_46604.rb	2025-04-29 11:01:25 UTC
Nuclei	https://github.com/projectdiscovery/nuclei-templates/blob/main/javascript/cves/2023/CVE-2023-46604.yaml	2025-04-26 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

apache_activemq_rce_cve_2023_46604

Type: metasploit • Created: Unknown

Metasploit module for CVE-2023-46604

cuanh2333/CVE-2023-46604

Type: github • Created: 2024-10-16 03:31:13 UTC • Stars: 0

LiritoShawshark/CVE-2023-46604_ActiveMQ_RCE_Recurrence

Type: github • Created: 2023-11-16 02:36:07 UTC • Stars: 2

CVE-2023-46604环境复现包

duck-sec/CVE-2023-46604-ActiveMQ-RCE-pseudoshell

Type: github • Created: 2023-11-12 11:26:46 UTC • Stars: 16

This script leverages CVE-2023046604 (Apache ActiveMQ) to generate a pseudo shell. The vulnerability allows for remote code execution due to unsafe deserialization within the OpenWire protocol.

h3x3h0g/ActiveMQ-RCE-CVE-2023-46604-Write-up

Type: github • Created: 2023-11-09 11:27:20 UTC • Stars: 3

justdoit-cai/CVE-2023-46604-Apache-ActiveMQ-RCE-exp

Type: github • Created: 2023-11-08 07:48:00 UTC • Stars: 5

CVE-2023-46604 Apache ActiveMQ RCE exp 基于python

evkl1d/CVE-2023-46604

Type: github • Created: 2023-11-04 11:58:21 UTC • Stars: 32

SaumyajeetDas/CVE-2023-46604-RCE-Reverse-Shell-Apache-ActiveMQ

Type: github • Created: 2023-11-03 22:06:09 UTC • Stars: 114

Achieving a Reverse Shell Exploit for Apache ActiveMQ (CVE_2023-46604)