Malicious exploitation of an Apache ActiveMQ vulnerability tracked as CVE-2023-46604 started at least two weeks prior to patches being released, according to managed detection and response firm Huntress.
Apache ActiveMQ is a popular open source, multi-protocol message broker, and there are still thousands of internet-exposed instances that are vulnerable to attacks exploiting CVE-2023-46604, which can be leveraged for remote code execution.
A patch for the vulnerability was committed to the source code on October 24 and the existence of the security flaw was made public on October 27.
Rapid7 started seeing exploitation attempts on the same day, with attackers apparently trying to deliver HelloKitty ransomware, whose source code was leaked in early October.
However, Huntress has found evidence that CVE-2023-46604 was exploited as a zero-day since at least October 10.
“At the time that the events were investigated, Huntress analysts found no additional, subsequent malicious activity on the endpoint, indicating that the infection process did not succeed,” the company said in a blog post on Thursday.
Technical details and proof-of-concept (PoC) code for CVE-2023-46604 are publicly available. In addition, exploitation of the vulnerability is trivial and there is even a Metasploit module that automates exploitation.
That’s why it’s important that users update ActiveMQ as soon as possible to versions 5.15.16, 5.16.7, 5.17.6 or 5.18.3, which patch the flaw.
This is not the first Apache ActiveMQ vulnerability that has been exploited in the wild. The US cybersecurity agency CISA warned last year that CVE-2016-3088, which allows remote attackers to upload and execute arbitrary files, has also been leveraged for malicious purposes.