Connect with us

Hi, what are you looking for?


Malware & Threats

Apache ActiveMQ Vulnerability Exploited as Zero-Day

The recently patched Apache ActiveMQ vulnerability tracked as CVE-2023-46604 has been exploited as a zero-day since at least October 10.

Malicious exploitation of an Apache ActiveMQ vulnerability tracked as CVE-2023-46604 started at least two weeks prior to patches being released, according to managed detection and response firm Huntress.  

Apache ActiveMQ is a popular open source, multi-protocol message broker, and there are still thousands of internet-exposed instances that are vulnerable to attacks exploiting CVE-2023-46604, which can be leveraged for remote code execution. 

A patch for the vulnerability was committed to the source code on October 24 and the existence of the security flaw was made public on October 27. 

Rapid7 started seeing exploitation attempts on the same day, with attackers apparently trying to deliver HelloKitty ransomware, whose source code was leaked in early October.

However, Huntress has found evidence that CVE-2023-46604 was exploited as a zero-day since at least October 10.

“At the time that the events were investigated, Huntress analysts found no additional, subsequent malicious activity on the endpoint, indicating that the infection process did not succeed,” the company said in a blog post on Thursday. 

Technical details and proof-of-concept (PoC) code for CVE-2023-46604 are publicly available. In addition, exploitation of the vulnerability is trivial and there is even a Metasploit module that automates exploitation. 

That’s why it’s important that users update ActiveMQ as soon as possible to versions 5.15.16, 5.16.7, 5.17.6 or 5.18.3, which patch the flaw.

Advertisement. Scroll to continue reading.

Indicators of compromise (IoCs) are available from both Rapid7 and Huntress

This is not the first Apache ActiveMQ vulnerability that has been exploited in the wild. The US cybersecurity agency CISA warned last year that CVE-2016-3088, which allows remote attackers to upload and execute arbitrary files, has also been leveraged for malicious purposes. 

Related: Companies Address Impact of Exploited Libwebp Vulnerability 

Related: Recently Patched TeamCity Vulnerability Exploited to Hack Servers

Related: Recent NetScaler Vulnerability Exploited as Zero-Day Since August

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.