The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:HApache Activemq
APPApache< 5.15.165.16.0 – 5.16.7 (bez)5.17.0 – 5.17.6 (bez)5.18.0 – 5.18.3 (bez)Apache Activemq Legacy Openwire Module
APPApache< 5.15.165.16.0 – 5.16.7 (bez)5.17.0 – 5.17.6 (bez)5.18.0 – 5.18.3 (bez)Debian
OSDebian10.011.0Netapp E Series Santricity Unified Manager
APPNetappwszystkie wersjeNetapp E Series Santricity Web Services Proxy
APPNetappwszystkie wersjeNetapp Santricity Storage Plugin
APPNetappwszystkie wersje
CISA KEV — detailsi
- Vendori
- Apache ↗
- Producti
- ActiveMQ
- Added to KEVi
- November 2, 2023
- Remediation deadline (US Federal)i
- November 23, 2023(overdue)
- Ransomwarei
- Active ransomware campaigns exploit this vulnerability
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Apache ActiveMQ contains a deserialization of untrusted data vulnerability that may allow a remote attacker with network access to a broker to run shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.
Related vulnerabilities
GNU Inetutils telnetd: ominięcie uwierzytelnienia przez zmienną USER
Sudo: eskalacja uprawnień do root poprzez opcję --chroot (CVE-2025-32463)
RCE przez deserializację PHP w Roundcube Webmail (parametr _from)
Erlang/OTP SSH — nieuwierzytelniony RCE (CVSS 10.0)
Apple WebKit: out-of-bounds write umożliwiający ucieczkę z sandbox przeglądarki