CRITICAL🚩 CISA KEV⚡ EXPLOIT✓ PATCH🇵🇱 Wersja polska

CVE-2023-46604

CVSS 10.0v3.1pub. 2023-10-27upd. 2025-11-04

The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
  • Apache Activemq

    APP
    Apache
    < 5.15.165.16.0 – 5.16.7 (bez)5.17.0 – 5.17.6 (bez)5.18.0 – 5.18.3 (bez)
  • Apache Activemq Legacy Openwire Module

    APP
    Apache
    < 5.15.165.16.0 – 5.16.7 (bez)5.17.0 – 5.17.6 (bez)5.18.0 – 5.18.3 (bez)
  • Debian

    OS
    Debian
    10.011.0
  • Netapp E Series Santricity Unified Manager

    APP
    Netapp
    wszystkie wersje
  • Netapp E Series Santricity Web Services Proxy

    APP
    Netapp
    wszystkie wersje
  • Netapp Santricity Storage Plugin

    APP
    Netapp
    wszystkie wersje

CISA KEV — detailsi

Vendori
Apache
Producti
ActiveMQ
Added to KEVi
November 2, 2023
Remediation deadline (US Federal)i
November 23, 2023(overdue)
Ransomwarei
Active ransomware campaigns exploit this vulnerability
Required action (CISA)i

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CISA descriptioni

Apache ActiveMQ contains a deserialization of untrusted data vulnerability that may allow a remote attacker with network access to a broker to run shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
☠️WYKORZYSTYWANE W RANSOMWARECISA DEADLINE: 23 listopada 2023
Tags
Deserialization
CWE
References

Related vulnerabilities

CVE-2026-24061CRITICAL9.8⚠ KEVPL ✓ten sam produkt

GNU Inetutils telnetd: ominięcie uwierzytelnienia przez zmienną USER

CVE-2025-32463CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Sudo: eskalacja uprawnień do root poprzez opcję --chroot (CVE-2025-32463)

CVE-2025-49113CRITICAL9.9⚠ KEVPL ✓ten sam produkt

RCE przez deserializację PHP w Roundcube Webmail (parametr _from)

CVE-2025-32433CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Erlang/OTP SSH — nieuwierzytelniony RCE (CVSS 10.0)

CVE-2025-24201CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Apple WebKit: out-of-bounds write umożliwiający ucieczkę z sandbox przeglądarki