The flaw, tracked by Trend Micro's Zero Day Initiative as ZDI-25-266 (candidate ID ZDI-CAN-22235), affects the Apache ActiveMQ NMS OpenWire Client, the project's .NET client library, in versions before 2.1.1.
It arises from improper validation in the Body accessor method, which enables the deserialization of untrusted data.
This security lapse can be exploited when the client connects to a malicious or compromised server, allowing attackers to send specially crafted responses that trigger code execution within the context of the client application.
The vulnerability carries a CVSS v3 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), which is High severity rather than Critical, with full impact on confidentiality, integrity, and availability.
No authentication or user interaction is required, but attack complexity is rated High because the attacker must control, or have compromised, a server that the vulnerable client connects to.
The root cause is unrestricted deserialization: the client did not adequately restrict which classes could be instantiated when deserializing data received from an untrusted server.
Version 2.1.0 had introduced an allow/denylist mechanism intended to mitigate this, but researchers found it could be bypassed, so clients remain exposed until version 2.1.1.
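To make the root cause concrete, here is an added C# illustration of the bug class the advisory describes. It is not code from the Apache ActiveMQ NMS project and does not reproduce the actual bypass, which the advisory does not detail; the OrderEvent type, the two binders and the payload bytes are constructed here for demonstration. It contrasts handing broker-supplied bytes straight to BinaryFormatter (the peer chooses the object graph), a denylist binder that fails open, an exact-match allowlist binder that fails closed, and the preferred option of binding the body to one concrete DTO with a serializer that never resolves type names from the payload.

```csharp
// Added illustration of the bug class, not Apache ActiveMQ NMS code. OrderEvent, the
// binders and the payload bytes are constructed here; a malicious broker builds its own.
// BinaryFormatter is deprecated (SYSLIB0011) and disabled on .NET 8+ unless
// EnableUnsafeBinaryFormatterSerialization is set; it appears here only to show the pattern.
// System.Text.Json assumes .NET Core/5+ or the System.Text.Json package on .NET Framework.
using System;
using System.Collections.Generic;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;

[Serializable]
public sealed class OrderEvent
{
    public string OrderId { get; set; } = "";
    public decimal Amount { get; set; }
}

// Fails open: any type name not on the list is resolved by the formatter's default lookup,
// so every gadget chain the list does not know about still works. Returning null tells
// BinaryFormatter to fall back to its own type resolution.
sealed class DenyListBinder : SerializationBinder
{
    static readonly HashSet<string> Blocked = new HashSet<string>(StringComparer.Ordinal)
    {
        // full names of known gadget types would be listed here
    };

    public override Type BindToType(string assemblyName, string typeName)
    {
        if (Blocked.Contains(typeName))
            throw new SerializationException("blocked type: " + typeName);
        return null;
    }
}

// Fails closed: only the exact type names the application expects are materialised.
// BinaryFormatter consults the binder for every non-primitive type in the stream,
// nested members included, so the restriction covers the whole object graph.
sealed class AllowListBinder : SerializationBinder
{
    static readonly Dictionary<string, Type> Allowed =
        new Dictionary<string, Type>(StringComparer.Ordinal)
        {
            [typeof(OrderEvent).FullName] = typeof(OrderEvent),
        };

    public override Type BindToType(string assemblyName, string typeName)
    {
        if (Allowed.TryGetValue(typeName, out Type t))
            return t;
        throw new SerializationException("type not allowed: " + typeName);
    }
}

public static class BodyHandling
{
#pragma warning disable SYSLIB0011
    // Vulnerable shape: the peer picks the object graph and the client materialises it.
    public static object DeserializeUnrestricted(byte[] body)
        => new BinaryFormatter().Deserialize(new MemoryStream(body));

    public static object DeserializeWithBinder(byte[] body, SerializationBinder binder)
        => new BinaryFormatter { Binder = binder }.Deserialize(new MemoryStream(body));

    // Used only to construct sample payloads for this demonstration.
    public static byte[] Serialize(object graph)
    {
        var ms = new MemoryStream();
        new BinaryFormatter().Serialize(ms, graph);
        return ms.ToArray();
    }
#pragma warning restore SYSLIB0011

    // Preferred: never let the peer choose types. Treat the body as data and bind it to one
    // concrete DTO with a serializer that does not resolve type names from the payload.
    public static OrderEvent ParseJsonBody(string body)
        => JsonSerializer.Deserialize<OrderEvent>(body) ?? throw new FormatException("empty body");

    public static void Main()
    {
        byte[] expected = Serialize(new OrderEvent { OrderId = "A-1", Amount = 9.5m });
        // Stand-in for an attacker-chosen type: anything the application never asked for.
        byte[] unexpected = Serialize(new List<string> { "not", "an", "OrderEvent" });

        // Both calls materialise the List<string>, because nothing blocks an unlisted type.
        Console.WriteLine(DeserializeUnrestricted(unexpected).GetType());
        Console.WriteLine(DeserializeWithBinder(unexpected, new DenyListBinder()).GetType());

        // The allowlist accepts the expected DTO and throws on anything else.
        var ok = (OrderEvent)DeserializeWithBinder(expected, new AllowListBinder());
        Console.WriteLine(ok.OrderId + " " + ok.Amount);
        try { DeserializeWithBinder(unexpected, new AllowListBinder()); }
        catch (SerializationException e) { Console.WriteLine("allowlist rejected: " + e.Message); }

        // The JSON path cannot be steered to an arbitrary type by the payload at all.
        var fromJson = ParseJsonBody("{\"OrderId\":\"A-2\",\"Amount\":1.25}");
        Console.WriteLine(fromJson.OrderId + " " + fromJson.Amount);
    }
}
```

The design point is the difference in failure mode: a denylist has to enumerate every gadget an attacker might use and is only as good as its last update, whereas an exact allowlist rejects anything the application did not explicitly expect. Even the allowlist, however, still runs a general-purpose object deserializer on attacker-controlled bytes, which is why the durable fix is to stop deserializing peer-chosen type graphs altogether.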
Apache has released an update (version 2.1.1) to address the vulnerability. Users are strongly urged to upgrade immediately.
Until the upgrade is applied, clients should connect only to brokers the organization controls, and outbound broker connections should be restricted at the network level (for example, firewall allowlists for the broker hosts and ports) to limit exposure.
Failing to address this vulnerability could result in full system compromise, data theft, or service disruption.
Organizations should prioritize patching, review their server trust policies, and monitor for suspicious activity related to messaging infrastructure.
For more details and official guidance, refer to the Apache advisory.
The post Apache ActiveMQ Flaw Enables Remote Code Execution by Attackers appeared first on Cyber Security News.