Tracked as CVE-2025-54539, this deserialization of untrusted data flaw carries an important severity rating and can allow malicious AMQP servers to execute arbitrary code on vulnerable client applications.
Organizations using the affected library are urged to apply updates without delay to shore up their messaging security posture.
Researchers at Endor Labs discovered that the Apache ActiveMQ NMS AMQP Client’s deserialization logic does not sufficiently validate data received from AMQP servers.
When a client establishes a connection to an untrusted server, specially crafted responses exploit the client’s unbounded deserialization routines. In effect, a deceitful server can package malicious payloads that trigger arbitrary code on the client side upon deserialization.
Although version 2.1.0 of the client introduced an allow/deny list feature to curb unsafe types, the researchers demonstrated ways to bypass these restrictions under specific conditions, rendering that defense ineffective.
The issue arises from the reliance on .NET binary serialization, a legacy mechanism being phased out by Microsoft in the upcoming .NET 9 release.
Apache maintainers noted that they are closely monitoring the deprecation timeline and considering the complete removal of binary serialization support from the NMS API in future ActiveMQ releases. However, this timetable leaves a critical window during which numerous .NET applications remain susceptible.
ActiveMQ serves as a backbone for enterprise messaging, powering event-driven architectures, microservices communication, and IoT telemetry pipelines. Its NMS (Native Messaging Service) API provides .NET applications with AMQP connectivity to ActiveMQ brokers.
Adoption of the NMS AMQP Client extends across financial institutions, healthcare platforms, and logistics systems—any sector where reliable, high-throughput messaging is essential.
Because the vulnerability can be triggered simply by connecting to a hostile AMQP server, even hardened network perimeters offer limited protection if a client inadvertently interacts with a malicious or compromised broker.
Attackers could weaponize public AMQP endpoints, third-party message exchanges, or internal staging servers to deliver payloads, potentially taking control of downstream services and exfiltrating sensitive data.
To address CVE-2025-54539, Apache ActiveMQ contributors have released version 2.4.0 of the NMS AMQP Client, which includes a fortified deserialization module that rejects untrusted types by default and incorporates stricter validation checks.
Users are strongly encouraged to upgrade immediately. Projects that rely heavily on .NET binary serialization should begin planning a migration to safer serialization frameworks such as JSON or protocol buffers to eliminate lingering attack surfaces.
In parallel, development teams should audit AMQP connection sources and enforce allow lists at the network level to restrict clients to known, trusted brokers. Incorporating runtime monitoring and anomaly detection can further alert administrators to suspicious deserialization events.
As Apache ActiveMQ evolves beyond binary serialization, these layered defenses will be critical in maintaining robust, resilient messaging environments.
Find this Story Interesting! Follow us on Google News , LinkedIn and X to Get More Instant Updates
The post Critical Apache ActiveMQ Flaw Enables Remote Code Execution appeared first on Cyber Security News.
Ubiquiti Networks has released urgent security updates to address a series of highly critical vulnerabilities…
PERU, Ind. (WOWO) — Indiana State Police detectives are investigating a shooting that occurred late…
An empty field lies next to the Tennessee Truck Center at Ford's BlueOval City campus…
Riot Games has stepped in to squash rumors that it is using its Vanguard anti-cheat…
For Memorial Day, Dell is offering an Alienware 16X Aurora gaming laptop that's loaded with…
Forza Horizon 6 for PC and Xbox was released on May 19. This is the…
This website uses cookies.