Attackers Target Max-Severity Apache ActiveMQ Bug to Drop Ransomware

Published: 23/11/2024   Category: security




More than 3,000 systems are exposed and vulnerable to attack on the Internet.



More than 3,000 Internet-accessible Apache ActiveMQ servers are exposed to a critical remote code execution vulnerability that an attacker has begun actively targeting to drop ransomware.

The Apache Software Foundation (ASF) disclosed the vulnerability, tracked as CVE-2023-46604, on Oct. 27. The bug allows a remote attacker with access to an ActiveMQ message broker to execute arbitrary commands on affected systems. Proof-of-concept exploit code and full details of the vulnerability are publicly available, meaning that threat actors have both the means and the information to launch attacks against the vulnerability.
Researchers at Rapid7 reported observing exploit activity targeting the flaw at two customer locations, starting the same day that ASF disclosed the threat. In both instances, the adversary attempted to deploy ransomware binaries on target systems in an effort to ransom the victim organizations, researchers from Rapid7's managed detection and response team said in a blog post. They described both targeted organizations as running outdated versions of Apache ActiveMQ.
The researchers attributed the malicious activity to the HelloKitty ransomware family, based on the ransom note and other attack attributes. HelloKitty ransomware has been percolating in the wild since at least 2020. Its operators have tended to favor double-extortion attacks in which they have not just encrypted the data but also stolen it as additional leverage for extracting a ransom from victims.
The HelloKitty ransomware attacks leveraging the ActiveMQ flaw appeared somewhat rudimentary. In one of the attacks, the threat actor made more than a half dozen attempts to encrypt the data, prompting the researchers to label the threat actor as clumsy in their report.

"Exploit code for this vulnerability has been publicly available since last week, and our researchers have confirmed exploitability," says Caitlin Condon, head of threat research at Rapid7. "The threat activity Rapid7 observed looked like automated exploitation and wasn't particularly sophisticated, so we would advise that organizations patch quickly to protect against potential future exploitation."
Some 3,329 Internet-connected ActiveMQ systems are vulnerable to attack via CVE-2023-46604, according to data the ShadowServer organization released on Oct. 30.
ActiveMQ is a relatively popular open source message broker that facilitates messaging between different applications, services, and systems. The ASF describes the technology as the most popular open source, multi-protocol, Java-based message broker. Data analytics firm Enlyft has estimated that some 13,120 companies, mostly small and midsize, use ActiveMQ.

CVE-2023-46604 affects multiple versions of Apache ActiveMQ and of the Apache ActiveMQ Legacy OpenWire Module. Vulnerable versions include Apache ActiveMQ before 5.18.3 and before 5.17.6, and the Apache ActiveMQ Legacy OpenWire Module before 5.18.3 and before 5.17.6. The ASF assigned the vulnerability the maximum possible severity score of 10.0 on the CVSS scale and has released updated versions of the affected software. ASF has recommended that organizations using the technology upgrade to the fixed versions to mitigate risk.
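Turning the fixed versions named above into an inventory check is the first thing a defender does after reading an advisory like this. The script below is an added example, not Rapid7's or the ASF's code: it compares a reported ActiveMQ version string against the 5.18.3 and 5.17.6 fixes the article lists, and reports any other release branch as "unknown" rather than guessing, since the article names only those two. The host inventory at the bottom is constructed sample data.

```python
"""Check Apache ActiveMQ version strings against the fixed releases the
article names for CVE-2023-46604 (added example, not vendor code)."""
from typing import Optional, Tuple

# First fixed release per release branch, taken from the article.  Branches
# not listed here are reported as unknown: consult the ASF advisory for them.
FIXED_BY_BRANCH = {
    (5, 18): (5, 18, 3),
    (5, 17): (5, 17, 6),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '5.17.5' (or '5.17.5-SNAPSHOT') into a comparable tuple of ints."""
    core = text.strip().split("-", 1)[0]          # drop any -SNAPSHOT style suffix
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version: str) -> Optional[bool]:
    """True  -> below the fixed release of its branch (vulnerable)
    False -> at or above the fixed release
    None  -> branch not covered by the article's list (check the advisory)."""
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return None
    return v < fixed                               # tuple comparison is lexicographic


if __name__ == "__main__":
    # Constructed sample inventory: host name -> version reported by the broker
    inventory = {
        "broker-a": "5.17.5",
        "broker-b": "5.18.3",
        "broker-c": "5.16.6",
        "broker-d": "5.18.2-SNAPSHOT",
    }
    labels = {True: "VULNERABLE", False: "fixed", None: "unknown branch"}
    for host, ver in inventory.items():
        print(f"{host}: {ver} -> {labels[assess(ver)]}")
```

Feed it the version your brokers actually report (for example from the web console or the startup log) rather than the version you believe was deployed; the two organizations Rapid7 described were running outdated builds.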
CVE-2023-46604 is an insecure deserialization bug, a kind of vulnerability that occurs when an application deserializes untrusted or manipulated data without first verifying that the data is valid. Adversaries often exploit such flaws by sending a maliciously crafted object that, when deserialized, executes malicious or unauthorized code, leading to breaches and arbitrary code execution. Insecure deserialization bugs are common and have been a regular feature on OWASP's list of top 10 Web application vulnerability types for years.
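To make the bug class concrete, here is an added example in Python that is not ActiveMQ's Java OpenWire code: a receiver that hands untrusted bytes straight to `pickle` (which will instantiate or call whatever the bytes name) next to a receiver that allow-lists the single message type it expects and rejects everything else. The `Message` class, the `Probe` object and the payloads are all constructed for the demonstration; `print` stands in for any callable a crafted payload could name.

```python
"""Insecure vs. restricted deserialization (added example, Python analogue
of the bug class described in the article; not ActiveMQ's code)."""
import io
import pickle
from dataclasses import dataclass


@dataclass
class Message:
    """The only object type the receiving side legitimately expects."""
    topic: str
    body: str


class Probe:
    """Constructed object whose serialized form asks the deserializer to call
    a function on load.  Harmless here, but it shows that deserializing the
    bytes *runs code* chosen by whoever produced them."""
    def __reduce__(self):
        return (print, ("deserializer executed a callable named in the payload",))


def encode(msg: Message) -> bytes:
    """What a legitimate sender would put on the wire."""
    return pickle.dumps(msg)


def probe_payload() -> bytes:
    """What a manipulated message looks like (constructed, benign)."""
    return pickle.dumps(Probe())


def load_untrusted(data: bytes):
    """Vulnerable: pickle reconstructs whatever the bytes name, including
    arbitrary callables, before any validation can happen."""
    return pickle.loads(data)


class MessageUnpickler(pickle.Unpickler):
    """Hardened: refuse to resolve any global except the expected class."""
    ALLOWED = {(__name__, "Message")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused to load {module}.{name}")


def load_checked(data: bytes) -> Message:
    """Deserialize with the allow-list, then validate the resulting type."""
    obj = MessageUnpickler(io.BytesIO(data)).load()
    if not isinstance(obj, Message):
        raise pickle.UnpicklingError(f"unexpected type {type(obj).__name__}")
    return obj


def is_rejected(data: bytes) -> bool:
    """True if the hardened loader refuses the payload."""
    try:
        load_checked(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    good = encode(Message("orders", "hello"))
    bad = probe_payload()
    print("naive loader, legitimate message :", load_untrusted(good))
    print("naive loader, probe payload      :", load_untrusted(bad))   # side effect fires
    print("checked loader, legitimate message:", load_checked(good))
    print("checked loader, probe payload     : rejected =", is_rejected(bad))
```

The allow-list is the important part: the check has to happen while the object graph is being resolved, not after `loads()` returns, because by then the attacker-chosen code has already run. The same principle applies to Java's `ObjectInputFilter` and to any broker that instantiates classes named inside a message.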
