Dangerous Apache ActiveMQ Exploit Allows Stealthy EDR Bypass

Theres no time to waste: For organizations on the fence about patching the critical bug in ActiveMQ, the new proof-of-concept exploit should push them towards action.

A fresh proof-of-concept (PoC) exploit for a critical security vulnerability in Apache ActiveMQ is making it easier than ever to achieve remote code execution (RCE) on servers running the open source message broker — avoiding notice while doing so.
The max-severity bug (CVE-2023-46604, CVSS score of 10) allows unauthenticated threat actors to run arbitrary shell commands, and it was patched by Apache late last month. Nonetheless, thousands of organizations remain vulnerable, a state of affairs that the
HelloKitty ransomware gang
and others have taken full advantage of.
While attacks have so far relied on a public PoC released shortly after the flaws disclosure, researchers at VulnCheck said this week that theyve engineered a more elegant exploit — one that cuts down on intruder noise by launching attacks from memory.
That means the threat actors could have avoided dropping their tools to disk, according to
VulnChecks post detailing the new ActiveMQ exploit
. They could have just written their encryptor in Nashorn (or loaded a class/JAR into memory) and remained memory-resident, perhaps avoiding detection from … managed [endpoint detection and response] EDR teams.
While attackers would need to delete any incriminating log messages in the activemq.log to fully cover their tracks, the VulnCheck PoC is still a significant improvement when it comes to making any attacks against the vulnerability stealthier, according to Matt Kiely, principal security researcher at Huntress.
The proof of concept from VulnCheck is a marked evolution from the previous public PoCs, which generally relied on using the shell of the exploited system to execute code, he says, adding that the Huntress team confirmed that the new technique indeed works as advertised.
Further, this specific attack is trivial to exploit if an attacker can access the vulnerable instance of ActiveMQ, he says, adding that more evolutions and improvements in exploit development are sure to come.
Thus, admins
should be patching
CVE-2023-46604 immediately, or removing the servers from the Internet. Its also important to be aware that the risk from an attack stretches well beyond ransomware, Kiely adds.
Potential results of exploitation [include] techniques like account access removal, data destruction, defacement, resource hijacking, and many others, he explains. Attackers may even elect to do nothing at all and simply wait on an exploited server to stage further attacks — something, it should be noted, that the silent VulnCheck PoC can more easily enable.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Dangerous Apache ActiveMQ Exploit Allows Stealthy EDR Bypass