CVE-2023-46604: Apache ActiveMQ RCE Exploited in the Wild
- [01] Attackers are actively exploiting a critical RCE flaw in Apache ActiveMQ to deploy ransomware and establish persistent access.
- [02] Impacted versions include Apache ActiveMQ 5.18.x before 5.18.3, 5.17.x before 5.17.6, and 5.16.x before 5.16.7.
- [03] Organizations must immediately update Apache ActiveMQ to the latest patched versions to prevent unauthorized remote code execution.
The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability affecting Apache ActiveMQ to its Known Exploited Vulnerabilities (KEV) catalog. According to BleepingComputer, threat actors are currently leveraging this flaw to execute arbitrary code on vulnerable servers, often leading to the deployment of ransomware.
Technical Analysis of CVE-2023-46604
CVE-2023-46604 is a high-impact RCE vulnerability that resides in the OpenWire protocol implementation of Apache ActiveMQ. The flaw stems from how the BaseDataStreamMarshaller class unmarshals incoming data: a remote attacker can control the class name passed to the marshaller, causing the broker to instantiate any class available on its classpath.
When an attacker sends a specially crafted packet over the OpenWire protocol (typically on port 61616), they can force the ActiveMQ broker to execute malicious commands. Because the application does not properly validate the exception types being unmarshalled, it can be coerced into loading a remote XML configuration file that contains instructions for command execution. This TTP is particularly effective because it bypasses many traditional perimeter defenses that do not inspect serialized traffic protocols like OpenWire.
How to Detect CVE-2023-46604 Exploit Activity
To effectively monitor for signs of compromise, security teams should focus on identifying unusual network connections and process spawning from the Java executable associated with ActiveMQ. A primary IoC involves the Java process attempting to retrieve an external XML file via HTTP or HTTPS, which is then used to trigger the exploit. Defenders should analyze SIEM logs for outbound connections from ActiveMQ brokers to unknown or suspicious IP addresses.
Additionally, EDR telemetry may reveal the java.exe or java process spawning shell interpreters such as cmd.exe or /bin/sh. Monitoring for these parent-child process relationships is a high-fidelity method for detecting successful exploitation in real time. Organizations should also audit their environment for the presence of the HelloKitty or TellYouThePass ransomware strains, as both have been observed using this vulnerability for initial access and lateral movement.
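The two detection signals described above, as an added example that is not part of the original article: a rule that flags the ActiveMQ JVM spawning a shell interpreter, and a rule that flags the same JVM making outbound HTTP/HTTPS connections to addresses outside an allow list. The event schema, allow-listed networks, hostnames and IP addresses are all constructed sample data for the example, not real IoCs.

```python
"""Added example: score constructed EDR process events and network events for
the two CVE-2023-46604 exploitation signals the article describes. Event
layout, allow list and all sample values are assumptions for this example."""
import ipaddress
from dataclasses import dataclass

# Child images that, under the broker's JVM, indicate command execution.
SHELL_INTERPRETERS = {"cmd.exe", "powershell.exe", "sh", "bash", "dash"}
# Command-line substrings that identify the ActiveMQ JVM (assumed layout).
ACTIVEMQ_MARKERS = ("activemq", "org.apache.activemq")
# Constructed allow list: networks the broker may legitimately reach.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.0.0/16")]
# Ports treated as "fetching something over HTTP/HTTPS".
WEB_PORTS = {80, 443, 8080, 8443}


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent_image: str
    parent_cmdline: str
    child_image: str
    child_cmdline: str


@dataclass(frozen=True)
class NetworkEvent:
    host: str
    image: str
    cmdline: str
    dest_ip: str
    dest_port: int


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_activemq_java(image: str, cmdline: str) -> bool:
    """True when the process is a JVM whose command line references ActiveMQ."""
    if basename(image) not in ("java", "java.exe"):
        return False
    low = cmdline.lower()
    return any(marker in low for marker in ACTIVEMQ_MARKERS)


def shell_spawn_alerts(events):
    """Parent-child rule: ActiveMQ JVM -> shell interpreter."""
    return [
        (e.host, "activemq_java_spawned_shell", basename(e.child_image), e.child_cmdline)
        for e in events
        if is_activemq_java(e.parent_image, e.parent_cmdline)
        and basename(e.child_image) in SHELL_INTERPRETERS
    ]


def outbound_fetch_alerts(events):
    """Network rule: ActiveMQ JVM -> HTTP/HTTPS to an address outside the allow list."""
    alerts = []
    for e in events:
        if not is_activemq_java(e.image, e.cmdline) or e.dest_port not in WEB_PORTS:
            continue
        addr = ipaddress.ip_address(e.dest_ip)
        if any(addr in net for net in TRUSTED_NETWORKS):
            continue
        alerts.append((e.host, "activemq_java_outbound_web", e.dest_ip, e.dest_port))
    return alerts


# Constructed sample telemetry (not real hosts, commands or IoCs).
MQ_CMD = "java -Dactivemq.home=/opt/activemq org.apache.activemq.console.Main start"
SAMPLE_PROCESS_EVENTS = [
    ProcessEvent("mq-01", "/usr/bin/java", MQ_CMD, "/bin/sh", "sh -c <redacted>"),
    ProcessEvent("mq-01", "/usr/bin/java", MQ_CMD, "/usr/bin/jstat", "jstat -gc 1234"),
    ProcessEvent("web-02", "/usr/bin/java", "java -jar tomcat-embed.jar", "/bin/bash", "bash healthcheck.sh"),
    ProcessEvent("mq-03", r"C:\Program Files\Java\bin\java.exe",
                 "java.exe -cp activemq.jar org.apache.activemq.console.Main",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /c <redacted>"),
]
SAMPLE_NETWORK_EVENTS = [
    NetworkEvent("mq-01", "/usr/bin/java", MQ_CMD, "203.0.113.45", 80),     # outside allow list
    NetworkEvent("mq-01", "/usr/bin/java", MQ_CMD, "10.20.30.40", 61616),   # internal broker peer
    NetworkEvent("mq-01", "/usr/bin/java", MQ_CMD, "10.20.30.5", 443),      # trusted internal web
    NetworkEvent("web-02", "/usr/bin/java", "java -jar tomcat-embed.jar", "198.51.100.7", 443),
]

if __name__ == "__main__":
    for alert in shell_spawn_alerts(SAMPLE_PROCESS_EVENTS) + outbound_fetch_alerts(SAMPLE_NETWORK_EVENTS):
        print(alert)
```

The process rule is the higher-fidelity signal because a message broker has no routine reason to launch a shell; the network rule needs an allow list tuned to the environment, since brokers do talk to peers and internal services.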
Exploitation in the Wild and Impact
The CVSS score of 10.0 reflects the ease with which an unauthenticated attacker can gain full control over the message broker. Since Apache ActiveMQ is a widely used open-source message broker in enterprise environments, the potential attack surface is significant. Once an attacker achieves RCE, they can deploy C2 frameworks, exfiltrate sensitive data, or encrypt files. CISA’s inclusion of this flaw in the KEV catalog mandates that federal agencies prioritize the patch for the Apache ActiveMQ 5.18.2 RCE, or the relevant update for their specific branch.
Mitigation and Remediation Steps
The primary method to mitigate CVE-2023-46604 exploitation is to update the ActiveMQ broker to a version where the marshalling logic has been secured. The following versions contain the necessary fixes:
- Apache ActiveMQ 5.18.3 or later
- Apache ActiveMQ 5.17.6 or later
- Apache ActiveMQ 5.16.7 or later
- Apache ActiveMQ 5.15.16 or later
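An inventory check built on the fixed versions listed above, added here as an example that is not part of the original article: each installed version is mapped to its branch and compared against that branch's first fixed release. Branches the article does not list (for example anything outside 5.15 through 5.18) are reported as unlisted rather than guessed at, and the hostnames and version strings in the sample inventory are constructed.

```python
"""Added example: classify installed Apache ActiveMQ versions against the fixed
releases for CVE-2023-46604 listed in the article. Sample inventory is constructed."""
import re

# First fixed release per branch, exactly as listed in the article.
FIXED_BY_BRANCH = {
    (5, 18): (5, 18, 3),
    (5, 17): (5, 17, 6),
    (5, 16): (5, 16, 7),
    (5, 15): (5, 15, 16),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[-.][0-9A-Za-z.-]+)?")


def parse_version(text: str) -> tuple:
    """Parse 'major.minor.patch' (optional suffix such as '-SNAPSHOT' is ignored)."""
    m = _VERSION_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"not a recognisable ActiveMQ version: {text!r}")
    return tuple(int(part) for part in m.groups())


def assess(version_text: str) -> str:
    """Return 'vulnerable', 'patched', or 'unlisted' (branch not in the table)."""
    version = parse_version(version_text)
    fixed = FIXED_BY_BRANCH.get(version[:2])
    if fixed is None:
        return "unlisted"
    return "vulnerable" if version < fixed else "patched"


def triage(inventory):
    """Group (host, version) rows by status; unparseable versions get their own bucket."""
    result = {"vulnerable": [], "patched": [], "unlisted": [], "unparseable": []}
    for host, version_text in inventory:
        try:
            result[assess(version_text)].append(host)
        except ValueError:
            result["unparseable"].append(host)
    return result


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = [
    ("mq-01", "5.18.2"),
    ("mq-02", "5.18.3"),
    ("mq-03", "5.17.5"),
    ("mq-04", "5.16.7"),
    ("mq-05", "5.15.15"),
    ("mq-06", "6.0.0"),      # branch not listed in the article: verify separately
    ("mq-07", "unknown"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts that land in the unlisted bucket should be checked against the vendor advisory rather than assumed safe; the table deliberately encodes only the ranges stated in the text.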
For organizations unable to patch immediately, it is vital to restrict access to the OpenWire port (61616) using firewall rules or a Zero Trust architecture, so that only trusted internal IP addresses can communicate with the broker. Furthermore, implementing a MITRE ATT&CK-based detection strategy that monitors for ‘Exploit Public-Facing Application’ (T1190) can help SOC analysts identify and respond to breach attempts before full-scale encryption occurs.