Cyber Resilience

CVE-2023-33246

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 24 May 2023
Modified: 23 October 2025
KEV Added: 06 September 2023
CVSS Score (v3.1): 9.8 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9439 (100.0th percentile)
Risk Priority: 96 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-33246 is a critical-severity Code Injection (CWE-94) vulnerability in Apache RocketMQ. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2023-33246 is a remote code execution vulnerability affecting Apache RocketMQ versions 5.1.0 and earlier. It stems from exposed NameServer, Broker, and Controller components that lack authentication and authorization checks, combined with an unauthenticated update configuration function and the ability to forge RocketMQ protocol messages. The flaw is classified under CWE-94 and carries a CVSS 3.1 score of 9.8.

An unauthenticated remote attacker who can reach the affected components over the network can invoke the configuration update mechanism or craft malicious protocol packets to execute arbitrary commands with the privileges of the user running RocketMQ. This grants full control over the message-broker processes and any data or systems they can access.

Apache advisories and the referenced OSS-Security disclosure recommend immediate upgrade to RocketMQ 5.1.1 or newer for the 5.x branch and 4.9.6 or newer for the 4.x branch. Public exploit code has been posted to Packet Storm, and the vulnerability appears on the oss-security mailing list.

The associated EPSS score remains persistently high, with a current value of 0.9439 and a recorded peak of 0.9736.


Vulnerability details

For RocketMQ versions 5.1.0 and below, under certain conditions, there is a risk of remote command execution. Several components of RocketMQ, including NameServer, Broker, and Controller, are leaked on the extranet and lack permission verification; an attacker can exploit this vulnerability by using the update configuration function to execute commands as the system users that RocketMQ is running as. Additionally, an attacker can achieve the same effect by forging the RocketMQ protocol content. To prevent these attacks, users are recommended to upgrade to version 5.1.1 or above for using RocketMQ 5.x or 4.9.6 or above for using RocketMQ 4.x.


Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

apache / rocketmq: ≤ 4.9.6 · 5.0.0 to 5.1.1

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement
prevent

Directly enforces authentication and authorization checks on NameServer/Broker/Controller updateConfig and protocol handlers, blocking the unauthenticated command execution path.

SC-7 Boundary Protection
prevent

Requires boundary protection devices and deny-by-default policies so that RocketMQ components are never reachable from the extranet without explicit, controlled interfaces.

AC-17 Remote Access (partial match)
prevent

Mandates authorization, encryption, and monitoring for all remote access to RocketMQ services, eliminating the open extranet exposure that enables the attack.
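A defender-side triage check for the version and exposure conditions described above, added here as an example and not part of this page or the RocketMQ project. It encodes the fix versions the advisory names (4.9.6 for the 4.x branch, 5.1.1 for the 5.x branch) and assumes an inventory that records each deployment's version and whether its NameServer/Broker/Controller components are reachable from the extranet without permission checks; the host names are constructed.

```python
from dataclasses import dataclass

# Fixed versions per branch, as named in the advisory text above.
FIXED = {4: (4, 9, 6), 5: (5, 1, 1)}


def parse_version(v: str) -> tuple:
    """'5.1.0' -> (5, 1, 0); tolerates a qualifier such as '4.9.4-SNAPSHOT'."""
    parts = [int(p) for p in v.strip().split("-")[0].split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def is_affected(version: str) -> bool:
    """True when the release predates its branch's fix (advisory: 5.1.0 and below)."""
    ver = parse_version(version)
    fixed = FIXED.get(ver[0])
    if fixed is None:
        # Assumption: branches older than 4.x never received a fix; newer ones postdate it.
        return ver[0] < 4
    return ver < fixed


@dataclass
class Deployment:
    host: str
    version: str
    internet_exposed: bool  # NameServer/Broker/Controller reachable from the extranet
    auth_enabled: bool      # permission checks enforced on those components


def triage(d: Deployment) -> str:
    """Action for one deployment: 'ok', 'patch', or 'isolate+patch'."""
    if not is_affected(d.version):
        return "ok"
    # Unauthenticated components exposed to the extranet are the exploited setup.
    if d.internet_exposed and not d.auth_enabled:
        return "isolate+patch"
    return "patch"


def prioritize(deployments):
    """Order hosts so the exposed, unauthenticated ones come first."""
    rank = {"isolate+patch": 0, "patch": 1, "ok": 2}
    return sorted(deployments, key=lambda d: rank[triage(d)])


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [
        Deployment("mq-edge-1", "5.1.0", True, False),
        Deployment("mq-core-2", "4.9.5", False, True),
        Deployment("mq-core-3", "5.1.1", True, False),
    ]
    for d in prioritize(inventory):
        print(f"{d.host:10} {d.version:6} -> {triage(d)}")
```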
