Cyber Resilience

CVE-2023-46604

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked · RCE

Published: 27 October 2023
Modified: 04 November 2025
KEV Added: 02 November 2023
CVSS Score (v3.1): 10.0 · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
EPSS Score: 0.9444 (100.0th percentile)
Risk Priority: 97 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-46604 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Apache ActiveMQ. Its CVSS v3.1 base score is 10.0 (Critical).

Operationally, it sits at the 100.0th EPSS percentile, a higher predicted exploit likelihood than virtually every other scored CVE; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2023-46604 affects the Java OpenWire protocol marshaller in Apache ActiveMQ brokers and clients. The marshaller trusts the class type name carried in a serialized command and instantiates it by reflection, so an attacker can make the receiving side construct any class present on its classpath; the result is remote code execution, scored CVSS 10.0 and classified under CWE-502. Note that this is not java.io.Serializable deserialization: OpenWire is a custom marshalling format, so JDK serialization filters (ObjectInputFilter, jdk.serialFilter) do not cover this path, and only the upgraded marshaller closes it.

A remote attacker with network access to either an OpenWire broker (the OpenWire transport connector listens on 61616/tcp by default) or an OpenWire client can exploit the flaw by sending a crafted serialized command over the protocol. Successful exploitation allows execution of arbitrary shell commands on the host of the receiving JVM, and the exposure is bidirectional: a client can attack the broker it connects to, and a malicious or compromised broker can attack the clients that connect to it.
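
The network-side check a SOC would want for the traffic described above, as an added example (not code from the Apache ActiveMQ project or from this page): a parser for loose-encoded OpenWire ExceptionResponse frames that flags any frame whose Throwable class name falls outside the packages a genuine exception would come from, which is exactly the name the vulnerable marshaller would instantiate by reflection, with the message string passed to its constructor. The frame layout in the docstring, the allowlist of package prefixes, the placeholder class com.example.NotAThrowable, the 192.0.2.10 URL and the whole SAMPLE_STREAM are assumptions and constructed data, not values from the page; the encoder and parser mirror each other, so confirm the layout against a real capture before relying on the detector.

```python
"""
Detector for the command shape CVE-2023-46604 is triggered with: an OpenWire
ExceptionResponse naming a class that is not a legitimate Throwable.
Added example, not Apache ActiveMQ project code.

Assumed loose OpenWire layout (pre-negotiation encoding; verify against the marshaller):
  [u32 length][u8 type=0x1f][i32 commandId][u8 responseRequired][i32 correlationId]
  [u8 hasException][u8 hasName][u16 len][class name][u8 hasMessage][u16 len][message]
"""
import struct
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

EXCEPTION_RESPONSE = 0x1F  # OpenWire command type id for ExceptionResponse (assumption)

# Packages a genuine Throwable in an ExceptionResponse is expected to come from (assumption).
# Any other name is a class the receiver would instantiate by name: the CWE-502 primitive.
ALLOWED_CLASS_PREFIXES = ("java.", "javax.", "jakarta.", "org.apache.activemq.")


@dataclass
class ExceptionResponse:
    command_id: int
    correlation_id: int
    class_name: Optional[str]
    message: Optional[str]


def _read_string(buf: bytes, off: int) -> Tuple[Optional[str], int]:
    """Nullable string: presence byte, then big-endian u16 length and UTF-8 bytes."""
    if buf[off] == 0:
        return None, off + 1
    (n,) = struct.unpack_from(">H", buf, off + 1)
    start = off + 3
    return buf[start:start + n].decode("utf-8", errors="replace"), start + n


def _write_string(s: Optional[str]) -> bytes:
    if s is None:
        return b"\x00"
    data = s.encode("utf-8")
    return b"\x01" + struct.pack(">H", len(data)) + data


def iter_frames(stream: bytes) -> Iterator[bytes]:
    """Split a captured OpenWire byte stream on its 4-byte length prefixes."""
    off = 0
    while off + 4 <= len(stream):
        (n,) = struct.unpack_from(">I", stream, off)
        end = off + 4 + n
        if end > len(stream):
            raise ValueError(f"truncated frame at offset {off}")
        yield stream[off:end]
        off = end


def parse_exception_response(frame: bytes) -> Optional[ExceptionResponse]:
    """Decode one length-prefixed frame; None if it is some other command type."""
    body = frame[4:]
    if not body or body[0] != EXCEPTION_RESPONSE:
        return None
    if len(body) < 11:
        raise ValueError("short ExceptionResponse frame")
    command_id, _response_required, correlation_id, has_exception = struct.unpack_from(">iBiB", body, 1)
    if not has_exception:
        return ExceptionResponse(command_id, correlation_id, None, None)
    class_name, off = _read_string(body, 11)
    message, _ = _read_string(body, off)
    return ExceptionResponse(command_id, correlation_id, class_name, message)


def build_exception_response(class_name: Optional[str], message: Optional[str],
                             command_id: int = 0, correlation_id: int = 0) -> bytes:
    """Encoder used only to construct sample frames (mirrors parse_exception_response)."""
    body = struct.pack(">BiBiB", EXCEPTION_RESPONSE, command_id, 0, correlation_id, 1)
    body += _write_string(class_name) + _write_string(message)
    return struct.pack(">I", len(body)) + body


def is_suspicious(resp: Optional[ExceptionResponse]) -> bool:
    """True when the named class is outside the packages a real Throwable would come from."""
    return (resp is not None and resp.class_name is not None
            and not resp.class_name.startswith(ALLOWED_CLASS_PREFIXES))


def scan_stream(stream: bytes) -> List[Tuple[int, str]]:
    """(frame index, class name) for every frame that would drive reflective instantiation."""
    hits = []
    for idx, frame in enumerate(iter_frames(stream)):
        resp = parse_exception_response(frame)
        if is_suspicious(resp):
            hits.append((idx, resp.class_name))
    return hits


# Constructed sample traffic (not a real capture): a benign auth error, a crafted response naming
# a non-Throwable class with a URL as its constructor argument, and an unrelated command
# (type 0x0a, KeepAliveInfo, assumption) that the scanner must skip over.
SAMPLE_STREAM = (
    build_exception_response("java.lang.SecurityException", "User name or password is invalid.", 1, 1)
    + build_exception_response("com.example.NotAThrowable", "http://192.0.2.10/payload.xml")
    + struct.pack(">I", 6) + b"\x0a\x00\x00\x00\x00\x00"
)

if __name__ == "__main__":
    for idx, cls in scan_stream(SAMPLE_STREAM):
        print(f"frame {idx}: ExceptionResponse would instantiate {cls}")
```

The real fix lives in the upgraded marshaller, which refuses to instantiate a class that is not a Throwable; this detector is a compensating network control for hosts that cannot be patched yet. It will miss a class that happens to sit under an allowlisted package, so treat a hit as high-confidence and a miss as inconclusive.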

Official advisories from the Apache ActiveMQ project and downstream vendors such as Debian and NetApp direct users to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3. Because the vulnerable marshaller ships in the client library as well as the broker, patching the broker alone leaves applications that embed an older client (or the legacy OpenWire module) exposed; inventory both sides. Additional references include public exploit code and coordinated disclosure notifications that reinforce the same patching guidance.
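
A version-triage helper for the upgrade guidance above, as an added example (not Apache ActiveMQ project code): it classifies an observed broker or client version against the four fixed releases the advisory names, and can pull the version string out of the WireFormatInfo banner an OpenWire listener sends on connect. The ProviderVersion property layout the regex assumes, the 61616 default port, the fetch_banner helper and the SAMPLE_BANNER bytes are assumptions and constructed data rather than values from the page; versions outside the 5.15 to 5.18 lines are reported as unknown instead of guessed.

```python
"""
Triage observed Apache ActiveMQ versions against the CVE-2023-46604 fix releases
(5.15.16, 5.16.7, 5.17.6, 5.18.3). Added example, not Apache ActiveMQ project code.
"""
import re
import socket
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Earliest fixed release per 5.x line, taken from the advisory text.
FIXED_BY_LINE = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """First x.y.z triple in a version string such as '5.18.2' or '5.17.6-redhat-1'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def classify(text: str) -> str:
    """'vulnerable', 'patched' or 'unknown' for an observed broker/client version."""
    v = parse_version(text)
    line = v[:2]
    if line in FIXED_BY_LINE:
        return "patched" if v >= FIXED_BY_LINE[line] else "vulnerable"
    if v < (5, 15, 0):
        # Everything before the 5.15 line predates all four fixes; the only remedy is an upgrade.
        return "vulnerable"
    # 5.19+ and 6.x are not named by the advisory: do not guess, check the release notes.
    return "unknown"


# Assumption: the broker's WireFormatInfo carries a ProviderVersion string property, with a
# type byte and a 2-byte length between the key and the value. The lazy .{1,4}? spans them.
_BANNER_RE = re.compile(rb"ProviderVersion.{1,4}?(\d+\.\d+\.\d+)", re.DOTALL)


def version_from_banner(banner: bytes) -> Optional[str]:
    m = _BANNER_RE.search(banner)
    return m.group(1).decode("ascii") if m else None


def fetch_banner(host: str, port: int = 61616, timeout: float = 5.0) -> bytes:
    """Read the first bytes an OpenWire listener sends on connect (network; not used offline)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(4096)


def triage_banner(banner: bytes) -> str:
    v = version_from_banner(banner)
    return "unknown" if v is None else classify(v)


# Constructed banner fragment (not a real capture), laid out as the assumption above describes:
# [u16 len]key [u8 type=9 string][u16 len]value, for ProviderName and ProviderVersion.
SAMPLE_BANNER = (b"\x00\x0cProviderName\x09\x00\x08ActiveMQ"
                 b"\x00\x0fProviderVersion\x09\x00\x065.18.2")

if __name__ == "__main__":
    for v in ("5.15.15", "5.15.16", "5.17.6-redhat-1", "5.18.2", "5.18.3", "5.11.1", "6.0.0"):
        print(f"{v:16} {classify(v)}")
    print("banner ->", version_from_banner(SAMPLE_BANNER), triage_banner(SAMPLE_BANNER))
```

Run it against an inventory export of version strings rather than one host at a time; the banner path is for confirming what an unpatched listener actually reports, and a banner that yields no version should be treated as unknown and checked by hand, not assumed safe.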

The associated EPSS score has remained at a high level, with a current value of 0.9444 and a recorded peak of 0.9731, consistent with sustained exploitation interest following public release of proof-of-concept material.


Vulnerability details

The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue.

CWE(s)
CWE-502 (Deserialization of Untrusted Data)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

apache / activemq
before 5.15.16 · 5.16.0 to before 5.16.7 · 5.17.0 to before 5.17.6 · 5.18.0 to before 5.18.3
apache / activemq legacy openwire module
before 5.15.16 · 5.16.0 to before 5.16.7 · 5.17.0 to before 5.17.6 · 5.18.0 to before 5.18.3
debian / debian linux
10.0, 11.0
netapp / e-series santricity unified manager
all versions
netapp / e-series santricity web services proxy
all versions
netapp / santricity storage plugin
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly blocks the unsafe deserialization of attacker-supplied OpenWire class-type objects before instantiation occurs.

SI-2 Flaw Remediation (prevent)
Requires prompt application of the vendor-supplied patches (5.15.16/5.16.7/5.17.6/5.18.3) that eliminate the vulnerable marshaller.

Software and information integrity verification (prevent, detect)
Verifies integrity of ActiveMQ binaries and configuration to ensure only patched, untampered code handles OpenWire traffic.
