
CVE-2025-54539

Critical · RCE

Published: 16 October 2025
Modified: 04 November 2025
KEV Added: not listed
Patch: available (version 2.4.0)
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0131 (80.2nd percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-54539 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in the Apache ActiveMQ NMS AMQP client. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Client Execution (T1203): the vulnerable component is the client library, and the attacker's position is a malicious AMQP server that the client connects to. Its EPSS score ranks it in the top 19.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation), which here means upgrading to version 2.4.0 or later, and RA-5 (Vulnerability Monitoring and Scanning), which finds the clients still running affected versions.

Deeper analysis

CVE-2025-54539 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the Apache ActiveMQ NMS AMQP Client. It affects all versions up to and including 2.3.0 whenever the client establishes a connection to an AMQP server that is not trusted. The flaw stems from unbounded deserialization logic in the client: message content received from the server is handed to .NET binary serialization, so a malicious server can craft responses whose deserialization leads to arbitrary code execution on the client side. Version 2.1.0 introduced allow/deny lists to restrict which types may be deserialized, but this protection was found to be bypassable under certain conditions, so it cannot be relied on as a mitigation. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

An attacker who controls the AMQP server a client connects to can exploit this issue against that client. No privileges on the client and no user interaction are required, so exploitation is remote, network-reachable and low-complexity once the connection is made. Successful exploitation allows arbitrary code execution on the client host, potentially leading to its full compromise; the CVSS scope is unchanged, so the impact is scored against the client system itself. Any broker the client is configured to talk to must therefore be treated as a source of untrusted input, and the exposure is greatest for clients that connect to third-party brokers or whose broker address comes from configuration an attacker could influence.

Advisories recommend upgrading to version 2.4.0 or later, which resolves the vulnerability; the 2.1.0 allow/deny lists are not a substitute for the upgrade, since they can be bypassed. As a long-term hardening strategy, projects using NMS-AMQP should migrate away from .NET binary serialization, in line with Microsoft's deprecation of it in .NET 9; the project is evaluating its full removal from the NMS API in future releases. Details are available in the Apache announcement at https://lists.apache.org/thread/9k684j07ljrshy3hxwhj5m0xjmkz1g2n and the OSS-Security mailing list at http://www.openwall.com/lists/oss-security/2025/10/15/3.
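The first practical question is which deployments still reference an affected client. The following script is an added example, not code from the advisory or from the Apache project: it audits a .NET project file and its NuGet lock file for the client package and classifies the version against the affected range stated above (≤ 2.3.0, first fixed release 2.4.0). It assumes the package is published on NuGet as Apache.NMS.AMQP; the csproj and packages.lock.json contents it scans are constructed samples.

```python
"""Audit .NET project metadata for an affected Apache ActiveMQ NMS AMQP client.

Added example; not code from the advisory or the Apache project. Assumes the
NuGet package id is Apache.NMS.AMQP and, as the advisory states, that versions
<= 2.3.0 are affected and 2.4.0 is the first fixed release. The csproj and
packages.lock.json contents at the bottom are constructed for illustration.
"""
import json
import re
import xml.etree.ElementTree as ET

PACKAGE_ID = "Apache.NMS.AMQP"   # assumed NuGet id of the NMS AMQP client
FIXED_VERSION = (2, 4, 0, 1)     # the 2.4.0 release; last field 1 = release, 0 = prerelease

# major[.minor[.patch[.revision]]][-prerelease][+build]
_VERSION_RE = re.compile(
    r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\.\d+)?(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$"
)


def parse_version(text):
    """Turn a plain NuGet version into a comparable (major, minor, patch, is_release) tuple.

    A prerelease such as 2.4.0-rc1 sorts below the 2.4.0 release and is still
    treated as unfixed. Floating versions ("2.*") and ranges ("[2.0.0,3.0.0)")
    return None: only the lock file knows what they actually resolved to.
    """
    m = _VERSION_RE.match(text.strip())
    if m is None:
        return None
    major, minor, patch, prerelease, _build = m.groups()
    return (int(major), int(minor or 0), int(patch or 0), 0 if prerelease else 1)


def is_vulnerable(version):
    """True when the version is below the 2.4.0 release (affected range <= 2.3.0)."""
    return version < FIXED_VERSION


def _local_name(tag):
    # Old-style csproj files carry an MSBuild namespace; SDK-style files do not.
    return tag.rsplit("}", 1)[-1]


def references_in_csproj(xml_text):
    """Yield (package_id, version_text) for each <PackageReference> in a project file."""
    for el in ET.fromstring(xml_text).iter():
        if _local_name(el.tag) != "PackageReference":
            continue
        name = el.get("Include") or el.get("Update")
        version = el.get("Version")
        if version is None:  # <Version> may also be given as a child element
            child = next((c for c in el if _local_name(c.tag) == "Version"), None)
            version = child.text if child is not None else None
        if name and version:
            yield name, version


def references_in_lockfile(json_text):
    """Yield (package_id, resolved_version) from packages.lock.json, transitive ones included."""
    for per_framework in json.loads(json_text).get("dependencies", {}).values():
        for name, info in per_framework.items():
            if info.get("resolved"):
                yield name, info["resolved"]


def audit(csproj_text=None, lockfile_text=None):
    """Report every reference to PACKAGE_ID as vulnerable, fixed or unresolved.

    Lock-file entries carry the resolved version and are the authoritative answer.
    A csproj version that cannot be parsed is reported as unresolved rather than
    skipped, so a floating version is never mistaken for a clean result.
    """
    sources = []
    if csproj_text:
        sources.append(("csproj", references_in_csproj(csproj_text)))
    if lockfile_text:
        sources.append(("packages.lock.json", references_in_lockfile(lockfile_text)))
    findings = []
    for source, refs in sources:
        for name, version_text in refs:
            if name.lower() != PACKAGE_ID.lower():
                continue
            version = parse_version(version_text)
            if version is None:
                status = "unresolved"
            else:
                status = "vulnerable" if is_vulnerable(version) else "fixed"
            findings.append({"source": source, "version": version_text, "status": status})
    return findings


# Constructed samples: a floating version in the project file that the lock file
# resolved to the last affected release.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Apache.NMS.AMQP" Version="2.*" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>
"""
SAMPLE_LOCK = json.dumps({
    "version": 1,
    "dependencies": {
        "net8.0": {
            "Apache.NMS.AMQP": {"type": "Direct", "requested": "[2.*, )", "resolved": "2.3.0"},
            "Newtonsoft.Json": {"type": "Direct", "requested": "[13.0.3, )", "resolved": "13.0.3"},
        }
    },
})

if __name__ == "__main__":
    for f in audit(SAMPLE_CSPROJ, SAMPLE_LOCK):
        print(f"{f['source']}: {PACKAGE_ID} {f['version']} -> {f['status']}")
```

Two design points matter for this CVE. The lock file is read as well as the project file because a floating or ranged version in the csproj says nothing about what was actually restored, and the audit must also catch the client arriving as a transitive dependency. A prerelease build of 2.4.0 is deliberately classified as unfixed, since it sorts below the 2.4.0 release; only a resolved version of 2.4.0 or later counts as remediated.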


Vulnerability details

A Deserialization of Untrusted Data vulnerability exists in the Apache ActiveMQ NMS AMQP Client. This issue affects all versions of Apache ActiveMQ NMS AMQP up to and including 2.3.0, when establishing connections to untrusted AMQP servers. Malicious servers could exploit unbounded deserialization logic present in the client to craft responses that may lead to arbitrary code execution on the client side. Although version 2.1.0 introduced a mechanism to restrict deserialization via allow/deny lists, the protection was found to be bypassable under certain conditions. In line with Microsoft's deprecation of binary serialization in .NET 9, the project is evaluating the removal of .NET binary serialization support from the NMS API entirely in future releases.

Mitigation and Recommendations: Users are strongly encouraged to upgrade to version 2.4.0 or later, which resolves the issue. Additionally, projects depending on NMS-AMQP should migrate away from .NET binary serialization as part of a long-term hardening strategy.

CWE(s)

CWE-502 Deserialization of Untrusted Data

Related Threats

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

The deserialization vulnerability in the AMQP client enables remote arbitrary code execution when connecting to malicious servers, directly facilitating Exploitation for Client Execution (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0


Affected Assets

Apache ActiveMQ NMS AMQP, all versions ≤ 2.3.0 (fixed in 2.4.0)

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Directly mitigates the deserialization vulnerability by requiring timely flaw remediation, i.e. upgrading Apache ActiveMQ NMS AMQP to version 2.4.0 or later.

SI-10 Information Input Validation (prevent): Addresses deserialization of untrusted data from malicious AMQP servers by enforcing validation of information inputs prior to processing. The client's own allow/deny list (introduced in 2.1.0) does not satisfy this control on affected versions, since it was found to be bypassable; the robust form is to stop accepting binary-serialized objects from the broker at all.

RA-5 Vulnerability Monitoring and Scanning (detect): Enables detection of CVE-2025-54539 in the Apache ActiveMQ NMS AMQP client through ongoing vulnerability scanning and monitoring of dependency manifests and lock files.

References

Apache announcement: https://lists.apache.org/thread/9k684j07ljrshy3hxwhj5m0xjmkz1g2n
OSS-Security mailing list: http://www.openwall.com/lists/oss-security/2025/10/15/3