CVE-2025-54539
Published: 16 October 2025
Summary
CVE-2025-54539 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in the Apache ActiveMQ NMS AMQP client. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked in the top 22.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the deserialization vulnerability by requiring timely flaw remediation: upgrading Apache ActiveMQ NMS AMQP to version 2.4.0 or later.
- Addresses deserialization of untrusted data from malicious AMQP servers by enforcing validation of information inputs before they are processed.
- Enables detection of CVE-2025-54539 in the Apache ActiveMQ NMS AMQP client through ongoing vulnerability scanning and monitoring.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The deserialization vulnerability in the AMQP client enables remote arbitrary code execution when the client connects to a malicious server, which maps directly to Exploitation for Client Execution (T1203).
NVD Description
A Deserialization of Untrusted Data vulnerability exists in the Apache ActiveMQ NMS AMQP Client. This issue affects all versions of Apache ActiveMQ NMS AMQP up to and including 2.3.0, when establishing connections to untrusted AMQP servers. Malicious servers could exploit unbounded deserialization logic present in the client to craft responses that may lead to arbitrary code execution on the client side. Although version 2.1.0 introduced a mechanism to restrict deserialization via allow/deny lists, the protection was found to be bypassable under certain conditions. In line with Microsoft's deprecation of binary serialization in .NET 9, the project is evaluating the removal of .NET binary serialization support from the NMS API entirely in future releases.
Mitigation and Recommendations: Users are strongly encouraged to upgrade to version 2.4.0 or later, which resolves the issue. Additionally, projects depending on NMS-AMQP should migrate away from .NET binary serialization as part of a long-term hardening strategy.
Deeper analysis
CVE-2025-54539 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the Apache ActiveMQ NMS AMQP Client. It affects all versions up to and including 2.3.0, specifically when the client establishes connections to untrusted AMQP servers. The flaw stems from unbounded deserialization logic in the client, which malicious servers can exploit by crafting responses that lead to arbitrary code execution on the client side. Although version 2.1.0 introduced allow/deny lists to restrict deserialization, this protection is bypassable under certain conditions. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
An attacker controlling an untrusted AMQP server can exploit this issue against clients connecting to it. No special privileges or user interaction are required, enabling remote exploitation over the network with low complexity. Successful exploitation allows arbitrary code execution on the victim's machine, potentially leading to full compromise of the client system.
Advisories recommend upgrading to version 2.4.0 or later, which resolves the vulnerability. As a long-term hardening strategy, projects using NMS-AMQP should migrate away from .NET binary serialization, aligning with Microsoft’s deprecation of it in .NET 9; the project is evaluating its full removal from the NMS API in future releases. Details are available in the Apache announcement at https://lists.apache.org/thread/9k684j07ljrshy3hxwhj5m0xjmkz1g2n and the OSS-Security mailing list at http://www.openwall.com/lists/oss-security/2025/10/15/3.
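One way to operationalise the version check the advisories imply, as an added example that is not code from the Apache project or from this record: it parses .csproj package references and flags any version in the affected range (up to and including 2.3.0). It assumes the client is consumed as the NuGet package Apache.NMS.AMQP, which this page does not name.

```python
# Added example for this advisory (not project or NVD code): flag .csproj files that
# reference an affected Apache ActiveMQ NMS AMQP client. Assumption not stated on the
# page: the client is the NuGet package "Apache.NMS.AMQP" pulled in via <PackageReference>.
import re
import xml.etree.ElementTree as ET

PACKAGE_ID = "Apache.NMS.AMQP"   # assumed NuGet id of the client
LAST_VULNERABLE = (2, 3, 0)      # advisory: all versions <= 2.3.0 affected, fixed in 2.4.0


def parse_version(text):
    """'2.3.0' or '2.3.0-beta1' -> (2, 3, 0); None for floating/range versions."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", (text or "").strip())
    return tuple(int(p) for p in m.groups()) if m else None


def assess(version_text):
    """'vulnerable', 'fixed', or 'review' when the version cannot be resolved statically."""
    v = parse_version(version_text)
    if v is None:
        return "review"   # e.g. '2.*', '[2.0.0,)' or central package management (no Version)
    return "vulnerable" if v <= LAST_VULNERABLE else "fixed"


def scan_csproj(xml_text):
    """Return [(version, verdict)] for each reference to PACKAGE_ID in a project file."""
    findings = []
    for ref in ET.fromstring(xml_text).iter():
        # endswith() tolerates the legacy MSBuild namespace prefix on element tags
        if not ref.tag.endswith("PackageReference"):
            continue
        if ref.get("Include", "").lower() != PACKAGE_ID.lower():
            continue
        version = ref.get("Version")          # attribute form ...
        if version is None:
            child = ref.find("Version")       # ... or nested <Version> element
            version = child.text if child is not None else None
        findings.append((version, assess(version)))
    return findings


# Constructed sample project: one affected, one fixed and one unrelated reference.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>
  <PackageReference Include="Apache.NMS.AMQP" Version="2.3.0" />
  <PackageReference Include="Apache.NMS.AMQP"><Version>2.4.0</Version></PackageReference>
  <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
</ItemGroup></Project>"""

if __name__ == "__main__":
    for version, verdict in scan_csproj(SAMPLE_CSPROJ):
        print(f"{PACKAGE_ID} {version}: {verdict}")
```

A "review" verdict means the resolved version is only knowable from the lock file or restore output, so those references need a manual look rather than being treated as fixed.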
Details
- CWE(s)