CVE-2025-66168
Published: 04 March 2026
Summary
CVE-2025-66168 is a medium-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Apache ActiveMQ. Its CVSS v3.1 base score is 5.4 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 15.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
MITRE ATT&CK Enterprise Techniques (AI-generated mapping)
Why these techniques?
An integer overflow in the network-exposed MQTT transport lets an already-authenticated remote client trigger unexpected behaviour in the broker service, which maps to T1190 (Exploit Public-Facing Application).
NVD Description
WARNING: Users of 6.x should upgrade to 6.2.4 or later as the fix was missed in previous 6.x releases. See the following for more details: https://activemq.apache.org/security-advisories.data/CVE-2026-40046-announcement.txt https://www.cve.org/CVERecord?id=CVE-2026-40046
Original Report: Apache ActiveMQ does not properly validate the remaining length field which may lead to an overflow during the decoding of malformed packets. When this integer overflow occurs, ActiveMQ may incorrectly compute the total Remaining Length and subsequently misinterpret the payload as multiple MQTT control packets which makes the broker susceptible to unexpected behavior when interacting with non-compliant clients. This behavior violates the MQTT v3.1.1 specification, which restricts Remaining Length to a maximum of 4 bytes. The scenario occurs on established connections after the authentication process. Brokers that are not enabling mqtt transport connectors are not impacted. This issue affects Apache ActiveMQ: before 5.19.2, 6.0.0 to 6.1.8, and 6.2.0. Users are recommended to upgrade to version 5.19.2, 6.1.9, or 6.2.1, which fixes the issue.
Deeper analysis (AI-generated)
CVE-2025-66168 is an integer overflow vulnerability (CWE-190) in Apache ActiveMQ's MQTT protocol handling, caused by missing validation of the Remaining Length field while decoding malformed packets. The MQTT v3.1.1 specification limits the Remaining Length encoding to 4 bytes; when a longer encoding is accepted, the decoder's integer arithmetic overflows, the broker computes a wrong total Remaining Length, and it then misinterprets the bytes that follow as additional MQTT control packets. The issue affects Apache ActiveMQ versions before 5.19.2, 6.0.0 to 6.1.8, and 6.2.0. It can only be triggered on an established connection after authentication, and only brokers with an MQTT transport connector enabled are affected.
The CVSS v3.1 vector describes an attacker who already holds valid broker credentials (PR:L), reaches the MQTT connector over the network (AV:N), and needs neither special conditions (AC:L) nor user interaction (UI:N). After authenticating as a client, the attacker sends a packet whose Remaining Length is encoded in more than 4 bytes; the resulting overflow leaves the broker processing the non-compliant payload as unexpected control packets. The rated impact is limited loss of confidentiality and integrity with no availability impact (C:L/I:L/A:N), giving a base score of 5.4.
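The decoding failure described above, as an added example that is not ActiveMQ's code: a Remaining Length decoder that keeps consuming continuation bytes past the 4-byte limit, with its arithmetic wrapped to a 32-bit signed integer (an assumption about the bug class, not a statement about ActiveMQ's implementation), beside a spec-compliant decoder that rejects the fifth byte. The byte streams are constructed for the example; the malformed one carries a 5-byte Remaining Length whose true value is 2^32, which wraps to 0, so the bytes after the header are framed as two further control packets instead of being rejected.

```python
"""Added example (not ActiveMQ's code): MQTT v3.1.1 Remaining Length decoding,
uncapped-and-wrapping versus spec-compliant, and the effect on packet framing."""

MAX_REMAINING_LENGTH_BYTES = 4  # MQTT v3.1.1 section 2.2.3: at most 4 bytes
INT32_MAX = 2**31 - 1


def to_int32(v):
    """Wrap a Python int into the range of a 32-bit signed int (a Java/C 'int').
    Assumption: the vulnerable arithmetic behaves like 32-bit signed wraparound."""
    v &= 0xFFFFFFFF
    return v - 2**32 if v > INT32_MAX else v


def decode_remaining_length_unchecked(buf, offset):
    """Variable-length decode with no byte-count cap and wrapping 32-bit math.
    Returns (length, index of the first byte after the field)."""
    value, multiplier = 0, 1
    while True:
        b = buf[offset]
        offset += 1
        value = to_int32(value + (b & 0x7F) * multiplier)  # wraps on the 5th byte
        multiplier = to_int32(multiplier * 128)
        if not b & 0x80:  # continuation bit clear: the field ends here
            return value, offset


def decode_remaining_length_checked(buf, offset):
    """Spec-compliant decode: refuses a fifth byte instead of continuing."""
    value, multiplier = 0, 1
    for i in range(MAX_REMAINING_LENGTH_BYTES):
        b = buf[offset + i]
        value += (b & 0x7F) * multiplier
        multiplier *= 128
        if not b & 0x80:
            return value, offset + i + 1
    raise ValueError("malformed Remaining Length: exceeds 4 bytes")


def split_packets(stream, decode):
    """Frame a byte stream into (control packet type, body) pairs using `decode`.
    The bounds check below is what a broker would do with the decoded length;
    it cannot help once the length has already wrapped to a small value."""
    packets, offset = [], 0
    while offset < len(stream):
        packet_type = stream[offset] >> 4
        length, body_start = decode(stream, offset + 1)
        if length < 0 or body_start + length > len(stream):
            raise ValueError("Remaining Length does not fit the buffer")
        packets.append((packet_type, bytes(stream[body_start:body_start + length])))
        offset = body_start + length
    return packets


# Constructed well-formed PUBLISH: Remaining Length 5, topic "a", payload "hi".
WELL_FORMED_STREAM = bytes([0x30, 0x05, 0x00, 0x01, 0x61, 0x68, 0x69])

# Constructed malformed stream from an already-authenticated client: a PUBLISH
# whose Remaining Length uses 5 bytes. True value = 16 * 128**4 = 2**32, which
# wraps to 0 in a 32-bit int, so the trailing bytes get framed as PINGREQ and
# DISCONNECT control packets.
MALFORMED_STREAM = bytes([
    0x30,                          # PUBLISH (type 3), flags 0
    0x80, 0x80, 0x80, 0x80, 0x10,  # 5-byte Remaining Length (spec maximum is 4)
    0xC0, 0x00,                    # framed as PINGREQ (type 12), length 0
    0xE0, 0x00,                    # framed as DISCONNECT (type 14), length 0
])


def frame_with_both_decoders(stream):
    """Return (unchecked framing, checked framing); the checked entry is the
    error message when the spec-compliant decoder rejects the stream."""
    unchecked = split_packets(stream, decode_remaining_length_unchecked)
    try:
        checked = split_packets(stream, decode_remaining_length_checked)
    except ValueError as exc:
        checked = str(exc)
    return unchecked, checked


if __name__ == "__main__":
    for name, stream in (("well-formed", WELL_FORMED_STREAM), ("malformed", MALFORMED_STREAM)):
        print(name, frame_with_both_decoders(stream))
```

With the unchecked decoder the malformed stream yields three packets (PUBLISH, PINGREQ, DISCONNECT); the checked decoder raises on the fifth length byte and nothing after the header is ever interpreted. The same wrap that produces 0 here produces a negative length for a fifth byte of 0x08, which is why the checked decoder caps the byte count rather than trying to validate the computed value afterwards.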
The Apache ActiveMQ security advisory recommends upgrading to 5.19.2, 6.1.9, or 6.2.1. The warning in the NVD description adds that 6.x users should upgrade to 6.2.4 or later because the fix was missed in earlier 6.x releases, so 6.x deployments should target 6.2.4 rather than 6.1.9 or 6.2.1. Brokers without an MQTT transport connector are not affected. Further details are in the official announcement at https://activemq.apache.org/security-advisories.data/CVE-2026-40046-announcement.txt and the related record at https://www.cve.org/CVERecord?id=CVE-2026-40046.
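An offline scoping check, added here and not part of the advisory or of ActiveMQ, that applies the two conditions the advisory states: an enabled mqtt transport connector in activemq.xml and an affected version. The sample configurations are constructed (the transportConnector element and the mqtt:// uri schemes follow ActiveMQ's configuration format; hosts and ports are made up), and the version rule treats every 6.x release before 6.2.4 as needing the upgrade, following the WARNING in the description.

```python
"""Added example (not ActiveMQ code): is this broker in scope for CVE-2025-66168?"""
import re
import xml.etree.ElementTree as ET

# Constructed sample of a broker's activemq.xml: one non-MQTT connector and two
# MQTT connectors (plain and TLS). Hosts and ports are made up.
SAMPLE_ACTIVEMQ_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost">
    <transportConnectors>
      <transportConnector name="openwire" uri="tcp://0.0.0.0:61616?maximumConnections=1000"/>
      <transportConnector name="mqtt" uri="mqtt://0.0.0.0:1883?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
      <transportConnector name="mqtt+ssl" uri="mqtt+ssl://0.0.0.0:8883"/>
    </transportConnectors>
  </broker>
</beans>"""

# Same layout with the MQTT connectors removed (constructed).
SAMPLE_NO_MQTT_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost">
    <transportConnectors>
      <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>
    </transportConnectors>
  </broker>
</beans>"""


def parse_version(text):
    """'5.18.3' or '6.1.9-SNAPSHOT' -> (5, 18, 3) / (6, 1, 9)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[-.].*)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised ActiveMQ version: {text!r}")
    return tuple(int(part) for part in m.groups())


def version_needs_upgrade(version):
    """Affected ranges from the advisory: before 5.19.2, and every 6.x release
    before 6.2.4 (the WARNING says the fix was missed in earlier 6.x releases)."""
    return version < (5, 19, 2) or (6, 0, 0) <= version < (6, 2, 4)


def mqtt_connectors(xml_text):
    """Return (name, uri) for each transportConnector whose uri scheme is an MQTT
    transport (mqtt, mqtt+nio, mqtt+ssl, mqtt+nio+ssl), ignoring XML namespaces."""
    found = []
    for element in ET.fromstring(xml_text).iter():
        if element.tag.rsplit("}", 1)[-1] != "transportConnector":
            continue
        uri = element.get("uri", "")
        if uri.split("://", 1)[0].startswith("mqtt"):
            found.append((element.get("name"), uri))
    return found


def assess(version_text, xml_text):
    """The broker is in scope only when both advisory conditions hold."""
    connectors = mqtt_connectors(xml_text)
    needs_upgrade = version_needs_upgrade(parse_version(version_text))
    return {
        "version_needs_upgrade": needs_upgrade,
        "mqtt_connectors": [name for name, _ in connectors],
        "in_scope": needs_upgrade and bool(connectors),
    }


if __name__ == "__main__":
    for version in ("5.18.3", "5.19.2", "6.1.9", "6.2.4"):
        print(version, assess(version, SAMPLE_ACTIVEMQ_XML))
    print("6.1.8 without MQTT:", assess("6.1.8", SAMPLE_NO_MQTT_XML))
```

Run it against the broker's real activemq.xml and the version string from the ActiveMQ distribution; a broker on 6.1.9 with an mqtt connector is reported as still needing the upgrade, which is the point the WARNING makes.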
Details
- CWE(s)