Apache ActiveMQ RCE Exploited to Deploy LockBit and Linux Malware
Attackers are exploiting Apache ActiveMQ flaw CVE-2023-46604, an unauthenticated remote code execution bug in the OpenWire protocol caused by unsafe deserialization, to gain initial access to exposed brokers. Security reporting tied the vulnerability to real-world intrusions soon after disclosure, and later incidents showed it being used to compromise both Windows- and Linux-based environments. In one campaign, the access was leveraged to deploy LockBit ransomware after attackers obtained RDP access, underscoring how a broker compromise can quickly lead to broader domain or server takeover.
Separate investigations found Linux-focused post-exploitation activity in which intruders used the same ActiveMQ weakness to install a Sliver implant and a newly identified malware family, DripDropper, which relied on an attacker-controlled Dropbox account for command-and-control and persistence actions. Researchers reported attackers modifying SSH settings to enable root access, adding persistence through cron and SSH configuration changes, and even patching the vulnerable ActiveMQ service after entry to block rival attackers and reduce the chance of discovery. Although Apache released fixes in October 2023, vulnerable and delayed-to-patch deployments have remained exposed long enough to support continued exploitation.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Report links ActiveMQ exploitation to LockBit deployment via RDP access
Cyberpress reported that exploitation of CVE-2023-46604 had been used to deploy LockBit ransomware, with attackers leveraging RDP access during the intrusion chain. This added ransomware deployment as a documented outcome of ActiveMQ compromise.
Red Canary observes Linux intrusions using CVE-2023-46604 and DripDropper
Red Canary observed attackers exploiting CVE-2023-46604 on dozens of Linux systems, deploying a newly identified malware family called DripDropper along with a Sliver implant. The intrusions also involved SSH configuration changes, cron-based persistence, and attackers patching the vulnerability after gaining access to reduce detection.
Oracle includes a fix for the ActiveMQ flaw in its products
Oracle did not ship a fix for affected products until January, extending exposure for some downstream users after Apache had already patched the issue. This delayed remediation contributed to the vulnerability remaining exploitable in the wild.
Rapid7 reports suspected in-the-wild exploitation of CVE-2023-46604
Rapid7 published research indicating suspected exploitation of CVE-2023-46604 shortly after disclosure, showing attackers were already targeting vulnerable Apache ActiveMQ servers. This marked the vulnerability's transition from disclosure to active threat activity.
Apache discloses and patches CVE-2023-46604 in ActiveMQ
Apache ActiveMQ disclosed CVE-2023-46604, an unbounded deserialization flaw in the OpenWire protocol that allows remote code execution, and released fixes for affected versions. The vulnerability was publicly documented on the oss-security mailing list.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Apache ActiveMQ Vulnerability Used To Deploy LockBit Ransomware via RDP Access
cyberpress.org
Open sourceApache ActiveMQ attackers patch critical vuln after entry
theregister.com
Open sourceSuspected Exploitation of Apache ActiveMQ CVE-2023-46604 | Rapid7 Blog
rapid7.com
Open sourceoss-security - CVE-2023-46604: Apache ActiveMQ, Apache ActiveMQ Legacy OpenWire Module: Unbounded deserialization causes ActiveMQ to be vulnerable to a remote code execution (RCE) attack
openwall.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Exploitation of Managed File Transfer and Messaging Server Vulnerabilities for Remote Code Execution and Ransomware Deployment
Threat actors continue to prioritize internet-facing infrastructure that provides high-leverage initial access, with multiple reports highlighting **active exploitation of remote code execution (RCE) paths** in widely deployed services. A DFIR case study described attackers exploiting **Apache ActiveMQ** `CVE-2023-46604` by sending a crafted OpenWire command that forced the broker to load a remote Spring XML configuration, leading to payload retrieval via `certutil`, rapid privilege escalation to **SYSTEM**, credential dumping from **LSASS**, and eventual **LockBit** ransomware deployment via **RDP** after re-entry using previously stolen privileged credentials. Separately, incident-response reporting warned of ongoing exploitation against **Managed File Transfer (MFT)** products, including Gladinet *CentreStack* (an LFI issue `CVE-2025-11371` used in an exploit chain culminating in RCE, patched as `CVE-2025-30406`) and Fortra *GoAnywhere MFT* (`CVE-2025-10035`, improper deserialization leading to RCE), with observed activity linked to a threat group associated with **Medusa** ransomware. Broader telemetry and research reinforced that edge and externally exposed services remain the primary battleground for initial access at scale. GreyNoise reported nearly **3 billion** malicious sessions against edge infrastructure in 2H 2025, with heavy targeting of enterprise VPNs (notably **Palo Alto GlobalProtect**) and continued exploitation attempts for older issues such as `CVE-2020-2034`, alongside pervasive scanning of **SSH** and remote access services. In parallel, financially motivated and cybercrime-enabling ecosystems are improving their ability to reach victims: Varonis detailed **1Campaign**, a cloaking service that helps malicious **Google Ads** evade review by serving benign pages to scanners while directing real users to phishing/crypto-drainer content, and Have I Been Squatted documented **Diesel Vortex**, a logistics-focused credential-phishing operation using dozens of domains and an exposed backend repository to support industrialized theft. These trends align with reporting that attackers are increasingly using **AI-assisted social engineering and tooling** (including deepfakes and AI-generated phishing) and with law-enforcement actions such as Interpol-backed **Operation Red Card 2.0**, which resulted in **651 arrests** and $4.3M recovered from cyber-enabled fraud activity across 16 African countries.
Mar 21, 2026
Critical RCE Vulnerability in Apache ActiveMQ NMS AMQP Client
A critical remote code execution (RCE) vulnerability, identified as CVE-2025-54539, has been discovered in the Apache ActiveMQ NMS AMQP Client. This flaw is rated with a CVSS 3.1 score of 9.8, indicating its severe impact and ease of exploitation. The vulnerability arises from the deserialization of untrusted data within the NMS AMQP Client component, which can allow attackers to execute arbitrary code on the server. Security researchers have confirmed that successful exploitation of this vulnerability could lead to full server-side code execution, potentially granting attackers complete control over affected systems. The issue specifically affects deployments using the NMS AMQP Client, a component commonly integrated into enterprise messaging infrastructures. Organizations relying on Apache ActiveMQ for message brokering are at heightened risk if they utilize the vulnerable client library. The vulnerability can be exploited remotely, requiring no prior authentication, which significantly increases the attack surface and urgency for remediation. Security advisories recommend immediate patching or mitigation to prevent exploitation in the wild. The flaw was publicly disclosed on October 16, 2025, prompting rapid response from the Apache ActiveMQ development team and the broader security community. No reports of active exploitation have been confirmed at the time of disclosure, but the critical nature of the bug has led to widespread concern among enterprise users. Technical analysis indicates that the vulnerability stems from improper handling of serialized objects received over the AMQP protocol. Attackers can craft malicious payloads that, when processed by the vulnerable client, trigger arbitrary code execution. The Apache Software Foundation has released updated versions of the NMS AMQP Client to address the issue and urges all users to upgrade immediately. Security experts highlight the importance of reviewing all systems for the presence of the affected library and applying compensating controls where patching is not immediately feasible. The vulnerability underscores the ongoing risks associated with deserialization flaws in widely used open-source components. Organizations are advised to monitor for indicators of compromise and to review their application architectures for similar risks. The incident serves as a reminder of the critical need for secure coding practices and regular vulnerability management in enterprise environments.
Mar 21, 2026
Apache ActiveMQ Jolokia Flaws Enable Zero-Credential Remote Code Execution
Active exploitation has been observed against an Apache ActiveMQ remote code execution chain involving the Jolokia management API. VulnCheck reported canary-network hits tied to `CVE-2026-34197`, which was added to CISA's Known Exploited Vulnerabilities catalog, and said attackers are also using an unauthenticated variant that chains `CVE-2024-32114` with `CVE-2026-34197` to achieve zero-credential RCE. According to the reporting, `CVE-2024-32114` removes authentication from the Jolokia endpoint in ActiveMQ versions `6.0.0` through `6.1.1`, exposing the management interface to unauthenticated abuse. Technical details published by Horizon3.ai describe the RCE path through the Jolokia API, while VulnCheck said observed payloads invoked `addNetworkConnector` through Jolokia during exploitation. One captured payload referenced a private IP address, indicating the attacker activity may have reused a lab or proof-of-concept configuration, but the exploitation itself was confirmed in the wild. The combined reporting indicates that exposed ActiveMQ instances with vulnerable Jolokia configurations face immediate risk of unauthenticated remote compromise.
Jun 1, 2026