New PoC Exploit for Apache ActiveMQ Flaw Could Let Attackers Fly Under the Radar

Cyber Security

Nov 15, 2023NewsroomRansomware / Vulnerability

Cybersecurity researchers have demonstrated a new technique that exploits a critical security flaw in Apache ActiveMQ to achieve arbitrary code execution in memory.

Tracked as CVE-2023-46604 (CVSS score: 10.0), the vulnerability is a remote code execution bug that could permit a threat actor to run arbitrary shell commands.

It was patched by Apache in ActiveMQ versions 5.15.16, 5.16.7, 5.17.6, or 5.18.3 released late last month.


The vulnerability has since come under active exploitation by ransomware outfits to deploy ransomware such as HelloKitty and a strain that shares similarities with TellYouThePass as well as a remote access trojan called SparkRAT.

According to new findings from VulnCheck, threat actors weaponizing the flaw are relying on a public proof-of-concept (PoC) exploit originally disclosed on October 25, 2023.

The attacks have been found to use ClassPathXmlApplicationContext, a class that’s part of the Spring framework and available within ActiveMQ, to load a malicious XML bean configuration file over HTTP and achieve unauthenticated remote code execution on the server.


VulnCheck, which characterized the method as noisy, said it was able to engineer a better exploit that relies on the FileSystemXmlApplicationContext class and embeds a specially crafted SpEL expression in place of the “init-method” attribute to achieve the same results and even obtain a reverse shell.

“That means the threat actors could have avoided dropping their tools to disk,” VulnCheck said. “They could have just written their encryptor in Nashorn (or loaded a class/JAR into memory) and remained memory resident.”

However, it’s worth noting that doing so triggers an exception message in the activemq.log file, necessitating that the attackers also take steps to clean up the forensic trail.

“Now that we know attackers can execute stealthy attacks using CVE-2023-46604, it’s become even more important to patch your ActiveMQ servers and, ideally, remove them from the internet entirely,” Jacob Baines, chief technology officer at VulnCheck, said.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Products You May Like

Articles You May Like

Iran-Linked UNC1549 Hackers Target Middle East Aerospace & Defense Sectors
AI Models in India Will Require MeitY Approval, Government Says in Advisory: Report
Oppo F25 Pro 5G With Dimensity 7050 SoC, 67W SuperVOOC Charging Launched in India: Price, Specifications
iPhone XR, iPhone XS Max, iPhone XS Could Receive Apple’s iOS 18 Update
Xiaomi 15 Series Could Feature an In-Display Ultrasonic Fingerprint Sensor: Report

Leave a Reply

Your email address will not be published. Required fields are marked *