Generic filters
Exact matches only
Search in title
Search in content
Filter by Custom Post Type
Filter by Categories

[CVSS 10] Critical Apache Vulnerability Exploited in Ransomware Attacks

Executive Summary

More than 3,000 Internet-accessible Apache ActiveMQ Servers are exposed to a critical remote code execution vulnerability that is leading to ransomware attacks. An attacker has begun actively targeting to drop ransomware. The Apache Software Foundation (ASF) disclosed the vulnerability, tracked as CVE-2023-46604, on Oct. 27. It has a CVSS score of 10 identified by the ASF.

The ASF has already issued patches to address this critical vulnerability. Organisations using Apache ActiveMQ servers are urged to apply these patches to protect their systems.

About the Vulnerability

CVE-2023-46604 is a critical remote code execution vulnerability in Apache ActiveMQ, an open-source message broker. This vulnerability allows a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol, causing the broker to instantiate any class on the classpath.

Proof-of-concept exploit code and full details of the vulnerability are publicly available, meaning that threat actors have both the means and the information to launch attacks against the vulnerability.

Researchers at Rapid7 reported observing exploit activity targeting the flaw at two customer locations, starting the same day that ASF disclosed the threat.

In both instances, the adversary attempted to deploy ransomware binaries on target systems in an effort to ransom the victim organizations

researchers from Rapid7’s managed detection and response team said in a blog post.

They described both targeted organisations as running outdated versions of Apache ActiveMQ.

The researchers attributed the malicious activity to the HelloKitty ransomware family, based on the ransom note and other attack attributes. HelloKitty ransomware has been percolating in the wild since at least 2020. Its operators have tended to favor double-extortion attacks in which they have not just encrypted the data but also stolen it as additional leverage for extracting a ransom from victims.

The HelloKitty ransomware attacks exploiting the ActiveMQ flaw seemed rather basic. In one instance, the threat actor attempted to encrypt the data over half a dozen times. This led the researchers to describe the threat actor as “clumsy” in their report.

For detailed information about the vulnerability, including affected S/W versions, fixed versions, indicators of compromise and mitigation guidance, please refer to the Rapid 7’s blog post.


To safeguard against CVE-2023-46604, the following measures are suggested:

  1. Upgrade to the most recent version of Apache ActiveMQ which contains the vulnerability fix.
  2. Conduct a network scan for potential compromise indicators, given that this vulnerability has been exploited by attackers to disseminate ransomware.
  3. Undertake continuous environmental monitoring for abnormal activities, for instance, attempts to upload remote binaries via the Windows Installer (msiexec).
  4. Apply network segmentation as a preventive measure to minimise the potential impact of an attack.
  5. Consider the utilisation of intrusion detection and prevention systems to identify and block any attacks exploiting this vulnerability.
  6. Stay informed of emerging threats and vulnerabilities by keeping abreast of updates from reputable security blogs and news sources. There are other news related to ransomware attacks here.



Cubic Lighthouse is a cybersecurity publication dedicated to demystifying security, making news actionable, providing deeper thinking about the fundamentals of security, and providing decision-makers and the community at large with the right information to make the right decisions. We will also feature more technical articles and provide personal/family security advice.

©2024 Cubic Consulting, a Smart Security Company for your Business – All Rights Reserved.