CVE Database · CVE-2023-46604
CVSS v3.1
10.0
EPSS
99.65%
Published
Oct 27, 2023
Modified
Nov 4, 2025
CISA Known Exploited Vulnerability
Added: 2023-11-02 · Due: 2023-11-23
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Public PoC / Exploit (9)
All weaponized. Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.
Description
The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fix this issue.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
Weaknesses (CWE)
Affected Products (13)
References (14)