Threat severity: critical

Active Exploitation of Apache ActiveMQ RCE Vulnerability (CVE-2023-46604)

CVE-2023-46604 is a remote code execution vulnerability affecting Apache ActiveMQ that is actively exploited in the wild by ransomware operators, allowing remote attackers to execute arbitrary shell commands.

CVE-2023-46604 is a critical remote code execution (RCE) vulnerability affecting Apache ActiveMQ message brokers. It allows a remote attacker with network access to the ActiveMQ broker to execute arbitrary shell commands by manipulating serialized class types within the OpenWire protocol. The vulnerability affects Apache ActiveMQ versions from 5.16.0 before 5.16.7, from 5.17.0 before 5.17.6, from 5.18.0 before 5.18.3, and all versions before 5.15.16, as well as corresponding versions of the Legacy OpenWire…

Detection coverage (2 rules)

Detect Suspicious ActiveMQ OpenWire Traffic

Severity: high

Detects network connections to ActiveMQ brokers using the OpenWire protocol with unusual data patterns indicative of exploitation attempts of CVE-2023-46604.

Rule format: Sigma. Tactics: execution, initial_access. Techniques: T1059.004, T1190. Log sources: network_connection, zeek.

Detect Suspicious Process Execution from ActiveMQ

Severity: critical

Detects processes spawned by the ActiveMQ service that are uncommon or known to be malicious, indicating potential RCE exploitation.

Rule format: Sigma. Tactics: execution. Techniques: T1059.004. Log sources: process_creation, linux.
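As an added illustration of the process-creation rule above (example code written for this page, not the platform's Sigma rule): it flags shells and download tools spawned by the ActiveMQ broker's java process on Linux and reports any other unexpected child as uncommon. The parent match on "activemq" in the command line, the allowlist and the sample events are assumptions.

```python
"""Process-creation check for CVE-2023-46604 style exploitation of ActiveMQ.
Constructed example (not the platform's rule): flags shells or download
tools spawned by the ActiveMQ broker's java process on Linux."""
import re
from dataclasses import dataclass
from typing import Optional

# Parent looks like the broker: a java process whose command line names ActiveMQ (assumption).
ACTIVEMQ_PARENT = re.compile(r"(?i)activemq")
JAVA_IMAGE = re.compile(r"(^|/)java$")
# Children a message broker should never spawn (T1059.004 shells and download stages).
KNOWN_BAD = {"sh", "bash", "dash", "zsh", "curl", "wget", "nc", "python", "python3", "perl"}
# Assumed benign children; tune to the environment.
ALLOWED = {"java"}

@dataclass
class ProcEvent:
    parent_image: str
    parent_cmdline: str
    image: str
    cmdline: str

def check_event(ev: ProcEvent) -> Optional[str]:
    """Return 'critical' for a known-bad child of ActiveMQ, 'uncommon' for any
    other unexpected child, or None when the event does not involve the broker."""
    if not (JAVA_IMAGE.search(ev.parent_image) and ACTIVEMQ_PARENT.search(ev.parent_cmdline)):
        return None
    name = ev.image.rsplit("/", 1)[-1]
    if name in KNOWN_BAD:
        return "critical"
    if name in ALLOWED:
        return None
    return "uncommon"

# Constructed sample events (not real telemetry).
SAMPLE = [
    ProcEvent("/usr/bin/java", "java -jar /opt/activemq/bin/activemq.jar start", "/bin/sh", "sh -c id"),
    ProcEvent("/usr/bin/java", "java -jar /opt/activemq/bin/activemq.jar start", "/usr/bin/curl", "curl -s http://example.invalid/p"),
    ProcEvent("/usr/bin/java", "java -jar /opt/activemq/bin/activemq.jar start", "/usr/bin/uname", "uname -a"),
    ProcEvent("/usr/bin/java", "java -jar /opt/tomcat/bin/bootstrap.jar", "/bin/sh", "sh -c true"),
    ProcEvent("/usr/sbin/sshd", "sshd: user", "/bin/bash", "-bash"),
]

def scan(events):
    """Return (image, verdict) pairs for every event that the rule fires on."""
    return [(ev.image, v) for ev in events if (v := check_event(ev))]

if __name__ == "__main__":
    for image, verdict in scan(SAMPLE):
        print(f"{verdict:8} {image}")
```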
