{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/cpes/cpe2.3aapacheactivemq_artemis/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:apache:activemq_artemis:*:*:*:*:*:*:*:*","cpe:2.3:a:apache:artemis:2.50.0:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-27446"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Opcenter RDnL","ActiveMQ Artemis"],"_cs_severities":["high"],"_cs_tags":["cve","vulnerability","siemens","activemq"],"_cs_type":"advisory","_cs_vendors":["Siemens","Apache"],"content_html":"\u003cp\u003eSiemens Opcenter RDnL is affected by a missing authentication vulnerability (CVE-2026-27446) within the ActiveMQ Artemis component. This vulnerability allows an unauthenticated attacker within the adjacent network to exploit the Core protocol. By doing so, the attacker can force a targeted broker to establish an outbound Core federation connection to a malicious, attacker-controlled broker. This could result in availability impacts due to disruption of service and potentially message injection into queues via the rogue broker, leading to data integrity issues within the Opcenter RDnL environment. The advisory recommends updating to Apache Artemis version 2.52.0 or later to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Siemens Opcenter RDnL instance with exposed ActiveMQ Artemis.\u003c/li\u003e\n\u003cli\u003eAttacker establishes a network connection to the targeted ActiveMQ Artemis broker using the Core protocol.\u003c/li\u003e\n\u003cli\u003eAttacker sends a crafted Core protocol message to the target broker.\u003c/li\u003e\n\u003cli\u003eThe crafted message forces the target broker to initiate an outbound Core federation connection to the attacker\u0026rsquo;s rogue broker.\u003c/li\u003e\n\u003cli\u003eThe target broker establishes a connection to the attacker-controlled rogue broker.\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious messages into queues managed by the rogue broker.\u003c/li\u003e\n\u003cli\u003eThe rogue broker forwards the injected messages into the target Opcenter RDnL system via the established federation.\u003c/li\u003e\n\u003cli\u003eThe injected messages compromise data integrity and potentially disrupt operations, leading to availability impacts.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-27446 can lead to message injection and exfiltration, potentially impacting the availability and integrity of Siemens Opcenter RDnL. Given the deployment of Opcenter RDnL in critical manufacturing sectors worldwide, a successful attack could disrupt production processes, compromise product quality, and result in significant financial losses. The vulnerability is rated with a CVSS v3 score of 7.1, indicating a high severity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the vendor-provided fix by upgrading to Apache Artemis version 2.52.0 or later, as recommended in the advisory to remediate CVE-2026-27446.\u003c/li\u003e\n\u003cli\u003eImplement a Core interceptor to deny all Core downstream federation connect packets, specifically packets with a type of (int) -16 or (byte) 0xfffffff0, as suggested in the advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Outbound Core Protocol Connection\u0026rdquo; to identify potential exploitation attempts of CVE-2026-27446 by monitoring for outbound connections using the Core protocol.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T15:03:31Z","date_published":"2026-05-14T15:03:31Z","id":"https://feed.craftedsignal.io/briefs/2026-05-siemens-opcenter-rce/","summary":"Siemens Opcenter RDnL is vulnerable to missing authentication in critical function (CVE-2026-27446), where an unauthenticated attacker can use the Core protocol to force a target broker to establish an outbound Core federation connection to an attacker-controlled rogue broker, potentially leading to availability impacts and message injection.","title":"Siemens Opcenter RDnL Missing Authentication Vulnerability (CVE-2026-27446)","url":"https://feed.craftedsignal.io/briefs/2026-05-siemens-opcenter-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Cpe:2.3:a:apache:activemq_artemis:*:*:*:*:*:*:*:*","version":"https://jsonfeed.org/version/1.1"}