{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/activemq-nms-amqp-client--v2.3.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:apache:activemq_nms_amqp:*:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":9.8,"id":"CVE-2025-54539"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["ActiveMQ NMS AMQP Client \u003c= v2.3.0"],"_cs_severities":["critical"],"_cs_tags":["deserialization","rce","activemq","cve-2025-54539","windows"],"_cs_type":"threat","_cs_vendors":["Apache"],"content_html":"\u003cp\u003eApache ActiveMQ NMS AMQP Client, a .NET messaging library, is affected by a critical deserialization of untrusted data vulnerability (CVE-2025-54539). An attacker controlling or impersonating an AMQP broker can send maliciously crafted serialized data to the client. The client deserializes this data unsafely, leading to arbitrary code execution on the client system. 
It is fixed in version 2.4.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains control of, or impersonates, an AMQP broker.\u003c/li\u003e\n\u003cli\u003eThe .NET application using the vulnerable Apache ActiveMQ NMS AMQP Client initiates a connection to the malicious or compromised AMQP broker.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a malicious AMQP message containing a crafted serialized object to the client.\u003c/li\u003e\n\u003cli\u003eThe client receives the malicious AMQP message from the broker.\u003c/li\u003e\n\u003cli\u003eThe Apache ActiveMQ NMS AMQP Client attempts to deserialize the received data using .NET binary deserialization.\u003c/li\u003e\n\u003cli\u003eDue to insufficient validation, the malicious serialized object triggers the instantiation of arbitrary classes and execution of associated code paths during deserialization.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves remote code execution (RCE) in the context of the client process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains full control over the compromised system, enabling activities such as data exfiltration, malware installation, or further lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-54539 allows a remote attacker to execute arbitrary code on a vulnerable system running the Apache ActiveMQ NMS AMQP Client. This can lead to a complete compromise of the affected system, including loss of confidentiality, integrity, and availability. Given the messaging library\u0026rsquo;s role, a successful attack could disrupt critical business processes relying on AMQP communication. 
Due to the availability of a public PoC, the risk of exploitation is elevated.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Apache ActiveMQ NMS AMQP Client version 2.4.0 or later to patch CVE-2025-54539.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for connections to unusual or suspicious AMQP brokers, and implement network segmentation to restrict connections to trusted brokers only.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to prevent execution of unauthorized binaries, limiting the impact of potential RCE.\u003c/li\u003e\n\u003cli\u003eEnable process monitoring and logging to detect suspicious process creation events that may indicate successful exploitation of CVE-2025-54539.\u003c/li\u003e\n\u003cli\u003eAs a long-term hardening strategy, migrate away from .NET binary serialization, as recommended by Apache.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious ActiveMQ NMS AMQP Client Deserialization\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-27T19:03:21Z","date_published":"2026-05-27T19:03:21Z","id":"https://feed.craftedsignal.io/briefs/2026-05-activemq-deserialization/","summary":"A critical deserialization of untrusted data vulnerability (CVE-2025-54539) exists in Apache ActiveMQ NMS AMQP Client \u003c= v2.3.0, where an attacker controlling or impersonating an AMQP broker can send malicious serialized data that the client deserializes unsafely, allowing arbitrary code execution on the client system.","title":"Critical Deserialization Vulnerability in Apache ActiveMQ NMS AMQP Client (CVE-2025-54539)","url":"https://feed.craftedsignal.io/briefs/2026-05-activemq-deserialization/"}],"language":"en","title":"CraftedSignal Threat Feed — ActiveMQ NMS AMQP Client \u003c= V2.3.0","version":"https://jsonfeed.org/version/1.1"}