Cve-2025-54539 — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/cve-2025-54539/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 27 May 2026 19:03:21 +0000Critical Deserialization Vulnerability in Apache ActiveMQ NMS AMQP Client (CVE-2025-54539)https://feed.craftedsignal.io/briefs/2026-05-activemq-deserialization/Wed, 27 May 2026 19:03:21 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-activemq-deserialization/A critical deserialization of untrusted data vulnerability (CVE-2025-54539) exists in Apache ActiveMQ NMS AMQP Client <= v2.3.0, where an attacker controlling or impersonating an AMQP broker can send malicious serialized data that the client deserializes unsafely, allowing arbitrary code execution on the client system.Apache ActiveMQ NMS AMQP Client, a .NET messaging library, is vulnerable to a critical deserialization of untrusted data vulnerability (CVE-2025-54539). An attacker controlling or impersonating an AMQP broker can send maliciously crafted serialized data to the client. The Apache ActiveMQ NMS AMQP Client deserializes this data unsafely, leading to arbitrary code execution on the client system. This vulnerability affects all NMS AMQP releases up to and including version 2.3.0. A proof-of-concept exploit is publicly available, increasing the risk of exploitation. Successful exploitation can lead to full compromise of confidentiality, integrity, and availability of the client system. It is fixed in version 2.4.0.

Attack Chain

  1. The attacker gains control of, or impersonates, an AMQP broker.
  2. The .NET application using the vulnerable Apache ActiveMQ NMS AMQP Client initiates a connection to the malicious or compromised AMQP broker.
  3. The attacker sends a malicious AMQP message containing a crafted serialized object to the client.
  4. The client receives the malicious AMQP message from the broker.
  5. The Apache ActiveMQ NMS AMQP Client attempts to deserialize the received data using .NET binary deserialization.
  6. Due to insufficient validation, the malicious serialized object triggers the instantiation of arbitrary classes and execution of associated code paths during deserialization.
  7. The attacker achieves remote code execution (RCE) in the context of the client process.
  8. The attacker gains full control over the compromised system, enabling activities such as data exfiltration, malware installation, or further lateral movement.

Impact

Successful exploitation of CVE-2025-54539 allows a remote attacker to execute arbitrary code on a vulnerable system running the Apache ActiveMQ NMS AMQP Client. This can lead to a complete compromise of the affected system, including loss of confidentiality, integrity, and availability. Given the messaging library’s role, a successful attack could disrupt critical business processes relying on AMQP communication. Due to the availability of a public PoC, the risk of exploitation is elevated.

Recommendation

  • Upgrade to Apache ActiveMQ NMS AMQP Client version 2.4.0 or later to patch CVE-2025-54539.
  • Monitor network traffic for connections to unusual or suspicious AMQP brokers, and implement network segmentation to restrict connections to trusted brokers only.
  • Implement application whitelisting to prevent execution of unauthorized binaries, limiting the impact of potential RCE.
  • Enable process monitoring and logging to detect suspicious process creation events that may indicate successful exploitation of CVE-2025-54539.
  • As a long-term hardening strategy, migrate away from .NET binary serialization, as recommended by Apache.
  • Deploy the Sigma rule “Detect Suspicious ActiveMQ NMS AMQP Client Deserialization” to your SIEM and tune for your environment.
]]>criticalthreatdeserializationrceactivemqcve-2025-54539windows