CISA Confirms Active Exploitation of Decade-Old ActiveMQ Vulnerability
The Cybersecurity and Infrastructure Security Agency added CVE-2023-46604 to its Known Exploited Vulnerabilities catalog on April 16, 2026, confirming that attackers are actively exploiting a critical remote code execution flaw in Apache ActiveMQ that remained undetected for 13 years. The vulnerability affects the OpenWire transport protocol used by ActiveMQ message brokers, allowing unauthenticated attackers to execute arbitrary code on vulnerable systems.
Apache originally disclosed the vulnerability in October 2023, revealing that the flaw had existed since ActiveMQ version 5.15.0 was released in 2013. The vulnerability stems from improper deserialization of untrusted data in the OpenWire protocol, which processes serialized Java objects without adequate validation. When a malicious actor sends specially crafted serialized objects to an exposed ActiveMQ broker, the system deserializes the payload and executes embedded code with the privileges of the ActiveMQ process.
Security researchers initially discovered the vulnerability during routine code audits of the ActiveMQ codebase. The flaw affects the broker's ability to handle incoming connections on the default OpenWire port 61616, making it particularly dangerous for organizations that expose ActiveMQ brokers to untrusted networks. The Security Affairs analysis indicates that the vulnerability has a CVSS score of 9.8, reflecting its critical severity and ease of exploitation.
The addition to CISA's KEV catalog represents a significant escalation in the threat landscape surrounding this vulnerability. CISA only adds vulnerabilities to the KEV list when there's confirmed evidence of active exploitation in the wild, indicating that threat actors have moved beyond proof-of-concept attacks to operational campaigns targeting vulnerable ActiveMQ deployments. The agency's decision comes after multiple security vendors reported detecting exploitation attempts across various industry sectors.
Widespread Impact Across Enterprise Message Broker Deployments
The vulnerability affects all Apache ActiveMQ versions from 5.15.0 through 5.18.2, encompassing nearly a decade of releases used extensively in enterprise environments. Organizations running ActiveMQ as part of their messaging infrastructure face immediate risk, particularly those with brokers accessible from external networks or untrusted internal segments. The flaw impacts both standalone ActiveMQ installations and embedded deployments within larger application frameworks.
Enterprise environments are especially vulnerable because ActiveMQ serves as a critical component in many service-oriented architectures, enterprise service buses, and microservices deployments. Financial services, healthcare organizations, government agencies, and large corporations commonly deploy ActiveMQ to handle message queuing between distributed applications. The vulnerability's 13-year presence means that legacy systems and long-running production environments are particularly at risk, as many organizations may be running older versions that haven't received recent security updates.
Federal agencies face additional pressure due to CISA's binding operational directive requiring remediation by May 8, 2026. The three-week deadline reflects the critical nature of the vulnerability and the confirmed active exploitation. Private sector organizations, while not bound by the federal deadline, face similar risks and should prioritize patching based on their exposure profile. Organizations with internet-facing ActiveMQ brokers or those processing untrusted message content face the highest risk of exploitation.
Immediate Patching and Mitigation Steps for ActiveMQ Deployments
Organizations must immediately upgrade to patched ActiveMQ versions: 5.15.16, 5.16.7, 5.17.6, or 5.18.3. The Apache Software Foundation released these patches in October 2023, addressing the deserialization vulnerability by implementing proper input validation and restricting the types of objects that can be deserialized through the OpenWire protocol. System administrators should download the latest version from the official Apache ActiveMQ website and follow the standard upgrade procedures for their deployment architecture.
For organizations unable to immediately patch, several temporary mitigations can reduce exposure risk. Network-level controls should restrict access to ActiveMQ broker ports (typically 61616 for OpenWire) to only trusted sources. Implementing firewall rules or network segmentation can prevent external attackers from reaching vulnerable brokers. Additionally, organizations should disable the OpenWire transport if alternative protocols like STOMP or MQTT can meet their messaging requirements. The Cyber Security News report emphasizes that network isolation provides only temporary protection and cannot substitute for proper patching.
Security teams should immediately audit their ActiveMQ deployments to identify vulnerable instances and assess exposure levels. This includes reviewing network configurations, access controls, and monitoring logs for suspicious connection attempts or unusual message patterns. Organizations should also implement enhanced monitoring for ActiveMQ brokers, watching for unexpected process execution, network connections, or file system modifications that could indicate successful exploitation. Given the active exploitation confirmed by CISA, security teams should treat this vulnerability as an active incident requiring immediate response and remediation.
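As an added illustration of the audit described above (not code from the article or from the Apache project), the following script classifies a broker from two inputs the page names: its version, checked against the affected range 5.15.0 to 5.18.2 and the fixed releases 5.15.16, 5.16.7, 5.17.6 and 5.18.3, and its activemq.xml, checked for an OpenWire listener bound to every interface. The sample activemq.xml is constructed for a hypothetical broker; the URI schemes treated as OpenWire (tcp, nio, ssl, nio+ssl) are the ones ActiveMQ uses for that transport.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Affected range and per-branch fix versions as quoted in the advisory text.
FIRST_AFFECTED, LAST_AFFECTED = (5, 15, 0), (5, 18, 2)
FIXED = {(5, 15): (5, 15, 16), (5, 16): (5, 16, 7), (5, 17): (5, 17, 6), (5, 18): (5, 18, 3)}
# URI schemes ActiveMQ uses for OpenWire listeners; STOMP, MQTT and AMQP use their own schemes.
OPENWIRE_SCHEMES = {"tcp", "nio", "ssl", "nio+ssl"}


def parse_version(text: str) -> tuple:
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised ActiveMQ version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version: str) -> bool:
    """True when the version lies in the affected range and below its branch's fix release."""
    v = parse_version(version)
    if not FIRST_AFFECTED <= v <= LAST_AFFECTED:
        return False
    return v < FIXED[v[:2]]


def openwire_listeners(activemq_xml: str) -> list:
    """List OpenWire transportConnectors and whether each binds all interfaces (0.0.0.0 / ::)."""
    root = ET.fromstring(activemq_xml)
    found = []
    for el in root.iter():  # tags carry the schema namespace, so match on the local-name suffix
        if not el.tag.endswith("transportConnector"):
            continue
        uri = urlparse(el.get("uri", ""))
        if uri.scheme.lower() not in OPENWIRE_SCHEMES:
            continue
        found.append({"name": el.get("name"), "port": uri.port,
                      "all_interfaces": uri.hostname in (None, "0.0.0.0", "::")})
    return found


def audit_broker(version: str, activemq_xml: str) -> str:
    """Rank a broker: 'patched', 'vulnerable', or 'vulnerable-exposed' (OpenWire open on every interface)."""
    if not is_vulnerable(version):
        return "patched"
    exposed = any(l["all_interfaces"] for l in openwire_listeners(activemq_xml))
    return "vulnerable-exposed" if exposed else "vulnerable"


# Constructed activemq.xml for a hypothetical broker, shaped like the stock config: OpenWire on 0.0.0.0:61616.
SAMPLE_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="sample">
    <transportConnectors>
      <transportConnector name="openwire" uri="tcp://0.0.0.0:61616?maximumConnections=1000"/>
      <transportConnector name="mqtt" uri="mqtt://127.0.0.1:1883"/>
    </transportConnectors>
  </broker>
</beans>"""

if __name__ == "__main__":
    for ver in ("5.15.15", "5.16.7", "5.18.2", "5.18.3"):
        print(ver, audit_broker(ver, SAMPLE_XML))
```

Brokers ranked "vulnerable-exposed" are the ones to take offline or firewall first, since an OpenWire listener on every interface matches the exposure the advisory warns about.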