Security News

Cybersecurity news aggregator

HIGH Attacks DFIR Report

Apache ActiveMQ Exploit Leads to LockBit Ransomware

A critical remote code execution vulnerability (CVE-2023-46604, CVSS 10.0) in Apache ActiveMQ's Java OpenWire protocol marshaller allows attackers to execute arbitrary shell commands by manipulating serialized class types. The vulnerability affects Apache ActiveMQ versions before 5.15.16, 5.16.0 through 5.16.6, 5.17.0 through 5.17.5, and 5.18.0 through 5.18.2. The fix requires upgrading to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, as detailed in the [activemq.apache.org](https://activemq.apache.org/news/cve-2023-46604) advisory.

Key Takeaways

An audio version of this report can be found on Spotify, Apple, YouTube, Audible, & Amazon. This intrusion began in mid-February 2024 after a threat actor exploited a vulnerability (CVE-2023-46604) on an exposed Apache ActiveMQ server. The threat actor was able to perform remote code execution (RCE) by using a Java Spring class and a custom Java Spring […]

The post Apache ActiveMQ Exploit Leads to LockBit Ransomware appeared first on The DFIR Report.
