Apache ActiveMQ Vulnerability Allows Remote Attackers to Execute Arbitrary Code

A critical security vulnerability (CVE-2025-29953) in Apache ActiveMQ’s NMS OpenWire Client has been disclosed, enabling remote attackers to execute arbitrary code on vulnerable systems.

The flaw, rooted in unsafe deserialization of untrusted data, affects versions prior to 2.1.1 and poses significant risks to organizations using the messaging broker for application communication.

Apache ActiveMQ Vulnerability

The vulnerability stems from the client’s handling of serialized data when connecting to untrusted servers.

Attackers can craft malicious payloads to exploit the OpenWire protocol, leading to deserialization of harmful data and subsequent arbitrary code execution on the client side.

This flaw, classified under CWE-502 (Deserialization of Untrusted Data), earned a critical CVSS score of 9.8 due to its low attack complexity and high impact on confidentiality, integrity, and availability, reads the advisory.

While Apache introduced an allow/denylist feature in version 2.1.0 to restrict deserialization, researchers found it could be bypassed, leaving systems unprotected.

The .NET team has also deprecated binary serialization (used by ActiveMQ’s NMS client) starting with .NET 9, urging developers to migrate away from this method.

Mitigations

Apache released version 2.1.1 to address the issue, and users are strongly advised to upgrade immediately. For those unable to patch promptly, temporary workarounds include:

• Restricting client connections to trusted servers.
• Implementing network-level security controls, such as firewalls and intrusion detection systems.

This vulnerability highlights the persistent risks of deserialization flaws in distributed systems.

Security experts emphasize the importance of rigorous input validation and adopting zero-trust principles for messaging infrastructure.

The incident also underscores the need to phase out deprecated serialization methods, as recommended by Microsoft’s .NET team.

The vulnerability was first reported to Apache in November 2023, with a coordinated public disclosure on April 30, 2025.

Organizations using ActiveMQ should prioritize patching and review logging for signs of exploitation, such as unexpected deserialization errors or connections from unverified sources.

As messaging systems remain a high-value target for attackers, proactive updates and adherence to secure coding practices are critical to mitigating emerging threats.

Are you from the SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.