Awareness Lessons
3 days ago
13-Year-Old Apache ActiveMQ Vulnerability Exploited via Default Credentials
A critical remote code execution vulnerability in Apache ActiveMQ Classic went undetected for 13 years before being actively exploited in the wild. The flaw affects the Jolokia API. Although it requires authentication, many organizations left default credentials in place, making exploitation trivial for attackers. This incident demonstrates how a legacy vulnerability combined with poor credential management can create a devastating attack vector. CISA's addition of the flaw to its Known Exploited Vulnerabilities catalog underscores the urgency of addressing both the technical flaw and the underlying security hygiene issues.
Tactical Insight
Immediate actions
- Update Apache ActiveMQ Classic to the latest patched version immediately
- Change all default credentials on ActiveMQ instances to strong, unique passwords
- Scan for and inventory all ActiveMQ deployments across the organization
Long-term improvements
- Implement automated vulnerability scanning that includes legacy software components
- Establish mandatory default credential replacement procedures for all new deployments
- Create network segmentation to isolate message broker services from public internet access
Detection measures
- Monitor authentication attempts and API calls to Jolokia endpoints
- Set up alerts for unusual process execution or network connections from ActiveMQ servers
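The detection measures above can be turned into a concrete triage rule over the broker's HTTP request log. The following is an added example, not code from the page or from the ActiveMQ project. It assumes that the web container hosting the console and Jolokia writes NCSA-style request log lines (the format Jetty's request log uses), that the Jolokia API is served under /api/jolokia, and that a hypothetical administrative network (10.0.0.0/24) is the only place monitoring calls should come from. The sample log lines are constructed for the example. It flags bursts of failed authentication against Jolokia, a successful Jolokia request from a source that was just failing (the pattern a default-credential guess leaves behind), requests from outside the admin network, Jolokia "exec"/"write" operations, and POST requests whose Jolokia operation is carried in the body and therefore cannot be classified from the access log alone.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# NCSA/combined-style request log line, as written by Jetty, which hosts the
# ActiveMQ Classic web console and the Jolokia API.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
JOLOKIA_PREFIX = "/api/jolokia"

# Jolokia GET URLs encode the operation as the first path segment after the
# endpoint: read/list/search/version are routine monitoring, exec/write are not.
RISKY_OPS = {"exec", "write"}

# Constructed sample log (not real traffic): routine monitoring from the admin
# network, then three failures followed by a success from an outside address.
SAMPLE_LOG = """\
10.0.0.5 - admin [12/Jan/2024:10:15:02 +0000] "GET /api/jolokia/read/org.apache.activemq:type=Broker,brokerName=localhost/TotalMessageCount HTTP/1.1" 200 312
10.0.0.5 - admin [12/Jan/2024:10:15:09 +0000] "GET /api/jolokia/version HTTP/1.1" 200 201
198.51.100.23 - - [12/Jan/2024:10:16:00 +0000] "GET /api/jolokia/version HTTP/1.1" 401 0
198.51.100.23 - - [12/Jan/2024:10:16:03 +0000] "GET /api/jolokia/version HTTP/1.1" 401 0
198.51.100.23 - - [12/Jan/2024:10:16:07 +0000] "GET /api/jolokia/version HTTP/1.1" 401 0
198.51.100.23 - admin [12/Jan/2024:10:16:41 +0000] "GET /api/jolokia/version HTTP/1.1" 200 201
198.51.100.23 - admin [12/Jan/2024:10:16:55 +0000] "POST /api/jolokia/ HTTP/1.1" 200 544
10.0.0.5 - admin [12/Jan/2024:10:20:00 +0000] "GET /api/jolokia/exec/org.apache.activemq:type=Broker,brokerName=localhost/gc HTTP/1.1" 200 145
"""


def parse_line(line):
    """Parse one request log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def jolokia_op(path):
    """Return the Jolokia operation segment of a GET-style URL ('' for POST root)."""
    tail = path.split(JOLOKIA_PREFIX, 1)[1].strip("/")
    return tail.split("/", 1)[0].split("?")[0].lower() if tail else ""


def analyze(lines, admin_nets=("10.0.0.",), fail_threshold=3,
            window=timedelta(minutes=5)):
    """Return a list of (alert_kind, source_ip, timestamp) tuples."""
    alerts = []
    failures = defaultdict(list)  # source -> recent 401/403 timestamps on Jolokia
    for line in lines:
        rec = parse_line(line)
        if rec is None or JOLOKIA_PREFIX not in rec["path"]:
            continue
        src, ts, status = rec["src"], rec["ts"], rec["status"]
        if status in (401, 403):
            # Keep only failures inside the sliding window, alert once per burst.
            failures[src] = [t for t in failures[src] if ts - t <= window] + [ts]
            if len(failures[src]) == fail_threshold:
                alerts.append(("auth_burst", src, ts))
            continue
        # Everything below got past authentication.
        if not src.startswith(admin_nets):
            alerts.append(("non_admin_source", src, ts))
        if rec["method"] == "POST":
            # Operation lives in the JSON body; classify it at a proxy or WAF.
            alerts.append(("opaque_post", src, ts))
        elif jolokia_op(rec["path"]) in RISKY_OPS:
            alerts.append(("risky_op", src, ts))
        if failures[src] and ts - failures[src][-1] <= window:
            # A working credential right after repeated failures from the same
            # source is the footprint of a guessed default password.
            alerts.append(("success_after_failures", src, ts))
    return alerts


if __name__ == "__main__":
    for kind, src, ts in analyze(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} {src:16} {kind}")
```

Run against the constructed sample, the rule raises seven alerts: one authentication burst from 198.51.100.23, two "success after failures" hits for the same address, two "non-admin source" hits, one opaque POST, and one "exec" operation from the admin network (a broker GC call, still worth a look because exec is the operation class the vulnerability lives in). In production, feed the broker's real request log, tune the admin network list and thresholds to your environment, and treat the POST alert as a prompt to log or inspect Jolokia request bodies upstream of the broker rather than as a verdict on its own.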