Apache ActiveMQ affected by CVE-2025-54539

CVE-2025-54539 is a critical remote code execution (RCE) vulnerability in Apache ActiveMQ NMS AMQP Client, a .NET client library used to connect applications to AMQP message brokers like ActiveMQ. The flaw affects all versions up to and including 2.3.0 and is caused by insecure handling of untrusted serialized data during AMQP connections.

Technical Details

The vulnerability arises from deserialization of untrusted data (CWE-502) within the NMS AMQP client. When a connection is established to an untrusted or malicious AMQP server, the client may process attacker-controlled serialized payloads. This can lead to arbitrary code execution on the client system, granting an attacker control over the client environment.

Previous mitigations, such as the allow/deny deserialization list introduced in version 2.1.0, were found to be bypassable under specific conditions. The root cause is the continued reliance on .NET binary serialization, which is insecure when handling data from untrusted sources.

Impact

CVE-2025-54539 has a CVSS v3.1 base score of 9.8 (Critical), with the vector string AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, meaning:

  • Network exploitable
  • Low attack complexity
  • No privileges required
  • No user interaction needed
  • Complete compromise of confidentiality, integrity, and availability.

This makes it trivially exploitable—if a client connects to a malicious AMQP broker, arbitrary code could execute remotely, facilitating data theft or lateral movement within connected systems.

Affected Versions

  • Apache ActiveMQ NMS AMQP Client: Versions ≤ 2.3.0

Fixed Version

  • Patched in version 2.4.0, which removes or secures the binary deserialization mechanism.

Mitigation Guidance

  1. Upgrade immediately to Apache ActiveMQ NMS AMQP Client 2.4.0 or later.
  2. Avoid connecting to untrusted AMQP servers or brokers.
  3. As part of long-term mitigation, migrate away from .NET binary serialization, aligning with Microsoft’s deprecation of this feature in .NET 9.
  4. Implement communication-layer trust boundaries using mutual TLS and broker whitelisting to reduce exposure to malicious endpoints.
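As an added example (not code from this advisory or from the Apache project), the following Python script checks whether a .NET project references the affected NuGet package at a version below the fixed release; it serves the Affected Versions and Fixed Version sections above as well as step 1 of the mitigation guidance. The package id Apache.NMS.AMQP and the project-file shapes it reads (PackageReference or PackageVersion elements in .csproj and Directory.Packages.props, and package elements in packages.config) are ordinary NuGet conventions; the sample project files are constructed here, and treating every version below 2.4.0, including 2.4.0 pre-releases, as affected is a conservative choice made in this example rather than a statement from the advisory.

```python
"""Inventory check for CVE-2025-54539: find .NET projects that still
reference Apache.NMS.AMQP below the fixed 2.4.0 release."""
import xml.etree.ElementTree as ET
from pathlib import Path

PACKAGE_ID = "Apache.NMS.AMQP"      # NuGet id of the affected client library
FIXED_VERSION = (2, 4, 0, 1)        # first fixed release; last element 1 = final, 0 = pre-release


def parse_version(text):
    """Turn a NuGet version string into a comparable tuple
    (major, minor, patch, release_flag), or None if no numeric version is present.
    Handles range brackets ("[2.3.0]"), pre-release suffixes ("2.4.0-rc1") and
    build metadata ("2.4.0+abc"); pre-releases sort below the final release."""
    core = text.strip().strip("[]()")
    core = core.split(",")[0].strip()        # "[2.3.0, 3.0.0)" -> "2.3.0"
    core, _, prerelease = core.partition("-")  # split off "-rc1" style suffix
    core = core.split("+")[0]                # drop build metadata
    parts = core.split(".")
    if not all(p.isdigit() for p in parts):
        return None                          # e.g. "latest" or an open range
    nums = tuple(int(p) for p in parts)
    nums = (nums + (0, 0, 0))[:3]            # pad "2.10" -> (2, 10, 0)
    return nums + (0 if prerelease else 1,)


def is_affected(version_text):
    """True if the version is below 2.4.0 (this example's conservative reading of
    the advisory's '<= 2.3.0 affected, fixed in 2.4.0'); None if unparseable."""
    v = parse_version(version_text)
    if v is None:
        return None                          # flag for manual review
    return v < FIXED_VERSION


def find_references(xml_text):
    """Yield (package_id, version) pairs from a .csproj / Directory.Packages.props
    (PackageReference, PackageVersion) or a packages.config (package) document."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        tag = el.tag.split("}")[-1]          # ignore any default XML namespace
        if tag in ("PackageReference", "PackageVersion"):
            pid = el.get("Include") or el.get("Update")
            ver = el.get("Version")
            if ver is None:                  # Version may be a child element
                child = el.find("Version")
                ver = child.text if child is not None else None
            if pid and ver:
                yield pid, ver
        elif tag == "package":
            pid, ver = el.get("id"), el.get("version")
            if pid and ver:
                yield pid, ver


def scan_project(xml_text):
    """Return [(version, affected)] for every Apache.NMS.AMQP reference in one file."""
    return [(ver, is_affected(ver)) for pid, ver in find_references(xml_text)
            if pid.lower() == PACKAGE_ID.lower()]   # NuGet ids are case-insensitive


def scan_tree(root_dir):
    """Walk a source tree and map each project file to its Apache.NMS.AMQP findings."""
    report = {}
    for path in Path(root_dir).rglob("*"):
        name = path.name.lower()
        if path.suffix.lower() == ".csproj" or name in ("packages.config", "directory.packages.props"):
            findings = scan_project(path.read_text(encoding="utf-8-sig"))
            if findings:
                report[str(path)] = findings
    return report


# Constructed sample project files (not taken from any real repository).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Apache.NMS.AMQP" Version="2.3.0" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>"""

SAMPLE_PACKAGES_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package id="apache.nms.amqp" version="2.4.0" targetFramework="net48" />
</packages>"""

if __name__ == "__main__":
    for label, doc in (("sample.csproj", SAMPLE_CSPROJ), ("packages.config", SAMPLE_PACKAGES_CONFIG)):
        for ver, affected in scan_project(doc):
            status = {True: "AFFECTED - upgrade to 2.4.0+", False: "ok", None: "review manually"}[affected]
            print(f"{label}: Apache.NMS.AMQP {ver} -> {status}")
```

Run it against a checkout with scan_tree("path/to/repo") to get a per-file report; an unparseable version (a floating reference such as "latest" or an open range) comes back as None so it is surfaced for manual review rather than silently passed.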
