Remote Code Execution Vulnerabilities in Apache ActiveMQ and OFBiz Detected
Severity: High (Score: 63.1)
Sources: activemq.apache.org, Snort
Keywords: rule, server-webapp, docs, snort, detected, traffic, exploiting
Summary
On June 1 and 2, 2026, Snort published alerts for remote code execution attempts targeting Apache ActiveMQ and Apache OFBiz. The ActiveMQ vulnerability involves insecure deserialization, allowing attackers to execute arbitrary commands via malicious Java classes. The OFBiz vulnerability exploits an unauthenticated URI, leading to potential remote code execution. Both vulnerabilities are categorized as high severity, with no known false positives reported. The attacks are aimed at web-based applications hosted on servers, highlighting the ongoing threat to public-facing applications. Security professionals are advised to monitor for these specific attack vectors and implement necessary defenses. Current status indicates active exploitation attempts in the wild.

Key Points:
- Snort detected remote code execution attempts against Apache ActiveMQ and OFBiz.
- The ActiveMQ vulnerability involves insecure deserialization, while the OFBiz vulnerability exploits an unauthenticated URI.
- Both vulnerabilities are classified as high severity with no known false positives.
Detailed Analysis
**Impact**

Organizations running vulnerable versions of Apache ActiveMQ and Apache OFBiz are at risk of remote code execution attacks. These vulnerabilities affect internet-facing servers across multiple sectors that rely on these web applications, potentially leading to unauthorized system control and data compromise. No specific geographic or sectoral data is provided. The business impact includes operational disruption, data loss, and potential lateral movement within affected networks.

**Technical Details**

The Apache ActiveMQ vulnerability involves insecure deserialization of malicious Java classes delivered via ExceptionResponse OpenWire commands, enabling remote code execution. The Apache OFBiz vulnerability exploits unauthenticated access to the `/webtools/control/forgotPassword` URI, where controller and view map fragmentation can be abused to execute code remotely. Both vulnerabilities are categorized as high to critical severity with no known false positives. These attacks align with the MITRE ATT&CK technique T1190 (Exploit Public-Facing Application) and target initial access. No CVE identifiers or specific malware/tools are mentioned. No IOCs are provided.

**Recommended Response**

Apply the latest security patches for Apache ActiveMQ and Apache OFBiz immediately to remediate the insecure deserialization and authentication bypass vulnerabilities. Deploy Snort detection rules 1:66532 and 1:64685 to monitor and alert on exploitation attempts. Harden web application configurations to restrict unauthenticated access paths and validate serialized data inputs. Continuously monitor network traffic for anomalous ExceptionResponse OpenWire commands and for unauthorized access to `/webtools/control/forgotPassword` endpoints.
Source articles (3)
- Rule Docs 1:64685 — Snort · 2026-06-01
  SERVER-WEBAPP -- Snort has detected traffic exploiting vulnerabilities in web based applications on servers. SERVER-WEBAPP Apache OFBiz remote code execution attempt This rule detects an attempted rem…
- Rule Docs 1:66532 — Snort · 2026-06-02
  SERVER-WEBAPP -- Snort has detected traffic exploiting vulnerabilities in web based applications on servers. SERVER-WEBAPP Apache ActiveMQ ExceptionResponse remote code execution attempt This rule loo…
- CVE-2023-46604 — activemq.apache.org · 2026-06-02
Timeline
- 2026-06-01 — Remote code execution attempt on Apache OFBiz detected: Snort identified exploitation attempts targeting Apache OFBiz via the `/webtools/control/forgotPassword` URI.
- 2026-06-02 — Remote code execution attempt on Apache ActiveMQ detected: Snort reported exploitation attempts of an insecure deserialization vulnerability in Apache ActiveMQ.
Related entities
- Remote Code Execution (Attack Type)
- CWE-287 - Improper Authentication (CWE)
- CWE-502 - Deserialization of Untrusted Data (CWE)
- T1190 - Exploit Public-Facing Application (MITRE ATT&CK)
- Apache ActiveMQ (Platform)
- Apache OFBiz (Platform)
- Insecure Deserialization (Vulnerability)