CVE-2025-54539
📋 TL;DR
A deserialization vulnerability in Apache ActiveMQ NMS AMQP Client allows malicious AMQP servers to execute arbitrary code on client systems when connecting to untrusted servers. This affects all versions up to 2.3.0, and the allow/deny list protection introduced in 2.1.0 can be bypassed. Any application using the vulnerable client library to connect to external AMQP servers is at risk.
💻 Affected Systems
- Apache ActiveMQ NMS AMQP Client
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of client system with remote code execution, potentially leading to data theft, lateral movement, or ransomware deployment.
Likely Case
Attackers hosting malicious AMQP servers could compromise clients connecting to them, particularly in supply chain attacks or when clients connect to untrusted external services.
If Mitigated
If connecting only to trusted internal AMQP servers, risk is significantly reduced but not eliminated if internal servers are compromised.
🎯 Exploit Status
Exploitation requires the client to connect to a malicious AMQP server. No public exploit code was identified in the references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4.0
Vendor Advisory: https://lists.apache.org/thread/9k684j07ljrshy3hxwhj5m0xjmkz1g2n
Restart Required: Yes
Instructions:
1. Upgrade to Apache ActiveMQ NMS AMQP Client version 2.4.0 or later.
2. Update all applications using the library.
3. Restart affected services.
4. Consider migrating away from .NET binary serialization long-term.
🔧 Temporary Workarounds
Restrict AMQP Server Connections
Configure applications to connect only to trusted, internal AMQP servers. Implement network segmentation to prevent connections to untrusted external servers.
Implement Application Allowlisting
Use the allow/deny lists for deserialization types (available in 2.1.0 and later, but bypassable). Configure them to allow only the types the application actually needs.
🧯 If You Can't Patch
- Isolate vulnerable systems and restrict network access to trusted AMQP servers only
- Monitor for suspicious outbound connections to unknown AMQP servers and implement strict egress filtering
🔍 How to Verify
Check if Vulnerable:
Check application dependencies for Apache.NMS.ActiveMQ version <= 2.3.0. Review code for AMQP client usage.
Check Version:
Check the package manager (NuGet) or read the assembly version from the file's metadata: System.Reflection.AssemblyName.GetAssemblyName("Apache.NMS.ActiveMQ.dll").Version (unlike Assembly.LoadFile, which requires an absolute path and loads the assembly into the process, GetAssemblyName only reads the manifest).
Verify Fix Applied:
Verify installed version is 2.4.0 or later. Test that applications can still connect to required AMQP servers.
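As an added example (not from the advisory or the Apache project), the dependency check above can be automated across a code base. The script below parses .csproj PackageReference entries and packages.config entries, compares the referenced version against the fixed release 2.4.0, and reports anything older as vulnerable. The advisory names the dependency Apache.NMS.ActiveMQ; the NMS AMQP client itself is published on NuGet as Apache.NMS.AMQP, so both ids are checked. The project-file snippets are constructed samples.

```python
"""Scan .NET project files for an outdated Apache ActiveMQ NMS AMQP client reference."""
import re
import xml.etree.ElementTree as ET

# Package ids to look for. The advisory text names Apache.NMS.ActiveMQ; the
# NMS AMQP client ships on NuGet as Apache.NMS.AMQP, so both are checked.
PACKAGE_IDS = {"apache.nms.amqp", "apache.nms.activemq"}
FIXED_VERSION = (2, 4, 0)  # first release containing the fix, per the advisory


def parse_version(text):
    """Turn '2.3.0', '2.3.0-beta1' or a NuGet range like '[2.1.0,3.0)' into a
    comparable (major, minor, patch) tuple. For a range the lower bound is used;
    pre-release and build-metadata suffixes are dropped."""
    core = text.strip().lstrip("[(").split(",", 1)[0]
    core = core.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in re.findall(r"\d+", core)]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def find_package_references(xml_text):
    """Yield (package_id, version) from a .csproj (PackageReference elements,
    version as attribute or child element) or a packages.config (package elements)."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]  # strip an XML namespace if one is present
        if tag == "PackageReference":
            pkg = el.get("Include") or el.get("Update")
            ver = el.get("Version")
            if ver is None:
                child = el.find("Version")
                ver = child.text.strip() if child is not None and child.text else None
        elif tag == "package":
            pkg, ver = el.get("id"), el.get("version")
        else:
            continue
        if pkg and ver:
            yield pkg, ver


def assess(xml_text):
    """Return [(package, version, status)] for every matching package reference,
    where status is 'vulnerable' (< 2.4.0) or 'fixed' (>= 2.4.0)."""
    results = []
    for pkg, ver in find_package_references(xml_text):
        if pkg.lower() not in PACKAGE_IDS:
            continue
        status = "fixed" if parse_version(ver) >= FIXED_VERSION else "vulnerable"
        results.append((pkg, ver, status))
    return results


# Constructed sample project files (not taken from any real project).
CSPROJ_SAMPLE = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Apache.NMS.AMQP" Version="2.3.0" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>"""

PACKAGES_CONFIG_SAMPLE = """<packages>
  <package id="Apache.NMS.AMQP" version="2.4.0" targetFramework="net48" />
</packages>"""

if __name__ == "__main__":
    for name, text in (("app.csproj", CSPROJ_SAMPLE), ("packages.config", PACKAGES_CONFIG_SAMPLE)):
        for pkg, ver, status in assess(text):
            print(f"{name}: {pkg} {ver} -> {status}")
```

Run it over every .csproj and packages.config in a repository (for example via os.walk) and treat any "vulnerable" line as a work item; a version range with a floating upper bound is classified by its lower bound, so confirm the resolved version in the lock file or build output before closing the item.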
📡 Detection & Monitoring
Log Indicators:
- Unexpected deserialization errors
- Connections to unknown AMQP endpoints
- Unusual process execution following AMQP connections
Network Indicators:
- Unexpected outbound connections on the AMQP ports (5672, and 5671 for AMQP over TLS) to destinations that are not known brokers
- Suspicious AMQP traffic patterns
SIEM Query:
source="application_logs" AND ("deserialization" OR "AMQP") AND (error OR exception)
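As an added example (not part of the advisory), the "connections to unknown AMQP endpoints" indicator above can be checked against connection logs directly: any outbound connection on 5671 or 5672 whose destination is outside the approved broker networks is flagged and grouped by host and process for triage. The log format, the trusted networks and the log lines are constructed for this example and are not from the page.

```python
"""Flag outbound AMQP connections to destinations that are not approved brokers."""
import ipaddress
import re
from collections import Counter

AMQP_PORTS = {5671, 5672}  # 5671 = AMQP over TLS, 5672 = plain AMQP

# Constructed: the networks where this environment's approved AMQP brokers live.
TRUSTED_BROKER_NETS = [ipaddress.ip_network("10.0.5.0/24")]

# Constructed connection-log lines in a hypothetical key=value format.
SAMPLE_LOG = """\
2025-09-30T10:01:02Z host=app01 proc=OrderService.exe event=connect dst=10.0.5.20 dport=5671 proto=tcp
2025-09-30T10:01:05Z host=app01 proc=OrderService.exe event=connect dst=10.0.5.21 dport=5672 proto=tcp
2025-09-30T10:02:11Z host=app02 proc=ReportRunner.exe event=connect dst=203.0.113.45 dport=5672 proto=tcp
2025-09-30T10:02:12Z host=app02 proc=ReportRunner.exe event=connect dst=198.51.100.7 dport=443 proto=tcp
2025-09-30T10:03:00Z host=app03 proc=OrderService.exe event=connect dst=192.0.2.9 dport=5671 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) event=connect "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def parse_line(line):
    """Parse one connection record; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_trusted(dst, trusted_nets=TRUSTED_BROKER_NETS):
    """True when the destination address falls inside an approved broker network."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return False  # hostnames or malformed values are treated as untrusted
    return any(addr in net for net in trusted_nets)


def find_untrusted_amqp(log_text, trusted_nets=TRUSTED_BROKER_NETS):
    """Return the parsed records for AMQP-port connections to non-approved destinations."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] not in AMQP_PORTS:
            continue
        if is_trusted(rec["dst"], trusted_nets):
            continue
        findings.append(rec)
    return findings


def summarize(findings):
    """Count untrusted AMQP destinations per (host, process) to prioritise triage."""
    return Counter((f["host"], f["proc"]) for f in findings)


if __name__ == "__main__":
    hits = find_untrusted_amqp(SAMPLE_LOG)
    for rec in hits:
        print(f"{rec['ts']} {rec['host']} {rec['proc']} -> {rec['dst']}:{rec['dport']}")
    print(summarize(hits))
```

Because the vulnerability is triggered by the server the client talks to, a client process opening an AMQP session to an address outside the broker inventory is the event worth alerting on; the same allow-list is what the egress filtering in the workaround section should enforce at the network layer.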