A critical vulnerability has been discovered in the Apache ActiveMQ NMS AMQP client, which could allow a remote, unauthenticated attacker to execute arbitrary code on systems running the client. This flaw, rated 9.8 (Critical), stems from the insecure deserialization of untrusted data sent from a malicious server and poses a significant risk to data confidentiality, integrity, and system availability. Immediate patching is required to mitigate the risk of a full system compromise.

The vulnerability is a Deserialization of Untrusted Data flaw within the Apache ActiveMQ NMS AMQP client library. When the client connects to an AMQP server (broker), it can receive and process serialized objects. An unauthenticated attacker controlling a malicious or compromised AMQP server can send a specially crafted object to the client. The client's code will then deserialize this object without proper validation, leading to the execution of arbitrary code with the permissions of the user running the client application.

This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation could lead to a complete compromise of the system running the vulnerable client. An attacker could achieve remote code execution (RCE), allowing them to install malware, exfiltrate sensitive data, disrupt critical business operations, or use the compromised system as a pivot point to move laterally within the corporate network. The potential consequences include major data breaches, significant financial loss, reputational damage, and operational downtime.

Immediate Action: Immediately update all instances of the Apache ActiveMQ NMS AMQP client to a version later than 2.3.0, as recommended by the vendor. After patching, it is crucial to monitor for any signs of exploitation attempts by reviewing application and system access logs for anomalous activity.

Proactive Monitoring:

• Monitor network traffic for unusual outbound connections from systems running the AMQP client.
• Review system logs for unexpected process creation, command execution, or file modifications on affected hosts.
• Implement enhanced logging on AMQP clients to capture message details and look for deserialization errors or warnings that could indicate an attack attempt.

Compensating Controls:

• If immediate patching is not feasible, restrict the client's network access to only connect to explicitly trusted and properly secured AMQP brokers.
• Implement network segmentation to isolate systems running the vulnerable client from critical network segments.
• Utilize an Intrusion Prevention System (IPS) with signatures capable of detecting and blocking known deserialization attack payloads.

Public Exploit Available: False (as of Oct 16, 2025)

All organizations using the affected versions of the Apache ActiveMQ NMS AMQP client must prioritize applying the security update immediately. Given the critical CVSS score of 9.8, the risk of remote code execution is severe. While this vulnerability is not yet on the CISA KEV list, its high severity makes it an attractive target for attackers, and immediate remediation is the most effective mitigation strategy to prevent a potential system compromise.