CVE-2026-22886

OpenMQ · imqbrokerd

OpenMQ's imqbrokerd service uses a default administrative account (admin/admin) and fails to enforce password changes, allowing remote attackers full control.

Executive summary

The use of hardcoded default credentials in OpenMQ’s imqbrokerd service allows unauthenticated remote attackers to gain full administrative control over the messaging broker.

Vulnerability

The product ships with a default administrative account (admin/admin) and does not require a mandatory password change. A remote unauthenticated attacker can use these credentials to access the TCP-based management service and control all administrative features.

Business impact

The CVSS score of 9.8 reflects the extreme risk of using default credentials in a management interface. An attacker can intercept, modify, or delete messages within the broker, leading to massive data breaches and disruption of critical business logic that relies on the messaging middleware.

Remediation

Immediate Action: Change the default 'admin' password and disable any unnecessary management ports exposed to the public internet.

Proactive Monitoring: Audit all management logs for logins using the 'admin' account and monitor for unauthorized configuration changes in the broker.

Compensating Controls: Implement network-level access control lists (ACLs) or a VPN to restrict access to the imqbrokerd service to authorized IP addresses only.
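The monitoring and ACL steps above can be combined into one audit, shown here as an added example that is not part of the original advisory or OpenMQ's own tooling: it flags any activity by the 'admin' account that originates outside the authorized management networks. The key=value event layout, the event names, the `ALLOWED_NETS` range and the sample lines are assumptions constructed for illustration; this is not OpenMQ's native log format, so adapt `LINE_RE` to what your log pipeline emits.

```python
import ipaddress
import re

# Assumption: networks authorized to reach the imqbrokerd management service.
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Assumption: broker log events were normalized to this key=value layout by
# the log pipeline. This is NOT OpenMQ's native log format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) event=(?P<event>\w+) user=(?P<user>\S+) src=(?P<src>\S+)"
)

# Constructed sample events (private and documentation-range addresses).
SAMPLE = """\
2026-01-10T08:00:01Z event=login_ok user=admin src=10.20.0.15
2026-01-10T08:05:44Z event=login_ok user=orders-svc src=10.30.4.9
2026-01-10T09:12:30Z event=login_ok user=admin src=203.0.113.77
2026-01-10T09:13:02Z event=config_change user=admin src=203.0.113.77
2026-01-10T09:20:00Z event=login_fail user=admin src=198.51.100.4
malformed line without fields
"""

def audit(text, allowed=ALLOWED_NETS, account="admin"):
    """Return (findings, unparsed) for `account` activity outside `allowed`."""
    findings, unparsed = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            if line.strip():
                unparsed.append(line)  # never drop lines silently
            continue
        if m["user"] != account:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            unparsed.append(line)  # hostname or garbage in the src field
            continue
        if not any(src in net for net in allowed):
            findings.append((m["ts"], m["event"], str(src)))
    return findings, unparsed

if __name__ == "__main__":
    hits, bad = audit(SAMPLE)
    for ts, event, src in hits:
        print(f"ALERT {ts} admin {event} from {src} (outside management ACL)")
    print(f"{len(bad)} unparsed line(s) need manual review")
```

Failed 'admin' logins from outside the allowed networks are reported as well, since they show that the management service is reachable from addresses the ACL should have blocked.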

Exploitation status

Public Exploit Available: No

Analyst recommendation

Hardcoded or default credentials are a primary target for attackers. We strongly recommend an immediate password audit and the implementation of network isolation for all OpenMQ management services to mitigate this critical risk.