
'DripDropper' Hackers Patch Their Own Exploit

  • August 19, 2025

Jasper_The_Rasper
Moderator

An attacker is breaking into Linux systems via a widely abused 2-year-old vulnerability in Apache ActiveMQ, installing malware and then patching the flaw.

 

August 19, 2025 By Jai Vijayan

 

An attacker is exploiting a nearly 2-year-old vulnerability in Apache ActiveMQ to compromise Linux servers and install malicious software on them. The attacker then discreetly fixes the same security flaw they used for initial access.

The tactic is both an attempt to mask how they are breaking into the systems in the first place and also to prevent other threat actors from using the same flaw to get in.

Targeting Linux Servers via CVE-2023-46604

Red Canary uncovered the campaign while monitoring cloud-based Linux environments and observed intruders running discovery commands, or reconnaissance activities, on dozens of Linux servers. The servers were all vulnerable to CVE-2023-46604, a maximum-severity remote code execution bug in the Apache ActiveMQ message broker that the Apache Software Foundation disclosed in October 2023.

 
