Active exploitation of Apache RocketMQ security flaw

Target Industry

Indiscriminate, opportunistic targeting.

Overview

The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical-severity vulnerability in the Apache RocketMQ messaging and streaming platform, tracked as CVE-2023-33246 (CVSSv3 score: 9.8), to its Known Exploited Vulnerabilities catalogue. An entry in that catalogue means CISA holds evidence of exploitation in the wild, and intelligence gathering indicates that threat actors are actively exploiting this flaw to install malware payloads on vulnerable systems.

The flaw is exploitable because several Apache RocketMQ components, including the NameServer and Controller, lack permission verification on their management functions, so any instance reachable from the internet can be abused without credentials. A security researcher determined that approximately 4,500 systems exposed TCP port 9876, the port used by the Apache RocketMQ NameServer, to the internet.

Impact

Successful exploitation of CVE-2023-33246 allows a threat actor to use the update configuration function to execute commands as the system user that RocketMQ runs as. This gives the threat actor remote code execution (RCE) on the host, which would almost certainly result in the compromise of the confidentiality and integrity of the data it processes.

Incident Detection

Apache has released security updates for the product versions affected by this flaw; versions prior to those updates remain vulnerable to exploitation. Internet-exposed RocketMQ services, in particular those listening on TCP port 9876, should be identified and checked against the indicators listed below.

Affected Products

Apache RocketMQ 5.x versions 5.1.0 and prior, and 4.x versions 4.9.5 and prior.

Containment, Mitigations & Remediations

To mitigate the threat posed by this vulnerability, it is strongly recommended that users apply the following updates as a matter of urgency:

  • Version 5.1.1 or later for RocketMQ 5.x
  • Version 4.9.6 or later for RocketMQ 4.x

If the updates above cannot be applied, CISA recommends discontinuing use of the affected product.
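The fixed-version rules above are branch-specific (4.x is fixed at 4.9.6, 5.x at 5.1.1), which is easy to get wrong in a quick comparison. The following script, added here as an illustration and not code from the bulletin or the Apache project, encodes those rules and applies them to a constructed directory listing of a RocketMQ `lib/` folder. It assumes the Maven-style jar naming `rocketmq-<module>-<version>.jar`; the listing itself is made up for the example.

```python
"""Assess RocketMQ version strings against the fixed releases for CVE-2023-33246."""
import re
from typing import Dict, Set, Tuple

# Fixed releases named in the bulletin, per release branch.
FIXED_4X: Tuple[int, int, int] = (4, 9, 6)
FIXED_5X: Tuple[int, int, int] = (5, 1, 1)

# Leading X.Y.Z; any suffix such as "-SNAPSHOT" is ignored and the base
# version is assessed (a pre-release of 5.1.0 is still below 5.1.1).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")

# Assumed jar naming convention: rocketmq-<module>-<X.Y.Z>.jar
JAR_RE = re.compile(r"^rocketmq-[a-z-]+-(\d+\.\d+\.\d+)\.jar$")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '5.1.0' or '4.9.4-SNAPSHOT' into a comparable (major, minor, patch) tuple."""
    match = VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised RocketMQ version string: {version!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_vulnerable(version: str) -> bool:
    """True if the version falls inside the range the bulletin calls vulnerable.

    Anything below 4.9.6 (including every 3.x or older release) is vulnerable;
    on the 5.x branch anything below 5.1.1 is vulnerable.
    """
    v = parse_version(version)
    if v < FIXED_4X:
        return True
    if v[0] == 5 and v < FIXED_5X:
        return True
    return False


def versions_from_lib_listing(listing: str) -> Set[str]:
    """Extract the RocketMQ versions present in a `ls lib/` style listing."""
    found: Set[str] = set()
    for name in listing.splitlines():
        match = JAR_RE.match(name.strip())
        if match:
            found.add(match.group(1))
    return found


def assess_listing(listing: str) -> Dict[str, bool]:
    """Map each RocketMQ version found in the listing to whether it is vulnerable."""
    return {v: is_vulnerable(v) for v in sorted(versions_from_lib_listing(listing))}


# Constructed sample listing for the example (not captured from a real host).
SAMPLE_LIB_LISTING = """\
netty-all-4.1.65.Final.jar
rocketmq-broker-5.1.0.jar
rocketmq-common-5.1.0.jar
rocketmq-namesrv-5.1.0.jar
rocketmq-remoting-5.1.0.jar
"""

if __name__ == "__main__":
    for version, vulnerable in assess_listing(SAMPLE_LIB_LISTING).items():
        status = "VULNERABLE - update" if vulnerable else "fixed"
        print(f"RocketMQ {version}: {status}")
```

Run it against the output of `ls` on the RocketMQ installation's `lib/` directory; a `VULNERABLE` result on either branch means the update in the list above has not been applied.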

Indicators of Compromise

Associated Vulnerability Exploitation IP Addresses:

  • 103[.]85[.]25[.]121
  • 94[.]156[.]6[.]110
  • 45[.]15[.]158[.]124
  • 134[.]209[.]58[.]230

Associated Vulnerability Exploitation Domains:

  • acf-producao[.]s3[.]amazonaws[.]com
  • ashleyhub[.]s3[.]amazonaws[.]com
  • aaadutyv1[.]s3[.]amazonaws[.]com
  • brazilfoundation-assets[.]s3[.]amazonaws[.]com

Associated Vulnerability Exploitation File Hashes (SHA-256):

  • 1d489a41395be76a8101c2e1eba383253a291f4e84a9da389c6b58913786b8ac
  • d7843904e1c25055e14cae8b44b28f9dd4706c0ad8b03f55dfcded36ce8423a0
  • 4feb3dcfe57e3b112568ddd1897b68aeb134ef8addd27b660530442ea1e49cbb
  • f93e9bc9583058d82d2d3fe35117cbb9a553d54e7149846b2dc94446f0836201
  • 49062378ab3e4a0d78c6db662efb4dbc680808fb75834b4674809bc8903adaea
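The indicators above are published in defanged form, so they have to be refanged before they can be matched against firewall, proxy or endpoint telemetry. The script below is an added example, not part of the bulletin, that does this and runs the full IP, domain and SHA-256 lists against a handful of constructed log lines (the log format, hostnames and timestamps are made up for the example; the indicators themselves are copied from the lists above).

```python
"""Refang the bulletin's IoCs and scan log lines for them."""
import re
from typing import List, Tuple

# Indicators exactly as published in the bulletin (defanged).
IOC_IPS_DEFANGED = [
    "103[.]85[.]25[.]121",
    "94[.]156[.]6[.]110",
    "45[.]15[.]158[.]124",
    "134[.]209[.]58[.]230",
]
IOC_DOMAINS_DEFANGED = [
    "acf-producao[.]s3[.]amazonaws[.]com",
    "ashleyhub[.]s3[.]amazonaws[.]com",
    "aaadutyv1[.]s3[.]amazonaws[.]com",
    "brazilfoundation-assets[.]s3[.]amazonaws[.]com",
]
IOC_SHA256 = {
    "1d489a41395be76a8101c2e1eba383253a291f4e84a9da389c6b58913786b8ac",
    "d7843904e1c25055e14cae8b44b28f9dd4706c0ad8b03f55dfcded36ce8423a0",
    "4feb3dcfe57e3b112568ddd1897b68aeb134ef8addd27b660530442ea1e49cbb",
    "f93e9bc9583058d82d2d3fe35117cbb9a553d54e7149846b2dc94446f0836201",
    "49062378ab3e4a0d78c6db662efb4dbc680808fb75834b4674809bc8903adaea",
}


def refang(indicator: str) -> str:
    """Undo the common defanging conventions ([.] and hxxp)."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


IOC_IPS = {refang(ip) for ip in IOC_IPS_DEFANGED}
IOC_DOMAINS = {refang(domain) for domain in IOC_DOMAINS_DEFANGED}

# Token extractors; candidate tokens are then checked against the IoC sets,
# so a harmless IP or hostname in a line never produces a hit on its own.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+\b", re.I)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)

Hit = Tuple[str, str]  # (indicator type, matched value)


def scan_line(line: str) -> List[Hit]:
    """Return every bulletin indicator found in one log line."""
    hits: List[Hit] = []
    for ip in IPV4_RE.findall(line):
        if ip in IOC_IPS:
            hits.append(("ip", ip))
    for host in HOST_RE.findall(line):
        if host.lower() in IOC_DOMAINS:
            hits.append(("domain", host.lower()))
    for digest in SHA256_RE.findall(line):
        if digest.lower() in IOC_SHA256:
            hits.append(("sha256", digest.lower()))
    return hits


def scan_lines(lines: List[str]) -> List[Tuple[int, str, List[Hit]]]:
    """Return (line number, line, hits) for every line that matched at least one IoC."""
    results = []
    for number, line in enumerate(lines, start=1):
        hits = scan_line(line)
        if hits:
            results.append((number, line, hits))
    return results


# Constructed sample telemetry for the example; not real captured logs.
SAMPLE_LOGS = [
    "2023-09-06T10:12:01Z fw01 ACCEPT TCP src=94.156.6.110:51234 dst=10.0.4.17:9876",
    "2023-09-06T10:12:03Z proxy01 GET https://ashleyhub.s3.amazonaws.com/update 200 bytes=4312",
    "2023-09-06T10:12:05Z edr01 file_write path=/tmp/update sha256=1d489a41395be76a8101c2e1eba383253a291f4e84a9da389c6b58913786b8ac",
    "2023-09-06T10:13:00Z fw01 ACCEPT TCP src=10.0.4.2:41000 dst=10.0.4.17:9876",
]

if __name__ == "__main__":
    for number, line, hits in scan_lines(SAMPLE_LOGS):
        print(f"line {number}: {hits}")
        print(f"    {line}")
```

Feed it real firewall, proxy and EDR exports line by line; a hit on the NameServer port from one of the listed addresses, or a download from one of the listed S3 buckets, is the pattern the indicators describe and should be escalated.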

Threat Landscape

Apache RocketMQ holds a significant share of the enterprise application integration market. Threat actors generally weigh the probability of successful exploitation against the value of the asset when choosing which attack surfaces to focus on, which has made widely deployed Apache products a prime target. Because enterprise applications are an integral part of business operations, threat actors will continue to exploit vulnerabilities in these products in an attempt to extract the sensitive data they handle.

Threat Group

CVE-2023-33246 has been exploited since June 2023 by at least five separate threat actors. Of note, in June 2023, operators of the DreamBus botnet leveraged the flaw to deploy a Monero cryptocurrency miner.

DreamBus is a modular malware strain primarily focused on Monero mining. Upon exploitation of CVE-2023-33246, the malware installs a system service and a cron job to maintain persistence on the compromised host.

Mitre Methodologies

Common Weakness Enumeration (CWE):

CWE-94 – Improper Control of Generation of Code (‘Code Injection’)

Further Information

CISA Advisory


Intelligence Terminology Yardstick showing the likelihood of events

TIDC-0004