Open Nav
Sign Up

Alert: Apache ActiveMQ Flaw Exploited in Godzilla Web Shell Attacks (CVE-2023-46604)

Bar Refael

January 23, 2024

Vulnerability Summary:

  • Affected Software: Apache ActiveMQ
  • Vulnerability ID: CVE-2023-46604 (CVSS Score: 10.0)
  • Type of Vulnerability: Remote Code Execution (RCE)
  • Current Threat: Active exploitation by multiple adversaries

Details of the Threat:

Cybersecurity researchers have detected a significant surge in cybercriminal activities exploiting a critical vulnerability in Apache ActiveMQ. The flaw, identified as CVE-2023-46604, is being used to deploy the Godzilla web shell on compromised hosts. This severe RCE vulnerability, disclosed in late October 2023, has been a vector for various malicious activities, including ransomware, rootkits, cryptocurrency mining, and DDoS botnet deployment.

Characteristics of the Godzilla Web Shell:

  • Concealment: The web shells are hidden within an unknown binary format, making them hard to detect by conventional security and signature-based scanners.
  • Execution Mechanism: Despite the unusual file format, ActiveMQ’s JSP engine still compiles and executes the web shell.
  • Capabilities: The Godzilla web shell is a sophisticated backdoor, capable of parsing inbound HTTP POST requests, executing content, and sending responses via HTTP. It enables threat actors to perform a wide range of actions, such as executing shell commands, viewing network information, and managing files on the compromised host.

Attack Methodology:

  • The web shell code is planted within the “admin” folder of ActiveMQ’s installation directory.
  • It’s converted into Java code for execution by the Jetty Servlet Engine.
  • Attackers can connect to the compromised system using the Godzilla management user interface, gaining full control over the host.

Urgent Recommendations for Clients:

  • Update Immediately: Users of Apache ActiveMQ should update to the latest version without delay to prevent exploitation.
  • Enhanced Monitoring: Vigilantly monitor network traffic and system logs for any signs of compromise or unusual activity.
  • Security Review: Conduct a thorough security review of systems using Apache ActiveMQ, especially focusing on the admin folder and any unusual binary files.
  • Incident Response Plan: Ensure that your incident response plan is up-to-date and ready to be executed in the event of a breach.

Closing Note:

Given the severity and sophistication of this threat, it’s crucial for organizations using Apache ActiveMQ to take immediate and effective action to secure their systems. [Your Company’s Name] is dedicated to assisting our clients in responding to these cybersecurity challenges and ensuring the protection of their digital infrastructure

Stay safe and informed,

OP Innovate.

Resources highlights

CVE-2026-21509: Actively Exploited Microsoft Office Security Bypass

CVE-2026-21509 is a zero-day security feature bypass vulnerability in Microsoft Office that has been confirmed as actively exploited in the wild. The flaw allows adversaries…

Read more >

cve-2026-21509

Guidance to Address Ongoing Exploitation of Fortinet SSO Vulnerability (CVE-2026-24858)

CVE-2026-24858 is a critical authentication bypass in FortiCloud Single Sign-On (SSO) that can allow an attacker with a FortiCloud account and a registered device to…

Read more >

cve-2026-24858

CVE-2024-37079: VMware vCenter Server DCERPC Heap Overflow (RCE)

CVE-2024-37079 is a critical remote code execution (RCE) vulnerability in VMware vCenter Server caused by a heap overflow in the DCERPC protocol implementation. On January…

Read more >

cve-2024-37079

CVE-2026-24061: GNU Inetutils telnetd Remote Authentication Bypass

CVE-2026-24061 is a pre-authentication remote authentication bypass in GNU Inetutils telnetd. The flaw carries a Critical CVSS:3.1 severity score of 9.8 and allows an attacker…

Read more >

CVE-2026-24061

CVE-2026-0227: PAN-OS GlobalProtect Denial-of-Service Vulnerability

CVE-2026-0227 is a high-severity denial-of-service vulnerability affecting Palo Alto Networks PAN-OS and Prisma Access deployments where GlobalProtect Gateway or Portal is enabled. The flaw allows…

Read more >

cve-2026-0227

CVE-2026-20805: Windows Desktop Window Manager (DWM) Zero-Day

CVE-2026-20805 is a Windows Desktop Window Manager (DWM) information disclosure vulnerability that has been exploited in the wild as a zero-day.While the CVSS v3.1 base…

Read more >

cve-2026-20805
Under Cyber Attack?

Fill out the form and we will contact you immediately.