Open Nav
Sign Up

Alert: Apache ActiveMQ Flaw Exploited in Godzilla Web Shell Attacks (CVE-2023-46604)

Bar Refael

January 23, 2024

Vulnerability Summary:

  • Affected Software: Apache ActiveMQ
  • Vulnerability ID: CVE-2023-46604 (CVSS Score: 10.0)
  • Type of Vulnerability: Remote Code Execution (RCE)
  • Current Threat: Active exploitation by multiple adversaries

Details of the Threat:

Cybersecurity researchers have detected a significant surge in cybercriminal activities exploiting a critical vulnerability in Apache ActiveMQ. The flaw, identified as CVE-2023-46604, is being used to deploy the Godzilla web shell on compromised hosts. This severe RCE vulnerability, disclosed in late October 2023, has been a vector for various malicious activities, including ransomware, rootkits, cryptocurrency mining, and DDoS botnet deployment.

Characteristics of the Godzilla Web Shell:

  • Concealment: The web shells are hidden within an unknown binary format, making them hard to detect by conventional security and signature-based scanners.
  • Execution Mechanism: Despite the unusual file format, ActiveMQ’s JSP engine still compiles and executes the web shell.
  • Capabilities: The Godzilla web shell is a sophisticated backdoor, capable of parsing inbound HTTP POST requests, executing content, and sending responses via HTTP. It enables threat actors to perform a wide range of actions, such as executing shell commands, viewing network information, and managing files on the compromised host.

Attack Methodology:

  • The web shell code is planted within the “admin” folder of ActiveMQ’s installation directory.
  • It’s converted into Java code for execution by the Jetty Servlet Engine.
  • Attackers can connect to the compromised system using the Godzilla management user interface, gaining full control over the host.

Urgent Recommendations for Clients:

  • Update Immediately: Users of Apache ActiveMQ should update to the latest version without delay to prevent exploitation.
  • Enhanced Monitoring: Vigilantly monitor network traffic and system logs for any signs of compromise or unusual activity.
  • Security Review: Conduct a thorough security review of systems using Apache ActiveMQ, especially focusing on the admin folder and any unusual binary files.
  • Incident Response Plan: Ensure that your incident response plan is up-to-date and ready to be executed in the event of a breach.

Closing Note:

Given the severity and sophistication of this threat, it’s crucial for organizations using Apache ActiveMQ to take immediate and effective action to secure their systems. [Your Company’s Name] is dedicated to assisting our clients in responding to these cybersecurity challenges and ensuring the protection of their digital infrastructure

Stay safe and informed,

OP Innovate.

Resources highlights

AsyncAPI npm Supply-Chain Attack Delivers Cross-Platform Miasma RAT

A software supply-chain attack compromised four packages in the official AsyncAPI npm namespace, resulting in five malicious package versions being distributed through the project’s legitimate…

Read more >

AsyncAPI supply chain attack

Zoom Windows Vulnerability Enables Account Takeover (CVE-2026-53412)

Zoom has released security updates for a critical vulnerability affecting Zoom Workplace and Zoom Workplace VDI clients for Windows. Tracked as CVE-2026-53412, the vulnerability could…

Read more >

cve-2026-53412

Actively Exploited SonicWall SMA1000 Vulnerabilities (CVE-2026-15409 and CVE-2026-15410)

SonicWall has released emergency hotfixes for two vulnerabilities affecting SMA1000 Series secure access appliances. Both vulnerabilities have been exploited in active attacks, and one carries…

Read more >

sonicwall_cve-2026-15409_cve-2026-15410_op

Critical Gitea Docker Authentication Bypass Under Active Probing: CVE-2026-20896

A critical authentication bypass vulnerability, tracked as CVE-2026-20896, has been disclosed in the official Gitea Docker image. Gitea is a self-hosted software development platform used…

Read more >

gitea_docker_cve-2026-20896

Adobe Patches Multiple Critical ColdFusion and Campaign Classic Vulnerabilities: CVE-2026-48282 Exploitation Observed

Adobe has released security updates for multiple critical vulnerabilities affecting Adobe ColdFusion and Adobe Campaign Classic, including several flaws rated CVSS 10.0.CVE-2026-48282, a critical ColdFusion…

Read more >

adobe_coldfusion_campaign classic_cve-2026-48282

CVE-2026-46817: Critical Oracle E-Business Suite Vulnerability

A critical vulnerability in Oracle E-Business Suite is now being actively exploited in the wild. Tracked as CVE-2026-46817, the flaw affects the File Transmission component…

Read more >

cve-2026-46817-oracle-e-business
Under Cyber Attack?

Fill out the form and we will contact you immediately.