
Alert: Apache ActiveMQ Flaw Exploited in Godzilla Web Shell Attacks (CVE-2023-46604)

Bar Refael

January 23, 2024

Vulnerability Summary:

  • Affected Software: Apache ActiveMQ
  • Vulnerability ID: CVE-2023-46604 (CVSS Score: 10.0)
  • Type of Vulnerability: Remote Code Execution (RCE)
  • Current Threat: Active exploitation by multiple adversaries

Details of the Threat:

Cybersecurity researchers have detected a significant surge in cybercriminal activities exploiting a critical vulnerability in Apache ActiveMQ. The flaw, identified as CVE-2023-46604, is being used to deploy the Godzilla web shell on compromised hosts. This severe RCE vulnerability, disclosed in late October 2023, has been a vector for various malicious activities, including ransomware, rootkits, cryptocurrency mining, and DDoS botnet deployment.

Characteristics of the Godzilla Web Shell:

  • Concealment: The web shells are hidden within an unknown binary format, making them hard for conventional security tools and signature-based scanners to detect.
  • Execution Mechanism: Despite the unusual file format, ActiveMQ’s JSP engine still compiles and executes the web shell.
  • Capabilities: The Godzilla web shell is a sophisticated backdoor, capable of parsing inbound HTTP POST requests, executing content, and sending responses via HTTP. It enables threat actors to perform a wide range of actions, such as executing shell commands, viewing network information, and managing files on the compromised host.

Attack Methodology:

  • The web shell code is planted within the “admin” folder of ActiveMQ’s installation directory.
  • It’s converted into Java code for execution by the Jetty Servlet Engine.
  • Attackers can connect to the compromised system using the Godzilla management user interface, gaining full control over the host.

Urgent Recommendations for Clients:

  • Update Immediately: Users of Apache ActiveMQ should update to the latest version without delay to prevent exploitation.
  • Enhanced Monitoring: Vigilantly monitor network traffic and system logs for any signs of compromise or unusual activity.
  • Security Review: Conduct a thorough security review of systems using Apache ActiveMQ, especially focusing on the admin folder and any unusual binary files.
  • Incident Response Plan: Ensure that your incident response plan is up-to-date and ready to be executed in the event of a breach.
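
One way to start the admin-folder review recommended above, as an added example that is not code from OP Innovate or the ActiveMQ project: it walks a directory and flags JSP files whose content is mostly binary. The 5% threshold, the `<%` marker check and the sample files are assumptions constructed for illustration; pass the admin folder of your own installation to `review_admin_folder`.

```python
import os
import tempfile

JSP_EXTS = {".jsp", ".jspx"}
TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

def binary_ratio(data: bytes) -> float:
    """Fraction of bytes that are not printable ASCII or tab/LF/CR."""
    if not data:
        return 0.0
    return sum(b not in TEXT_BYTES for b in data) / len(data)

def review_admin_folder(admin_dir: str, threshold: float = 0.05) -> list:
    """Flag JSP files whose content is largely binary (threshold is an assumed cut-off)."""
    findings = []
    for root, _dirs, files in os.walk(admin_dir):
        for name in sorted(files):
            if os.path.splitext(name)[1].lower() not in JSP_EXTS:
                continue  # images, CSS and other static assets are out of scope here
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                data = fh.read()
            ratio = binary_ratio(data)
            if ratio > threshold:
                findings.append({
                    "file": os.path.relpath(path, admin_dir),
                    "binary_ratio": round(ratio, 2),
                    # JSP markers inside binary data mean the engine may still compile it
                    "has_jsp_marker": b"<%" in data,
                })
    return findings

def demo() -> list:
    """Build a constructed admin folder (not real samples) and review it."""
    with tempfile.TemporaryDirectory() as tmp:
        admin = os.path.join(tmp, "admin")
        os.makedirs(admin)
        samples = {
            "index.jsp": b'<%@ page contentType="text/html" %>\n<html>queues</html>\n',
            "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
            "x.jsp": bytes(range(32)) * 8 + b"<% /* placeholder */ %>" + b"\xff\x00" * 64,
        }
        for name, content in samples.items():
            with open(os.path.join(admin, name), "wb") as fh:
                fh.write(content)
        return review_admin_folder(admin)

if __name__ == "__main__":
    print(demo())
```

A flagged file is a lead for manual review, not a verdict; comparing the folder against a clean copy of the same ActiveMQ release is a useful follow-up.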

Closing Note:

Given the severity and sophistication of this threat, it’s crucial for organizations using Apache ActiveMQ to take immediate and effective action to secure their systems. We are dedicated to assisting our clients in responding to these cybersecurity challenges and ensuring the protection of their digital infrastructure.

Stay safe and informed,

OP Innovate.
