Threat Advisory

Critical Apache RocketMQ bug exploited in attacks

Threat: Vulnerability/Malware


The Apache RocketMQ CVE-2023-33246 is a critical vulnerability that allows remote, unauthenticated attackers to perform command injection. This flaw has been actively exploited since June 2023 using a custom remoting protocol that targets the default RocketMQ broker ports, 10909 and 10911. Notably, this protocol is not readily detectable by Shodan or Censys, making it difficult to gauge the extent of affected systems.

RocketMQ broker interfaces were not intended to be exposed to the internet and are inherently insecure, providing various administrative functions, including updating broker configurations and downloading them without authentication. When an attacker updates the configuration with a malicious "rocketmqHome" variable, the payload isn't executed immediately but is written into the configuration file. After a brief delay, a process parses the configuration, leading to the execution of a shell command containing the malicious variable, allowing for attacker code execution. Importantly, unless overwritten, the attacker payload persists indefinitely in the configuration.

Some attackers, as seen in public exploits like XDB-b486dcf3f31d, seem to lack an understanding of the underlying protocol used to deliver the payload into the configuration file, and in particular of the fact that anyone can download and scrutinize that configuration file for indicators of compromise. To aid in identifying exploited RocketMQ systems, a tool has been developed using the go-exploit framework. This tool downloads RocketMQ broker configuration files and extracts the vulnerable "rocketmqHome" variable. It is available on GitHub for use in hunting for exploited RocketMQ systems.
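As an added illustration (not the page's tool or any project code), the following Python check parses a broker configuration in its key=value form and flags a "rocketmqHome" value that is anything other than a plain directory path. Both the configuration text and the "exploited" entry are constructed samples.

```python
import re

# Constructed sample of a RocketMQ broker configuration (key=value format).
# In a real check, read the broker's configuration file instead.
SAMPLE_BROKER_CONF = """\
brokerClusterName=DefaultCluster
brokerName=broker-a
brokerId=0
listenPort=10911
rocketmqHome=/opt/rocketmq
"""

# Constructed example of what an exploited broker's entry can look like:
# the value is no longer a bare directory path.
SAMPLE_EXPLOITED_CONF = "rocketmqHome=/opt/rocketmq; touch /tmp/indicator\n"

# A legitimate rocketmqHome is a plain absolute path (POSIX or Windows drive).
CLEAN_HOME = re.compile(r"^([A-Za-z]:)?[\\/][A-Za-z0-9._\\/-]*$")

# Tokens reported as indicators once the value has failed the plain-path check.
INDICATORS = ("$(", "`", ";", "|", "&", ">", "<", " ", "bash", "curl", "wget")


def parse_broker_conf(text):
    """Parse key=value lines; blanks and '#' comments are ignored.
    A repeated key keeps its last value, as a later config update would."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def assess_rocketmq_home(conf):
    """Classify the rocketmqHome entry: missing, clean, or suspicious."""
    value = conf.get("rocketmqHome")
    if not value:
        return {"verdict": "missing", "value": value, "indicators": []}
    if CLEAN_HOME.match(value):
        return {"verdict": "clean", "value": value, "indicators": []}
    hits = [tok for tok in INDICATORS if tok in value]
    return {"verdict": "suspicious", "value": value, "indicators": hits}


if __name__ == "__main__":
    for name, text in (("clean", SAMPLE_BROKER_CONF), ("exploited", SAMPLE_EXPLOITED_CONF)):
        print(name, assess_rocketmq_home(parse_broker_conf(text)))
```

Because the injected value persists in the file until overwritten, a clean verdict today says nothing about an earlier compromise that has since been overwritten; compare against backups or change history where available.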

This vulnerability appears to be linked to just one botnet. However, it is evident that there are multiple active threat actors involved, potentially affecting numerous victims. In light of this, it is strongly advisable to take proactive measures, including removing your RocketMQ instance from the internet and thoroughly scrutinizing the broker configuration for any indications of exploitation.



We strongly recommend upgrading to version 5.1.1 or above if you are using RocketMQ 5.x, or to version 4.9.6 or above if you are using RocketMQ 4.x.


Threat Profile:



The following reports contain further technical details: