A critical vulnerability in the Apache RocketMQ distributed messaging and streaming platform is being exploited by multiple threat actors. The vulnerability is tracked as CVE-2023-33246 and affects RocketMQ versions 5.1.0 and earlier. The command injection vulnerability can be exploited without authentication and has a CVSS v 3.1 severity score of 9.8. The vulnerability can be exploited by using the update configuration function to execute commands as the system users that RocketMQ is running.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added the vulnerability to its Known Exploited Vulnerability (KEV) Catalog and all Federal Civilian Executive Branch (FCEB) Agencies have been given until September 27, 2023, to patch the vulnerability on their systems or discontinue using the product.
The vulnerability has been exploited since at least June 2023 in a campaign that delivers DreamBus botnet malware. According to Juniper Threat Labs, the attacks target the default port used by RocketMQ (10911) and seven other ports. Infected devices are added to the botnet, and the malware is used to download additional malware payloads, including the open-source Monero mining cryptocurrency miner, XMRig. The malware is also capable of spreading laterally within networks using a variety of tools.
Security researcher Jacob Baines conducted a search to identify RocketMQ installations that were exposed to the internet and identified 4,500 systems. He identified several malicious payloads which suggests the vulnerability is now being exploited by multiple threat actors. Baines believes at least 5 different threat actors are now exploiting the vulnerability.
Prompt patching is therefore important to prevent exploitation. In addition to updating to a patched version, users should investigate whether the vulnerability has already been exploited.