Security News > 2024 > January > Hackers target Apache RocketMQ servers vulnerable to RCE attacks

Security researchers are detecting hundreds of IP addresses on a daily basis that scan or attempt to exploit Apache RocketMQ services vulnerable to a remote command execution flaw identified as CVE-2023-33246 and CVE-2023-37582.
Apache released a fix that was incomplete for the NameServer component in RocketMQ and continued to affect versions 5.1 and older of the distributed messaging and streaming platform.
"The RocketMQ NameServer component still has a remote command execution vulnerability as the CVE-2023-33246 issue was not completely fixed in version 5.1.1," reads a warning from Rongtong Jin, a member of the Apache RocketMQ Project Management Committee.
Hackers started targeting vulnerable Apache RocketMQ systems since at least August 2023, when a new version of the DreamBus botnet was observed leveraging an CVE-2023-33246 exploit to drop XMRig Monero miners on vulnerable servers.
Apache OFBiz RCE flaw exploited to find vulnerable Confluence servers.
Hackers are exploiting critical Apache Struts flaw using public PoC. Sophos backports RCE fix after attacks on unsupported firewalls.
News URL
Related news
- Critical RCE flaw in Apache Tomcat actively exploited in attacks (source)
- Over 37,000 VMware ESXi servers vulnerable to ongoing attacks (source)
- PHP-CGI RCE Flaw Exploited in Attacks on Japan's Tech, Telecom, and E-Commerce Sectors (source)
- Critical PHP RCE vulnerability mass exploited in new attacks (source)
- New ‘Rules File Backdoor’ Attack Lets Hackers Inject Malicious Code via AI Code Editors (source)
- TechRepublic EXCLUSIVE: New Ransomware Attacks are Getting More Personal as Hackers ‘Apply Psychological Pressure” (source)
- Veeam RCE bug lets domain users hack backup servers, patch now (source)
- Hackers Repurpose RansomHub's EDRKillShifter in Medusa, BianLian, and Play Attacks (source)
- Chinese FamousSparrow hackers deploy upgraded malware in attacks (source)
- North Korean hackers adopt ClickFix attacks to target crypto firms (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-07-12 | CVE-2023-37582 | Unspecified vulnerability in Apache Rocketmq The RocketMQ NameServer component still has a remote command execution vulnerability as the CVE-2023-33246 issue was not completely fixed in version 5.1.1. | 9.8 |
2023-05-24 | CVE-2023-33246 | Unspecified vulnerability in Apache Rocketmq For RocketMQ versions 5.1.0 and below, under certain conditions, there is a risk of remote command execution. Several components of RocketMQ, including NameServer, Broker, and Controller, are leaked on the extranet and lack permission verification, an attacker can exploit this vulnerability by using the update configuration function to execute commands as the system users that RocketMQ is running as. | 9.8 |