What is Apache RocketMQ?
Apache RocketMQ is a distributed message queue and streaming data platform originally developed by Alibaba and donated to the Apache Software Foundation. It is widely used in large-scale Java and cloud-native applications across Asia and globally for asynchronous messaging, event streaming, and decoupling of microservices. RocketMQ components — NameServer (service discovery), Broker (message storage and routing), and Controller — expose management APIs on the network for configuration and administration. When these management interfaces are internet-accessible without authentication controls, they represent a critical attack surface.
Overview
CVE-2023-33246 is a critical unauthenticated remote code execution vulnerability in Apache RocketMQ affecting versions 5.1.0 and below and 4.x before 4.9.6. Multiple RocketMQ components (NameServer, Broker, Controller) expose management APIs without sufficient authentication, allowing an unauthenticated attacker to either invoke the updateConfig function to write attacker-controlled configuration (enabling arbitrary command execution) or forge RocketMQ protocol messages to achieve the same effect. Apache patched it in versions 5.1.1 and 4.9.6. Following public PoC publication in June 2023, mass exploitation by cryptominers and threat actors began rapidly. CISA added it to KEV in September 2023.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Apache RocketMQ 5.x | 5.1.0 and earlier | 5.1.1 |
| Apache RocketMQ 4.x | 4.9.5 and earlier | 4.9.6 |
Technical Details
CWE-94 (Improper Control of Generation of Code). Apache RocketMQ's management plane exposes an updateConfig API endpoint on the NameServer and Broker components. This function is intended for administrative use but lacks proper authentication — any network-reachable client can invoke it. The updateConfig function allows overwriting configuration file entries for the RocketMQ broker, including configuration keys that control command execution at broker startup or operation.
An attacker exploiting CVE-2023-33246 can:
- Invoke `updateConfig` to set a malicious configuration value (for example `rocketmqHome`, or the filter server settings) that causes the broker to execute an OS command on its next relevant operation. The broker uses `rocketmqHome` when it builds the shell command that launches filter servers, so a crafted value combined with a non-zero `filterServerNums` yields command execution with no further interaction from the attacker.
- Alternatively, forge RocketMQ wire protocol messages to reach privileged broker operations without authentication.
The result is OS command execution under the user account running RocketMQ — which in many deployments runs as a service account with broad system access. Combined with the widespread deployment of RocketMQ in cloud-native environments, a compromised broker can pivot to cloud metadata services, container orchestration APIs, and adjacent services.
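The management call described above travels over RocketMQ's binary remoting protocol, so a network sensor in front of a broker or NameServer can flag it. The decoder below is an added detection example, not RocketMQ project code: it parses the RemotingCommand frame layout (a 4-byte length, a 4-byte field whose top byte is the serialize type and whose low 24 bits are the JSON header length, then header and body), identifies the `UPDATE_BROKER_CONFIG` (25) and `UPDATE_NAMESRV_CONFIG` (318) request codes from RocketMQ's `RequestCode` constants, and inspects the properties body for the abused keys. The frames it analyses are constructed here with its own `build_frame` helper; the admin allowlist is a hypothetical parameter the operator supplies.

```python
"""Decode RocketMQ remoting frames and flag management requests that match
the CVE-2023-33246 abuse pattern. Added detection example; not RocketMQ code.
Sample frames are constructed with build_frame(); the request codes are
RocketMQ's RequestCode values for the config-update operations.
"""
import json
import struct

UPDATE_BROKER_CONFIG = 25
UPDATE_NAMESRV_CONFIG = 318
MANAGEMENT_CODES = {
    UPDATE_BROKER_CONFIG: "UPDATE_BROKER_CONFIG",
    UPDATE_NAMESRV_CONFIG: "UPDATE_NAMESRV_CONFIG",
}
# rocketmqHome feeds the filter-server start command; filterServerNums makes
# the broker spawn one. Together they are the exploit's configuration payload.
SENSITIVE_KEYS = {"rocketmqHome", "filterServerNums"}
SHELL_META = set(";|&$`")


def build_frame(code, body=b"", opaque=1):
    """Encode a JSON-header RemotingCommand frame (used here to build samples).
    The length field counts everything after itself."""
    header = {"code": code, "language": "JAVA", "version": 395,
              "opaque": opaque, "flag": 0, "extFields": {}}
    hdr = json.dumps(header, separators=(",", ":")).encode()
    length = 4 + len(hdr) + len(body)
    serialize_type = 0  # 0 = JSON header
    return struct.pack(">II", length, (serialize_type << 24) | len(hdr)) + hdr + body


def decode_frame(data):
    """Parse one frame; return (header dict, body bytes, bytes consumed)."""
    if len(data) < 8:
        raise ValueError("short frame")
    length, hl_field = struct.unpack(">II", data[:8])
    serialize_type = hl_field >> 24
    header_len = hl_field & 0xFFFFFF
    if serialize_type != 0:
        raise ValueError("only JSON headers are handled in this example")
    end = 4 + length
    if len(data) < end:
        raise ValueError("truncated frame")
    header = json.loads(data[8:8 + header_len])
    body = data[8 + header_len:end]
    return header, body, end


def parse_properties(body):
    """updateConfig bodies are Java properties text: key=value per line."""
    props = {}
    for line in body.decode("utf-8", "replace").splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def inspect_frame(data, src_ip, admin_allowlist):
    """Return a list of findings for one frame received from src_ip.
    admin_allowlist is a hypothetical set of IPs permitted to administer."""
    header, body, _ = decode_frame(data)
    code = header.get("code")
    findings = []
    if code not in MANAGEMENT_CODES:
        return findings
    name = MANAGEMENT_CODES[code]
    if src_ip not in admin_allowlist:
        findings.append(f"{name} from non-admin source {src_ip}")
    props = parse_properties(body)
    for key in sorted(SENSITIVE_KEYS & set(props)):
        value = props[key]
        if key == "rocketmqHome" and SHELL_META & set(value):
            findings.append(f"rocketmqHome contains shell metacharacters: {value!r}")
        elif key == "filterServerNums" and value not in ("0", ""):
            findings.append(f"filterServerNums set to {value}")
    return findings


if __name__ == "__main__":
    # Constructed sample: a config update carrying the exploit-style keys.
    suspicious = build_frame(UPDATE_BROKER_CONFIG,
                             b"filterServerNums=1\nrocketmqHome=/opt/rocketmq; id\n")
    for finding in inspect_frame(suspicious, "203.0.113.5", {"10.0.0.2"}):
        print("ALERT:", finding)
```

Run the block to see the three findings for the constructed frame; in a real deployment the same check belongs on traffic toward the NameServer (9876) and Broker (10911) ports, where any `UPDATE_*_CONFIG` request from outside the administrative network is worth an alert regardless of its body.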
Discovery
The vulnerability was identified by security researchers analyzing the authentication handling in RocketMQ's management interfaces. The Apache RocketMQ project released patches (versions 5.1.1 and 4.9.6) before the CVE was formally published, but the publication and subsequent PoC release triggered active exploitation.
Exploitation Context
Following public PoC availability in early June 2023, threat actors rapidly weaponized CVE-2023-33246. Security researchers documented multiple exploitation campaigns:
- Cryptominers: The primary initial exploiters, using RCE to deploy XMRig or similar cryptocurrency mining malware on compromised RocketMQ servers. The DreamBus botnet was documented exploiting CVE-2023-33246.
- Ransomware precursors: post-compromise reconnaissance tools were observed on compromised instances, consistent with use as an initial access vector for broader network intrusion, although no ransomware deployment through this CVE has been confirmed (the KEV entry records no known ransomware use).
The CISA KEV addition in September 2023 — three months after the CVE — reflects sustained exploitation of unpatched internet-exposed RocketMQ deployments. The vulnerability particularly affects RocketMQ deployments that were configured with management ports open to the internet without firewall restrictions.
Remediation
- Upgrade Apache RocketMQ to version 5.1.1 (for 5.x) or 4.9.6 (for 4.x) immediately.
- Restrict RocketMQ's NameServer and Broker ports (default: 9876 for NameServer, 10909/10911 for Broker) to trusted internal networks only — these should never be internet-accessible.
- Enable RocketMQ's ACL (Access Control List) feature so that clients must authenticate; treat this as defense in depth alongside the upgrade and the network restriction, not as a replacement for either.
- Audit RocketMQ configuration files for unauthorized modifications: check `broker.conf` and `namesrv.conf` for unexpected entries, in particular a `rocketmqHome` value containing shell syntax or a `filterServerNums` value the operator never set, since either indicates exploitation.
- Review broker logs for unexpected `updateConfig` calls or connections from external IP addresses.
- Inspect the RocketMQ host for unauthorized processes (cryptominers, backdoors) and check for new cron jobs or scheduled tasks.
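The configuration and log checks above can be scripted. The following is an added example written for this page, not RocketMQ project code: it parses a `broker.conf`, flags a `rocketmqHome` that carries shell syntax or differs from the operator-known install path, flags any non-zero `filterServerNums`, and scans broker log lines for `updateBrokerConfig` calls whose client address falls outside an administrative CIDR list. The configuration text and log lines are constructed for the example, and the log line shape it matches (`updateBrokerConfig ... client: /ip:port`) is an assumption about the broker's admin-processor logging, so adjust `LOG_RE` to what your broker version actually emits.

```python
"""Host-side audit for CVE-2023-33246 indicators. Added example, not
RocketMQ code. SAMPLE_CONF and SAMPLE_LOG are constructed inputs, and the
log format matched by LOG_RE is an assumption; adapt it to your broker logs.
"""
import ipaddress
import re

# Shell syntax that has no place in a filesystem path such as rocketmqHome.
SHELL_META = re.compile(r"[;|&`]|\$[@({]")
# Assumed log shape: "... updateBrokerConfig, new config: {...} client: /ip:port"
LOG_RE = re.compile(r"updateBrokerConfig.*client: /?(\d{1,3}(?:\.\d{1,3}){3}):\d+")


def parse_conf(text):
    """Minimal Java-properties parser: key=value per line, '#' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def audit_conf(text, expected_home):
    """Return findings for a broker.conf. expected_home is the installation
    directory the operator knows to be correct for this host."""
    props = parse_conf(text)
    findings = []
    home = props.get("rocketmqHome")
    if home is not None:
        if SHELL_META.search(home):
            findings.append(f"rocketmqHome contains shell syntax: {home!r}")
        elif home != expected_home:
            findings.append(f"rocketmqHome changed to {home!r}")
    nums = props.get("filterServerNums", "0")
    if nums != "0":
        findings.append(f"filterServerNums={nums}: broker will spawn filter servers")
    return findings


def audit_log(lines, admin_networks):
    """Return (source_ip, line) for every updateBrokerConfig call whose client
    address is outside the given administrative CIDRs."""
    nets = [ipaddress.ip_network(n) for n in admin_networks]
    flagged = []
    for line in lines:
        match = LOG_RE.search(line)
        if not match:
            continue
        ip = ipaddress.ip_address(match.group(1))
        if not any(ip in net for net in nets):
            flagged.append((str(ip), line.strip()))
    return flagged


# Constructed sample inputs (not captured from a real incident).
SAMPLE_CONF = """\
brokerClusterName=DefaultCluster
brokerName=broker-a
rocketmqHome=-c $@|sh . echo id;
filterServerNums=1
"""
SAMPLE_LOG = [
    "2023-06-02 10:14:58 INFO AdminBrokerProcessor - updateBrokerConfig, new config: {sendMessageThreadPoolNums=16} client: /10.0.0.2:40120",
    "2023-06-02 10:15:01 INFO AdminBrokerProcessor - updateBrokerConfig, new config: {filterServerNums=1, rocketmqHome=-c $@|sh . echo id;} client: /203.0.113.7:51234",
    "2023-06-02 10:15:02 INFO FilterServerManager - FilterServer process started",
]

if __name__ == "__main__":
    for finding in audit_conf(SAMPLE_CONF, "/opt/rocketmq"):
        print("CONF:", finding)
    for ip, line in audit_log(SAMPLE_LOG, ["10.0.0.0/8"]):
        print("LOG :", ip, "->", line)
```

A clean `broker.conf` on a patched host still deserves the log check: the exploit persists its values through the broker's own configuration update, so an attacker who later restores the file leaves the update call as the only trace.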
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2023-33246 |
| Vendor / Product | Apache — RocketMQ |
| NVD Published | 2023-05-24 |
| NVD Last Modified | 2025-10-23 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-94 |
| CISA KEV Added | 2023-09-06 |
| CISA KEV Deadline | 2023-09-27 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2023-05-17 | Apache RocketMQ releases versions 5.1.1 and 4.9.6 patching CVE-2023-33246 |
| 2023-05-24 | CVE-2023-33246 published — unauthenticated RCE via exposed NameServer/Broker management functions |
| 2023-06-01 | Public PoC exploit code published; mass scanning begins against internet-exposed RocketMQ instances |
| 2023-09-06 | CISA adds to Known Exploited Vulnerabilities catalog — active exploitation by multiple threat actors confirmed |
| 2023-09-27 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Apache RocketMQ Security Advisory — CVE-2023-33246 | Vendor Advisory |
| NVD — CVE-2023-33246 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |