[Security Vulnerability Alert] Apache ActiveMQ NMS AMQP has a high-risk security vulnerability (CVE-2025-54539). Please verify and patch as soon as possible.

Issued by: Digital Services Division, Office of Library and Information Services
Date range: 2025/10/23 ~ 2026/4/23
 

Forwarded from the National Information Security Information Sharing and Analysis Center (NISAC-200-202510-00000201)

[Description]
Researchers have discovered a Deserialization of Untrusted Data vulnerability (CVE-2025-54539) in the Apache ActiveMQ NMS AMQP client. When an affected client establishes a connection to an untrusted AMQP server, an unauthenticated remote attacker can return specially crafted serialized data, potentially allowing arbitrary code execution on the client. Please verify and patch as soon as possible.

[Affected Platforms]
Apache ActiveMQ NMS AMQP 2.3.0 and earlier

[Recommended Action]
Please update Apache ActiveMQ NMS AMQP to version 2.4.0 or later.

[References]
1. https://nvd.nist.gov/vuln/detail/CVE-2025-54539
2. https://lists.apache.org/thread/9k684j07ljrshy3hxwhj5m0xjmkz1g2n
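
One way to carry out the "verify" step is to scan source trees and build output for references to the client below 2.4.0. This is an added example, not part of the forwarded advisory or of the Apache project. It assumes the client is consumed as the NuGet package `Apache.NMS.AMQP` and that versions are recorded in the file types listed in the comments.

```python
import re
from pathlib import Path

PACKAGE = "Apache.NMS.AMQP"  # assumed NuGet package id of the affected client
FIXED = (2, 4, 0)            # first fixed version, from the advisory
_ID = re.escape(PACKAGE)

# Assumed locations of a pinned version (Include/id must precede Version).
PATTERNS = [
    # *.csproj, Directory.Packages.props
    re.compile(r'<Package(?:Reference|Version)\b[^>]*\bInclude="%s"[^>]*\bVersion="([^"]+)"' % _ID, re.I),
    # packages.config
    re.compile(r'<package\b[^>]*\bid="%s"[^>]*\bversion="([^"]+)"' % _ID, re.I),
    # *.deps.json, project.assets.json: "Apache.NMS.AMQP/2.3.0"
    re.compile(r'"%s/([0-9][^"]*)"' % _ID, re.I),
]
SUFFIXES = {".csproj", ".props", ".config", ".json"}

def parse_version(text):
    """Numeric (major, minor, patch) prefix of a version string, else None."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    return tuple(int(p or 0) for p in m.groups()) if m else None

def find_versions(text):
    """All distinct version strings recorded for PACKAGE in one file's text."""
    return sorted({v for p in PATTERNS for v in p.findall(text)})

def is_affected(version):
    """True for 2.3.0 and earlier; unparseable values (ranges, MSBuild
    properties) are also flagged so that someone reviews them."""
    parsed = parse_version(version)
    return parsed is None or parsed < FIXED

def scan_tree(root):
    """Return (path, version) for every affected reference under root."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="ignore")
            findings += [(str(path), v) for v in find_versions(text) if is_affected(v)]
    return findings

if __name__ == "__main__":
    import sys
    for path, version in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: {PACKAGE} {version} is below 2.4.0 or needs review")
```

Run it against both the repository and the published output directory, since a transitive dependency shows up only in `*.deps.json` or `project.assets.json`.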

