The Apache Software Foundation has issued a new security advisory addressing a critical vulnerability in Apache ActiveMQ’s NMS AMQP Client, which could allow remote code execution (RCE) on systems connecting to untrusted AMQP servers.
The flaw, tracked as CVE-2025-54539, affects all versions up to and including 2.3.0 of the Apache ActiveMQ NMS AMQP Client — a .NET component used to connect applications to ActiveMQ message brokers.
“A Deserialization of Untrusted Data vulnerability exists in the Apache ActiveMQ NMS AMQP Client,” the advisory warns.
According to the Apache advisory, the vulnerability impacts Apache ActiveMQ NMS AMQP Client through version 2.3.0 and is triggered when establishing connections to untrusted AMQP servers.
“Malicious servers could exploit unbounded deserialization logic present in the client to craft responses that may lead to arbitrary code execution on the client side,” Apache explained.
In other words, attackers could weaponize compromised or malicious AMQP endpoints to execute arbitrary code on client systems that connect to them, potentially leading to data exfiltration or lateral movement within enterprise networks.
The vulnerability stems from unsafe deserialization logic in the NMS AMQP client implementation. Although Apache introduced a mitigation mechanism in version 2.1.0 to restrict deserialization via allow/deny lists, this protection was later found to be bypassable under specific conditions.
“Although version 2.1.0 introduced a mechanism to restrict deserialization via allow/deny lists, the protection was found to be bypassable under certain conditions,” the advisory noted.
This means even users who had upgraded to 2.1.x or 2.3.x versions were still exposed to potential exploitation, especially when connecting to untrusted or third-party AMQP brokers.
Apache’s advisory also ties this issue to Microsoft’s broader move to deprecate binary serialization in .NET 9, citing the security risks associated with deserialization attacks.
“In line with Microsoft’s deprecation of binary serialization in .NET 9, the project is evaluating the removal of .NET binary serialization support from the NMS API entirely in future releases,” Apache stated.
Apache recommends that all users upgrade immediately to version 2.4.0 or later, which fully resolves the issue.
In addition to applying the patch, Apache advises developers to “migrate away from .NET binary serialization as part of a long-term hardening strategy.”
Organizations that cannot update immediately should ensure that connections are only established with trusted AMQP brokers and that network-level access controls are in place to limit exposure.
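The advisory's long-term advice is to stop handing broker-supplied bytes to .NET binary deserialization at all. The following is an added illustration of that hardening stance, not code from Apache or from the NMS AMQP client: a consumer-side body decoder that only accepts a declared JSON content type, parses it into one sealed, closed-shape record, and refuses everything else before any parser runs. The `OrderEvent` type, the `application/json` expectation, the size limit, and the constructed sample bodies (including the made-up `application/x-dotnet-binary` content type) are assumptions for the example; the actual NMS message API is abstracted to a content-type string plus a byte array.

```csharp
// Added example (not Apache's or the NMS AMQP client's code).
// Requires .NET 8 or later for JsonUnmappedMemberHandling.
using System;
using System.Text;
using System.Text.Json;
using System.Text.Json.Serialization;

// A closed, sealed shape: nothing here can express a type name or an
// arbitrary object graph, so a malicious broker cannot steer what gets built.
public sealed class OrderEvent
{
    public string OrderId { get; init; } = "";
    public decimal Amount { get; init; }
}

public static class SafeBodyDecoder
{
    // The only content type this consumer will ever parse (assumption for the example).
    private const string ExpectedContentType = "application/json";
    private const int MaxBodyBytes = 64 * 1024;

    private static readonly JsonSerializerOptions Options = new()
    {
        // Unknown members are an error rather than silently ignored, so
        // an untrusted server cannot smuggle extra fields through.
        UnmappedMemberHandling = JsonUnmappedMemberHandling.Disallow,
        PropertyNameCaseInsensitive = false,
        MaxDepth = 8,
    };

    // Returns true and a populated OrderEvent only for a well-formed, expected body.
    public static bool TryDecode(string? contentType, byte[] body,
                                 out OrderEvent? evt, out string reason)
    {
        evt = null;
        // Reject by declared type before touching the bytes: binary-serialized
        // payloads never reach a deserializer that could instantiate types.
        if (!string.Equals(contentType, ExpectedContentType, StringComparison.OrdinalIgnoreCase))
        {
            reason = $"refused: unexpected content type '{contentType}'";
            return false;
        }
        if (body.Length > MaxBodyBytes)
        {
            reason = "refused: body exceeds size limit";
            return false;
        }
        try
        {
            evt = JsonSerializer.Deserialize<OrderEvent>(body, Options);
        }
        catch (JsonException ex)
        {
            reason = $"refused: malformed JSON ({ex.Message})";
            return false;
        }
        if (evt is null || string.IsNullOrEmpty(evt.OrderId))
        {
            reason = "refused: missing OrderId";
            return false;
        }
        reason = "accepted";
        return true;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample bodies for the demonstration.
        byte[] good = Encoding.UTF8.GetBytes("{\"OrderId\":\"A-1001\",\"Amount\":12.50}");
        byte[] extraField = Encoding.UTF8.GetBytes("{\"OrderId\":\"A-1002\",\"Amount\":1,\"$type\":\"x\"}");
        byte[] binaryLike = { 0x00, 0x01, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF }; // opaque bytes, never parsed

        Report("application/json", good);            // accepted
        Report("application/json", extraField);      // refused: unmapped member
        Report("application/x-dotnet-binary", binaryLike); // refused: content type
    }

    private static void Report(string contentType, byte[] body)
    {
        bool ok = SafeBodyDecoder.TryDecode(contentType, body, out var evt, out var reason);
        Console.WriteLine(ok ? $"{reason}: {evt!.OrderId} {evt.Amount}" : reason);
    }
}
```

The point of the design is that the decision to reject happens on metadata and size, before any deserializer is invoked, and the only deserializer that does run targets a fixed type with no type-name indirection. That is the property an allow/deny list on a binary formatter tries to approximate and, as the advisory notes, can fail to deliver.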