Critical DoS Vulnerability in Apache ActiveMQ Exposes Systems to Disruption
A severe vulnerability in Apache ActiveMQ, a widely used open-source message broker, has been disclosed, allowing threat actors to trigger Denial-of-Service (DoS) conditions by exploiting improper validation in MQTT packet handling. Tracked as CVE-2025-66168, the flaw affects multiple ActiveMQ components, including the core broker, All module, and MQTT transport module.
The vulnerability was reported by Christopher L. Shannon on March 3, 2026, via the Apache users mailing list. ActiveMQ, which facilitates communication between distributed systems using protocols like MQTT, AMQP, and OpenWire, is particularly critical in IoT deployments and microservices architectures.
The issue stems from improper validation of the “remaining length” field in MQTT control packets. According to the MQTT v3.1.1 specification, this field is limited to four bytes to prevent overflow. However, affected ActiveMQ versions fail to enforce this restriction, allowing attackers to craft malformed packets that trigger an integer overflow during decoding. This causes the broker to misinterpret the payload, leading to resource exhaustion or service disruption.
Exploitation requires an authenticated MQTT session, meaning attackers must first establish a valid connection. While the flaw does not enable remote code execution or data breaches, it can cripple message delivery, disrupting IoT networks and microservices reliant on ActiveMQ. Systems not using MQTT transport connectors remain unaffected.
The vulnerability impacts the following versions:
- Apache ActiveMQ (core): Before 5.19.2, 6.0.0–6.1.8, and 6.2.0
- Apache ActiveMQ All Module: Before 5.19.2, 6.0.0–6.1.8, and 6.2.0
- Apache ActiveMQ MQTT Module: Before 5.19.2, 6.0.0–6.1.8, and 6.2.0
Apache has released patches in versions 5.19.2, 6.1.9, and 6.2.1, which enforce proper validation of the “remaining length” field to prevent overflow. The flaw highlights the risks of protocol parsing oversights in message brokers, which can lead to widespread availability issues in connected systems.
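To make the parsing flaw concrete, the following added example (written for this article, not ActiveMQ's own code) decodes the MQTT 3.1.1 fixed-header Remaining Length two ways: a spec-compliant decoder that stops at four bytes, and an unbounded variant that illustrates the bug class by accumulating into a 32-bit integer. The sample headers are constructed, and the `to_int32` helper exists only to emulate Java-style int wraparound.

```python
# Added example, not ActiveMQ's own code: decoding the MQTT 3.1.1 fixed-header
# "Remaining Length", a variable-length integer of 1 to 4 bytes (7 data bits per
# byte, high bit set = "more bytes follow"); the spec maximum is 268,435,455.
MAX_REMAINING_LENGTH_BYTES = 4
MAX_REMAINING_LENGTH = 268_435_455  # encoded as FF FF FF 7F

class MalformedPacket(ValueError):
    """Raised when the fixed header violates MQTT 3.1.1 section 2.2.3."""

def decode_remaining_length(buf: bytes, offset: int = 1) -> tuple[int, int]:
    """Spec-compliant decoder; returns (remaining_length, bytes_consumed).

    Stops after four bytes instead of continuing to accumulate, which is the
    limit the article says the affected ActiveMQ versions did not enforce."""
    value, multiplier = 0, 1
    for i in range(MAX_REMAINING_LENGTH_BYTES):
        if offset + i >= len(buf):
            raise MalformedPacket("truncated Remaining Length field")
        byte = buf[offset + i]
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:  # continuation bit clear: field complete
            return value, i + 1
        multiplier *= 128
    raise MalformedPacket("Remaining Length encoded in more than 4 bytes")

def to_int32(n: int) -> int:
    """Emulate signed 32-bit wraparound (Java-style int arithmetic)."""
    n &= 0xFFFFFFFF
    return n - (1 << 32) if n & 0x80000000 else n

def decode_remaining_length_unbounded(buf: bytes, offset: int = 1) -> tuple[int, int]:
    """Illustration of the bug class only: no byte limit, 32-bit accumulator.

    A fifth byte is weighted 128**4 = 2**28, so the sum can exceed 32 bits and
    the decoded frame length wraps, here to a negative number."""
    value, multiplier, i = 0, 1, 0
    while True:
        byte = buf[offset + i]
        value = to_int32(value + (byte & 0x7F) * multiplier)
        multiplier = to_int32(multiplier * 128)
        i += 1
        if not byte & 0x80:
            return value, i

# Constructed sample fixed headers (first byte 0x30 = PUBLISH, QoS 0).
PUBLISH_127 = bytes([0x30, 0x7F])                       # Remaining Length 127
PUBLISH_128 = bytes([0x30, 0x80, 0x01])                 # Remaining Length 128
PUBLISH_MAX = bytes([0x30, 0xFF, 0xFF, 0xFF, 0x7F])     # 268,435,455, spec max
OVERLONG = bytes([0x30, 0xFF, 0xFF, 0xFF, 0xFF, 0x7F])  # five bytes: invalid
```

The compliant decoder rejects `OVERLONG` outright, while the unbounded variant returns a frame length of -1 for it, the kind of misinterpreted length that can drive a broker into the resource-exhaustion path the article describes.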
Source: https://cyberpress.org/apache-activemq-vulnerability/
The Apache Software Foundation cybersecurity rating report: https://www.rankiteo.com/company/the-apache-software-foundation