The Apache Software Foundation has disclosed a critical vulnerability in its ActiveMQ NMS AMQP Client that could allow attackers to execute arbitrary code on vulnerable systems.
Tracked as CVE-2025-54539, this deserialization flaw poses a serious risk to applications relying on the client for messaging over AMQP protocols.
The issue was publicly detailed in an advisory on October 15, 2025, urging immediate upgrades to mitigate potential exploits.
The vulnerability stems from improper handling of untrusted data received during connections to AMQP servers. Specifically, in versions up to and including 2.3.0, the client applies deserialization logic to server-supplied data without effective bounds on what it will reconstruct, which a malicious server can abuse.
By crafting specially designed responses, attackers could trigger remote code execution on the client side, potentially compromising entire networks or applications.
Deserialization weaknesses of this kind have long been a vector for sophisticated attacks, because they bypass typical input validation and directly manipulate object state in memory.
Apache ActiveMQ Vulnerability
Efforts to secure the client weren’t foolproof. Starting with version 2.1.0, Apache introduced allow and deny lists to restrict deserialization, aiming to limit what classes could be instantiated from incoming data.
However, security researchers at Endor Labs discovered that these controls could be circumvented under specific conditions, such as through cleverly nested objects or alternative serialization paths.
This bypass effectively nullified the protection, leaving users exposed to the full scope of the flaw. The discovery highlights the challenges in securing legacy serialization mechanisms, especially in .NET environments where binary formats have been a staple.
As .NET 9 deprecates binary serialization (a move by Microsoft to curb similar risks), Apache is now weighing the complete removal of this support from the NMS API in upcoming releases.
This shift aligns with broader industry trends toward safer alternatives like JSON or Protocol Buffers, reducing the attack surface for deserialization-based exploits.
Mitigations
To address CVE-2025-54539, Apache recommends upgrading to version 2.4.0 or later, where the deserialization logic has been fortified against these attacks.
For projects still tied to .NET binary serialization, migrating to modern formats is essential as a hardening measure.
Organizations using ActiveMQ in distributed systems, such as financial services or IoT infrastructures, should prioritize patching to prevent lateral movement by threat actors.
Discovered by Endor Labs’ Security Research Team, this vulnerability underscores the need for vigilant third-party dependency management.
With a CVSS score indicating important severity, unpatched instances could invite ransomware or data exfiltration.
Developers are advised to scan their supply chains and test connections to external AMQP brokers, ensuring no untrusted endpoints can influence client behavior.