Unauthenticated RCE in Apache RocketMQ update configuration
CVE-2023-33246 is a remote command execution vulnerability in Apache RocketMQ affecting versions 5.1.0 and earlier; the corresponding 4.x line is addressed in 4.9.6. Under certain conditions, exposed RocketMQ components, including NameServer, Broker, and Controller, can be reached without adequate permission verification. An attacker can abuse the update configuration function to inject a malicious value, for example setting a configuration property such as rocketmqHome to shell command content, causing RocketMQ to execute attacker-controlled commands as the operating system user running the service. The issue can also be triggered by forging RocketMQ protocol content. Public reporting and observed exploitation show attackers sending crafted RocketMQ protocol requests, including requests that invoke the configuration update behavior, to achieve command execution and deploy follow-on payloads such as miners or botnet malware.
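Because the vulnerable path is a configuration update that the broker applies and logs, one practical detection is to review the broker's own log for config updates that arrive from unexpected hosts or that set rocketmqHome to something other than a plain filesystem path. The script below is an added example written for this page, not code from the Mallory page or from the RocketMQ project. It assumes a log line shape modelled on the message the broker writes when a config update is applied (the sample lines are constructed, and the exact wording in your broker.log should be checked before relying on the regex), and it assumes an allow-list of administrative source networks (ALLOWED_ADMIN_NETS, a placeholder value here).

```python
import ipaddress
import re

# Assumption: the networks from which legitimate mqadmin/config updates originate.
ALLOWED_ADMIN_NETS = [ipaddress.ip_network("10.0.5.0/24")]

# Characters that never belong in a filesystem path such as rocketmqHome.
SHELL_META = re.compile(r"[\s;|&$`<>(){}]")

# Constructed sample lines, modelled on the broker's "updateBrokerConfig" log message.
# The client address and the config map in your own broker.log may be formatted differently.
SAMPLE_LOG = """\
2023-06-01 10:15:02 INFO AdminBrokerProcessor - updateBrokerConfig, new config: [{flushDiskType=SYNC_FLUSH}] client: /10.0.5.7:53122
2023-06-01 10:15:40 INFO AdminBrokerProcessor - updateBrokerConfig, new config: [{rocketmqHome=/tmp/x; id, filterServerNums=1}] client: /203.0.113.9:41020
2023-06-01 10:16:11 INFO AdminBrokerProcessor - updateBrokerConfig, new config: [{rocketmqHome=/opt/rocketmq}] client: /10.0.5.7:53130
"""

# Assumed line shape: "... updateBrokerConfig, new config: [{k=v, k2=v2}] client: /ip:port"
LOG_RE = re.compile(
    r"updateBrokerConfig, new config: \[\{(?P<cfg>.*?)\}\] client: /(?P<ip>[^:\s]+):(?P<port>\d+)"
)


def parse_config(cfg: str) -> dict:
    """Turn the Java-style '{k=v, k2=v2}' body into a dict (first '=' splits key from value)."""
    props = {}
    for item in cfg.split(", "):
        if "=" in item:
            key, value = item.split("=", 1)
            props[key.strip()] = value
    return props


def analyse_line(line: str):
    """Return a finding dict for a config-update line, or None for any other line."""
    match = LOG_RE.search(line)
    if not match:
        return None
    client_ip = ipaddress.ip_address(match.group("ip"))
    props = parse_config(match.group("cfg"))
    reasons = []
    # Any config update from outside the admin networks is worth a look on its own.
    if not any(client_ip in net for net in ALLOWED_ADMIN_NETS):
        reasons.append(f"config update from non-admin host {client_ip}")
    # rocketmqHome must be a plain absolute path; shell metacharacters indicate abuse.
    home = props.get("rocketmqHome")
    if home is not None and (SHELL_META.search(home) or not home.startswith("/")):
        reasons.append(f"rocketmqHome is not a plain absolute path: {home!r}")
    return {"client": str(client_ip), "keys": sorted(props), "reasons": reasons}


def scan_log(text: str) -> list:
    """All config-update events found in the log text, flagged or not."""
    return [r for r in (analyse_line(l) for l in text.splitlines()) if r is not None]


def alerts(text: str) -> list:
    """Only the events that triggered at least one reason."""
    return [r for r in scan_log(text) if r["reasons"]]


if __name__ == "__main__":
    for finding in alerts(SAMPLE_LOG):
        print(finding)
```

Run against the constructed sample, only the second line is reported: it comes from a host outside the allowed range and sets rocketmqHome to a value containing shell metacharacters. The first and third updates are from an admin host and set ordinary values, so they are recorded by scan_log but produce no alert. In production, feed the real broker.log through scan_log and tune ALLOWED_ADMIN_NETS and LOG_RE to your environment.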
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (5 hidden).
This repository is a proof-of-concept exploit for CVE-2023-33246, targeting Apache RocketMQ (version 4.9.1 as per the Maven dependency). The main exploit logic is implemented in 'src/main/java/org/example/Main.java'. The exploit attempts to update the configuration of RocketMQ brokers at three hardcoded IP addresses by injecting a malicious value into the 'rocketmqHome' property. The payload is designed to execute a shell command on the target, which pings a unique domain (chr17sz2vtc0000ymdaggehyuhhyyyyyb.oast.fun) for out-of-band detection of successful command execution. The repository includes standard Java project files and Maven configuration, with the exploit code as the main entry point. No framework is used; this is a standalone Java POC. The attack vector is network-based, requiring access to the RocketMQ broker's management interface.
This repository provides an operational exploit and detection toolkit for CVE-2023-33246, a remote code execution vulnerability in Apache RocketMQ (versions 5.1.0 and below). The main exploit script, 'CVE-2023-33246_RocketMQ_RCE_EXPLOIT.py', crafts and sends a malicious RocketMQ protocol message to a specified broker IP and port (default 10911), injecting arbitrary system commands via the configuration update mechanism. The exploit is executed over a raw TCP connection and can run any command as the RocketMQ service user. The repository also includes 'check.py', a multi-threaded scanner that can check single IPs, files of targets, or CIDR ranges for vulnerable RocketMQ instances, defaulting to port 9876 (nameserver) but configurable. The README provides detailed usage instructions, detection guidance, and mitigation advice. No hardcoded C2 or external endpoints are present in the code, but the exploit is capable of executing arbitrary commands, including those that may reach out to attacker-controlled infrastructure. The repository is structured for both exploitation and detection, with clear separation between the exploit and scanning logic.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A remote code execution vulnerability in Apache RocketMQ broker affecting the exposed RocketMQ 4.3.2 instance discussed in the report.
An Apache RocketMQ remote command execution vulnerability affecting RocketMQ versions 5.1.0 and earlier, caused by improper validation in an update configuration function that lets unauthenticated attackers modify broker configuration and execute arbitrary commands.
Critical remote command execution vulnerability in Apache RocketMQ. Initially patched in May 2023, but the fix was incomplete for the NameServer component, leaving versions 5.1 and older affected when NameServer is exposed without proper permission checks.
Earlier Apache RocketMQ NameServer-related Remote Code Execution vulnerability that was patched in May 2023 but described as not fully addressing the underlying issue later tracked as CVE-2023-37582.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.