- Vulnerability/
- ZDI-25-266
ZDI-25-266: Apache ActiveMQ NMS Body Deserialization of Untrusted Data Remote Code Execution Vulnerability
First published: Wed Apr 30 2025(Updated: )
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Apache ActiveMQ NMS. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The ZDI has assigned a CVSS rating of 8.1. The following CVEs are assigned: CVE-2025-29953.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache ActiveMQ NMS OpenWire Client |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of ZDI-25-266?
The severity of ZDI-25-266 is evaluated as critical due to its potential to allow remote code execution.
How do I fix ZDI-25-266?
To fix ZDI-25-266, update Apache ActiveMQ NMS to the latest patched version as recommended by the vendor.
What versions of Apache ActiveMQ NMS are affected by ZDI-25-266?
ZDI-25-266 affects all versions of Apache ActiveMQ NMS that have not been patched.
What type of attacks are possible with ZDI-25-266?
ZDI-25-266 allows remote attackers to execute arbitrary code, which can lead to full system compromise.
Is user interaction required to exploit ZDI-25-266?
Yes, interaction with the affected library is required to exploit the ZDI-25-266 vulnerability.
- collector/zdi-published
- source/ZDI
- alias/ZDI-CAN-22235
- agent/references
- agent/title
- agent/last-modified-date
- agent/source
- agent/type
- agent/description
- agent/first-publish-date
- agent/event
- agent/tags
- agent/softwarecombine
- agent/guess-ai
- agent/software-canonical-lookup
- vendor/apache
- canonical/apache activemq nms openwire client