OpenMQ exposes a TCP-based management service (imqbrokerd) that by default requires authentication. However, the product ships with a default administrative account (admin/ admin) and does not enforce a mandatory password change on first use. After the first successful login, the server continues to accept the default password indefinitely without warning or enforcement.
In real-world deployments, this service is often left enabled without changing the default
credentials. As a result, a remote attacker with access to the service port could authenticate
as an administrator and gain full control of the protocol’s administrative features.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
High
Complete denial of service
CVSS Vector v3.1
Weakness Type (CWE)
Vulnerable Products 2
| Configuration | From (including) | Up to (excluding) |
|---|---|---|
|
Elipse Openmq
cpe:2.3:a:elipse:openmq:*:*:*:*:*:*:*:*
|
— | — |
|
Eclipse Openmq
cpe:2.3:a:eclipse:openmq:*:*:*:*:*:*:*:*
|
— | — |