OpenMQ exposes a TCP-based management service (imqbrokerd) that by default requires authentication. However, the product ships with a default administrative account (admin/ admin) and does not enforce a mandatory password change on first use. After the first successful login, the server continues to accept the default password indefinitely without warning or enforcement. In real-world deployments, this service is often left enabled without changing the default credentials. As a result, a remote attacker with access to the service port could authenticate as an administrator and gain full control of the protocol’s administrative features.
The management service based on the TCP protocol (imqbrokerd) is enabled by default and requires authentication, however the product is shipped with a predefined administrator account with credentials admin/admin. The system does not enforce a password change on first login or at any later time. After the first successful login, the server accepts the default password indefinitely, without warnings or mechanisms forcing its change. In practical deployments, this service is often left enabled without modification of the default authentication credentials.
An attacker with network access to the service port can authenticate as an administrator and gain full control over the administrative functions of the OpenMQ broker, which may lead to violations of confidentiality, integrity, and system availability.
The default administrator account password (admin/admin) should be immediately changed to a strong, unique password. Patches available from the vendor should be applied according to the references. Additionally, it is recommended to restrict network access to the imqbrokerd service port only to trusted hosts using a firewall and to audit all deployments for the use of default login credentials.
Eclipse OpenMQ — versions indicated in vendor references
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HEclipse Openmq
APPEclipsewszystkie wersje
Related vulnerabilities
Path Traversal w Eclipse OpenMQ umożliwia odczyt plików i potencjalny RCE
An authenticated Remote Code Execution (RCE) vulnerability was identified in GlassFish's Administration Consol...
A critical Remote Code Execution (RCE) vulnerability was identified in the server-side template rendering mech...
Eclipse Theia Website: RCE w CI/CD przez podatny trigger GitHub Actions
Eclipse Cyclone DDS — błędna weryfikacja czasu certyfikatu umożliwia eskalację uprawnień