Find notable cyber news and cases, enriched with sources, timelines, and signals.

Apache ActiveMQ CVE-2023-46604 exploitation wave

Exploitation Wave
First reported
Last updated
Happening score
H score 57
1 unique sources, 1 articles

Summary

Hide ▲

A heavy exploitation wave is targeting Apache ActiveMQ CVE-2023-46604, creating broad post-compromise risk for cloud Linux systems. Multiple threat actors are using the flaw to deploy payloads such as HelloKitty ransomware, Linux rootkits, GoTitan botnet malware, and Godzilla web shell. In some attacks, operators modify sshd to enable root login and use Sliver or Cloudflare Tunnels for covert control. Attackers have also been observed patching the exploited flaw after access, which helps them block rival exploitation and preserve persistence.

Related Happenings

Marimo CVE-2026-39987 exploitation wave

Exploitation Wave
H score51 First: 12.04.2026 17:20 Last: 12.04.2026 17:20 Sources 1

About this happening: **Marimo** exploitation activity surged **within 12 hours of disclosure**, with **125 IP addresses** beginning reconnaissance against **CVE-2026-39987** and the **/terminal/ws** e...

UNC6485 Triofox CVE-2025-12480 exploitation campaign

Campaign
H score40 First: 10.11.2025 22:49 Last: 10.11.2025 22:49 Sources 1

About this happening: The **UNC6485** campaign is actively exploiting **CVE-2025-12480** in **Gladinet Triofox**, turning a patched flaw into unauthorized access and post-exploitation footholds. The ac...

XWiki eval injection actively exploited remote code execution flaw (CVE-2025-24893)

Vulnerability
H score56 First: 29.10.2025 09:44 Last: 29.10.2025 09:44 Sources 1

About this happening: The **XWiki** eval injection flaw **CVE-2025-24893** is being **actively exploited**, putting exposed servers at risk of **remote code execution** via **/bin/get/Main/SolrSearch**...

Jenkins server actively exploited security flaw (CVE-2024-23897)

Vulnerability
H score0 First: 16.10.2025 17:28 Last: 16.10.2025 17:28 Sources 1

About this happening: In an **AWS-hosted environment**, **CVE-2024-23897** on an **exposed Jenkins server** was used as the initial foothold, creating an intrusion path that led to malware deployment o...

ShadowV2 cloud-native DDoS botnet activity

Malware Activity
H score31 First: 23.09.2025 23:35 Last: 23.09.2025 23:35 Sources 1

About this happening: The **ShadowV2** **DDoS-for-hire botnet** is actively being used against websites, and its cloud-native design makes it harder to detect and disrupt. It targets **Internet-exposed...

Timeline

  1. 19.08.2025 20:37 1 articles · 10mo ago

    Apache ActiveMQ CVE-2023-46604 exploitation with DripDropper

    Technical Analysis Update

    Threat actors are exploiting CVE-2023-46604 in Apache ActiveMQ to gain persistent access to cloud Linux systems, modify sshd configurations to enable root login, and deploy the DripDropper downloader. The activity includes covert command and control through Sliver and Cloudflare Tunnels, attacker-controlled Dropbox communications, and a final step that downloads Apache Maven patches for CVE-2023-46604 after access is established, allowing the operators to block rival exploitation while preserving their own persistence.

    Show sources