CVE-2023-37582

Tags: CRITICAL · EXPLOITED IN THE WILD · NUCLEI

Apache RocketMQ - Remote Command Execution

Title source: nuclei

Exploitation Summary

CVE-2023-37582 has been observed exploited in the wild (reported by VulnCheck KEV and InTheWild.io). EIP tracks 3 public exploits, from Malayke, shoucheng3 and laishouchao. A Nuclei detection template is also available.

AI-analyzed exploit summary: This PoC exploits CVE-2023-37582, an arbitrary file write vulnerability in Apache RocketMQ's nameserver. It sends a crafted JSON payload to write a file to `/tmp/pwned` via the UPDATE_NAMESRV_CONFIG request.

Description

The RocketMQ NameServer component still has a remote command execution vulnerability because the CVE-2023-33246 issue was not completely fixed in version 5.1.1. When a NameServer address is exposed on the Internet and the service lacks permission verification, an attacker can exploit this vulnerability by using the update-configuration function of the NameServer component to execute commands as the system user that RocketMQ runs as. Users are advised to upgrade the NameServer to version 5.1.2 or above for RocketMQ 5.x, or 4.9.7 or above for RocketMQ 4.x, to prevent these attacks.
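The description above says the attack is an unauthenticated UPDATE_NAMESRV_CONFIG request to the NameServer port (9876 by default). The block below is an added example, not code from this page, from the PoC authors or from the RocketMQ project: a small codec for the RocketMQ remoting frame plus a passive detector that flags config-update requests reaching the NameServer and, within them, the property keys that redirect where the config file is written. The frame layout (4-byte total length, a 4-byte word whose top byte is the serialize type and low 24 bits the header length, a JSON header, a raw body), the request codes 318 (UPDATE_NAMESRV_CONFIG) and 319 (GET_NAMESRV_CONFIG), and the key names `configStorePath` / `rocketmqHome` are assumptions taken from my reading of the RocketMQ source; verify them against the version you run. The sample frames are constructed inline.

```python
"""Passive detector for CVE-2023-37582-style NameServer config updates.

Added example (not RocketMQ project code).  Frame format, request codes and
sensitive key names are assumptions from my reading of RocketMQ's
RemotingCommand / RequestCode / DefaultRequestProcessor; verify before use.
"""
import json
import struct

UPDATE_NAMESRV_CONFIG = 318   # assumed RequestCode value
GET_NAMESRV_CONFIG = 319      # assumed RequestCode value
SERIALIZE_JSON = 0            # assumed SerializeType code for JSON headers

# Keys whose remote update redirects or abuses the NameServer config file.
# Assumed from the 4.9.7 / 5.1.2 hardening; extend for your deployment.
SENSITIVE_KEYS = {"configStorePath", "rocketmqHome"}


def encode_frame(code, body=b"", opaque=1):
    """Build one request frame: [total len][type<<24 | header len][header][body]."""
    header = {"code": code, "language": "JAVA", "version": 0,
              "opaque": opaque, "flag": 0}
    hdr = json.dumps(header, separators=(",", ":")).encode()
    if len(hdr) > 0xFFFFFF:
        raise ValueError("header too long for 24-bit length field")
    type_and_len = (SERIALIZE_JSON << 24) | len(hdr)
    total = 4 + len(hdr) + len(body)       # length word excludes itself
    return struct.pack(">II", total, type_and_len) + hdr + body


def decode_frame(buf):
    """Parse a frame into (header dict, body bytes); reject malformed lengths."""
    if len(buf) < 8:
        raise ValueError("short frame")
    total, type_and_len = struct.unpack(">II", buf[:8])
    stype, hlen = type_and_len >> 24, type_and_len & 0xFFFFFF
    if stype != SERIALIZE_JSON:
        raise ValueError("non-JSON header serialization not handled")
    if 4 + total != len(buf) or hlen > total - 4:
        raise ValueError("length mismatch")
    header = json.loads(buf[8:8 + hlen])
    return header, buf[8 + hlen:4 + total]


def parse_properties(body):
    """Approximation of java.util.Properties.load: key=value, one per line."""
    props = {}
    for line in body.decode("utf-8", "replace").splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def inspect_frame(buf, src):
    """Return findings for one client->NameServer frame ([] if uninteresting)."""
    header, body = decode_frame(buf)
    if header.get("code") != UPDATE_NAMESRV_CONFIG:
        return []
    props = parse_properties(body)
    findings = [f"{src}: UPDATE_NAMESRV_CONFIG (318) setting {sorted(props)}"]
    for key in sorted(SENSITIVE_KEYS & props.keys()):
        findings.append(f"{src}: {key}={props[key]!r} redirects the config "
                        f"file write (CVE-2023-37582 pattern)")
    return findings


if __name__ == "__main__":
    # Constructed sample traffic, not captured from a real system.
    samples = [
        ("10.0.0.5", encode_frame(UPDATE_NAMESRV_CONFIG,
                                  b"configStorePath=/tmp/pwned\n")),
        ("10.0.0.6", encode_frame(GET_NAMESRV_CONFIG)),
    ]
    for src, frame in samples:
        for finding in inspect_frame(frame, src):
            print(finding)
```

Any UPDATE_NAMESRV_CONFIG request from outside the operator network is worth an alert on its own: on a patched NameServer the sensitive keys are rejected, but the request reaching the port at all means the "lack permission verification" precondition in the description holds.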

Exploits (3)

nomisec · WORKING POC · 45 stars
by Malayke · remote
https://github.com/Malayke/CVE-2023-37582_EXPLOIT


Classification: Working PoC (95%)
Attack Type: Other
Complexity: Trivial
Reliability: Reliable
Target: Apache RocketMQ nameserver (version 4.9.6 and earlier)
Authentication: none needed
Prerequisites: Network access to the RocketMQ nameserver port (default 9876)
Analysis: devstral-2 · analyzed Feb 16, 2026
nomisec · WRITEUP
by shoucheng3 · poc
https://github.com/shoucheng3/apache__rocketmq_CVE-2023-37582_4-9-6

This repository contains the source code and documentation of Apache RocketMQ, focused on the ACL (Access Control List) module. It does not include an exploit PoC for CVE-2023-37582; it provides the codebase in which the vulnerability may exist.

Classification: Writeup (90%)
Attack Type: Other
Complexity: Complex
Reliability: Theoretical
Target: Apache RocketMQ (version not specified in provided files)
Authentication: none needed
Prerequisites: Access to a vulnerable Apache RocketMQ instance
Analysis: devstral-2 · analyzed Feb 16, 2026
nomisec · SCANNER
by laishouchao · poc
https://github.com/laishouchao/Apache-RocketMQ-RCE-CVE-2023-37582-poc

This PoC is a scanner for CVE-2023-37582, an RCE vulnerability in Apache RocketMQ. It sends a crafted payload and decides whether the target is vulnerable by matching the version number in the response.

Classification: Scanner (90%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Apache RocketMQ
Authentication: none needed
Prerequisites: Network access to the target RocketMQ instance
Analysis: devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Apache RocketMQ - Remote Command Execution
CRITICAL · VERIFIED · by daffainfo
Shodan query: rocketmq port:"9876"

References (2)

Core references (2):
- Mailing List, Patch, Third Party Advisory: http://www.openwall.com/lists/oss-security/2023/07/12/1
- Mailing List, Patch, Vendor Advisory (vendor-advisory): https://lists.apache.org/thread/m614czxtpvlztd7mfgcs2xcsg36rdbnc

Scores

CVSS v3: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.9400 (percentile 99.9%)
Attack Vector: NETWORK

CISA SSVC (Vulnrichment)

Exploitation: none
Automatable: yes
Technical Impact: total

Note that the SSVC Exploitation value of "none" differs from the in-the-wild reports from VulnCheck KEV and InTheWild.io listed above; treat the KEV sources as the more current signal.

Details

VulnCheck KEV: 2024-09-18
InTheWild.io: 2024-09-18
CWE: CWE-94
Status: published
Products (2):
- apache/rocketmq < 4.9.6 (note: the vendor description above gives the 4.x fix as 4.9.7, so 4.9.6 itself is also affected, and 5.x before 5.1.2 is affected as well)
- org.apache.rocketmq/rocketmq-namesrv (Maven): 0 - 4.9.7
Published: Jul 12, 2023
Tracked Since: Feb 18, 2026