CVE-2026-22886

CRITICAL

OpenMQ - Auth Bypass

Description

OpenMQ exposes a TCP-based management service (imqbrokerd) that by default requires authentication. However, the product ships with a default administrative account (admin/admin) and does not enforce a mandatory password change on first use. After the first successful login, the server continues to accept the default password indefinitely without warning or enforcement. In real-world deployments, this service is often left enabled without changing the default credentials. As a result, a remote attacker with access to the service port could authenticate as an administrator and gain full control of the protocol’s administrative features.

Scores

CVSS v3 9.8
EPSS 0.0020
EPSS Percentile 41.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-1391 CWE-1392 CWE-1393
Status published
Products (3)
eclipse/openmq
Eclipse Foundation/Eclipse OpenMQ
elipse/openmq
Published Mar 03, 2026
Tracked Since Mar 03, 2026