Apache ActiveMQ flaw lets authenticated users trigger malformed-packet attacks on MQTT-enabled brokers
3 min. read 
Published on
Apache ActiveMQ has patched a vulnerability in its MQTT transport that can let an authenticated attacker send malformed packets and trigger unexpected broker behavior. The bug, tracked as CVE-2025-66168, affects brokers with MQTT transport connectors enabled, and Apache says users should upgrade to fixed releases as soon as possible.
The flaw sits in how ActiveMQ parses the MQTT remaining length field. Apache says the broker does not properly validate that value, which can cause an integer overflow during decoding and lead the broker to misread one malformed payload as multiple MQTT control packets. That behavior breaks the MQTT 3.1.1 rules and can disrupt broker operation when handling non-compliant clients.
One important detail narrows the exposure. Apache says the issue happens after authentication on an established connection, and systems that do not enable MQTT transport connectors are not impacted by this vulnerability.
What the bug does
| Item | Detail |
|---|---|
| CVE | CVE-2025-66168 |
| Component | Apache ActiveMQ MQTT transport |
| Issue type | Improper validation leading to integer overflow |
| Attack requirement | Authenticated connection |
| Affected setups | Brokers with MQTT transport enabled |
| Fixed versions | 5.19.2, 6.1.9, 6.2.1 |
Apache’s CVE record says the malformed packet can cause ActiveMQ to compute the remaining length incorrectly, which then makes the broker interpret the payload as several MQTT control packets instead of one. In practical terms, that can trigger erratic broker behavior and open the door to denial-of-service style disruption against exposed MQTT-enabled deployments.
Affected versions
Apache says the issue affects:
- All versions before 5.19.2
- Versions 6.0.0 through 6.1.8
- Version 6.2.0
Fixed versions
Apache recommends upgrading to:
- 5.19.2
- 6.1.9
- 6.2.1
Severity note
There is one nuance worth calling out. The Apache Software Foundation scored the flaw 5.4 Medium with a vector of AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N, while the NVD enrichment page currently shows a higher 8.8 High score on its side. The vendor score is the official CNA assessment for this CVE, so that is the one most closely tied to Apache’s own disclosure.
Why this matters
This is not a pre-auth remote takeover bug, but it still matters for organizations that expose MQTT in ActiveMQ for IoT, messaging, or brokered device traffic. If an attacker can authenticate, malformed packets may be enough to destabilize message handling and create service disruption on affected brokers. That makes the bug especially relevant for environments where MQTT clients connect from many devices or less-trusted segments. This last point is an inference from the attack conditions Apache described.
What admins should do now
- Upgrade ActiveMQ to 5.19.2, 6.1.9, or 6.2.1.
- Check whether MQTT transport connectors are enabled on any broker instances.
- If you cannot patch immediately, disable MQTT transport where possible until you can upgrade. This is a reasonable mitigation based on Apache’s statement that brokers without MQTT transport enabled are not affected.
- Review authenticated MQTT client access and reduce unnecessary accounts or connectors.
FAQ
It is an Apache ActiveMQ vulnerability in the MQTT module caused by improper validation of the MQTT remaining length field.
Apache says the scenario occurs on established connections after authentication, so it is not described as an unauthenticated attack.
No. Apache says brokers that do not enable MQTT transport connectors are not impacted.
Apache recommends 5.19.2, 6.1.9, or 6.2.1.
Apache’s official CVE text describes “unexpected behavior” and malformed packet handling problems rather than using a narrow DoS-only label. Service disruption is a fair description, but the safest phrasing is to follow Apache’s wording.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
Improve this guide
User forum
0 messages