PatchSiren cyber security CVE debrief

CVE-2026-27446 Cert Portal CVE debrief

CVE-2026-27446 is a missing-authentication issue in Apache Artemis / Apache ActiveMQ Artemis that can let an unauthenticated remote attacker use the Core protocol to make a target broker open an outbound federation connection to an attacker-controlled rogue broker. In vulnerable deployments, that can lead to message injection into queues and/or message exfiltration through the rogue broker. The advisory says this matters when a broker accepts incoming Core connections from untrusted sources and is also allowed to make outgoing Core connections to untrusted targets. In the Siemens Opcenter RD&L context cited by the advisory, the stated operational impact is limited because messages are schema-validated, do not contain confidential information, and ActiveMQ access is restricted to the data center.

Vendor: Cert Portal
Product: Siemens Opcenter RDnL vers:all/*
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-05-14
Advisory published: 2026-05-12
Advisory updated: 2026-05-14

Who should care

Operators and defenders running Apache Artemis / Apache ActiveMQ Artemis, especially environments that expose the Core protocol to untrusted networks or permit outbound federation to untrusted targets. Siemens Opcenter RD&L deployments should also review broker exposure, because the supplied advisory ties the issue to that product context and specifically mentions port 61616 and data-center-only access assumptions.

Technical summary

The vulnerability is classified as CWE-306 (Missing Authentication for Critical Function). According to the advisory, an unauthenticated attacker can use the Core protocol to force a broker to establish an outbound Core federation connection to a rogue broker under attacker control. If the deployment allows both inbound untrusted Core connections and outbound untrusted Core federation, the attacker may inject messages into queues or exfiltrate messages via the rogue broker. CISA's referenced remediation includes upgrading Apache Artemis to 2.52.0 or later, removing Core support from acceptors that receive untrusted connections, using a Core interceptor to deny downstream federation connect packets, and enforcing two-way SSL so clients must authenticate before the protocol handshake.

Defensive priority

High for any broker that matches the exposed topology described in the advisory; lower if Core is tightly restricted, outbound federation targets are trusted, and port 61616 is blocked from untrusted networks. The supplied advisory rates the issue CVSS 7.1 (High), but it also notes environment-specific limits in the Siemens deployment context.

Recommended defensive actions

  • Upgrade Apache Artemis to version 2.52.0 or later.
  • Remove Core protocol support from any acceptor that receives connections from untrusted sources; by default, the "artemis" acceptor on port 61616 supports Core unless the protocols parameter is restricted.
  • Implement a Core interceptor to deny downstream federation connect packets.
  • Require two-way SSL so clients must present a certificate before any message protocol handshake occurs.
  • Review broker networking so incoming Core connections from untrusted sources and outgoing Core connections to untrusted targets are not both allowed.
  • Verify queue integrity, federation settings, and broker logs for unexpected federation connections or message anomalies.
  • Reassess Siemens Opcenter RD&L exposure assumptions, including data-center segmentation and blocking inbound access to port 61616 from outside trusted networks.
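The following is an added audit script, not code from PatchSiren, Siemens, CISA or the Artemis project. It reads a broker.xml and reports the configuration conditions the actions above address: an acceptor that still carries Core (either listed in protocols or implied by an absent protocols parameter), Core accepted without two-way SSL (sslEnabled plus needClientAuth), and no remoting-incoming-interceptors entry when Core is enabled anywhere. Both configuration samples are constructed; the key-store paths, passwords and the interceptor class name in the hardened sample are placeholders, and the audit cannot tell from XML alone whether a registered interceptor actually denies federation connect packets.

```python
"""Audit an Apache ActiveMQ Artemis broker.xml for the exposure conditions
listed above. Added example with constructed configuration samples; it is not
code from PatchSiren, Siemens, CISA or the Artemis project."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: the kind of acceptor 'artemis create' generates, with
# Core enabled on 61616, no TLS and no interceptor.
WEAK_BROKER_XML = """<configuration xmlns="urn:activemq">
  <core xmlns="urn:activemq:core">
    <acceptors>
      <acceptor name="artemis">tcp://0.0.0.0:61616?protocols=CORE,AMQP,STOMP,HORNETQ,MQTT,OPENWIRE;useEpoll=true</acceptor>
      <acceptor name="amqp">tcp://0.0.0.0:5672?protocols=AMQP</acceptor>
    </acceptors>
  </core>
</configuration>
"""

# Constructed sample applying the advisory's mitigations: Core dropped from the
# protocols list, two-way TLS required, and an incoming interceptor registered.
# Key-store paths, passwords and the interceptor class name are placeholders.
HARDENED_BROKER_XML = """<configuration xmlns="urn:activemq">
  <core xmlns="urn:activemq:core">
    <remoting-incoming-interceptors>
      <class-name>com.example.DenyFederationConnectInterceptor</class-name>
    </remoting-incoming-interceptors>
    <acceptors>
      <acceptor name="artemis">tcp://0.0.0.0:61616?protocols=AMQP,STOMP,MQTT;sslEnabled=true;needClientAuth=true;keyStorePath=/etc/artemis/broker.ks;keyStorePassword=PLACEHOLDER;trustStorePath=/etc/artemis/clients.ts;trustStorePassword=PLACEHOLDER</acceptor>
    </acceptors>
  </core>
</configuration>
"""


def _local(tag):
    """Strip the XML namespace: '{urn:activemq:core}acceptor' -> 'acceptor'."""
    return tag.rsplit('}', 1)[-1]


def parse_acceptor_url(url):
    """Split an Artemis acceptor URL 'tcp://host:port?k=v;k2=v2' into
    (host, port, params). Parameters are ';'-separated, as in broker.xml."""
    base, _, query = url.partition('?')
    parsed = urlparse(base)
    params = {}
    for part in query.split(';'):
        key, sep, value = part.partition('=')
        if sep:
            params[key.strip()] = value.strip()
    return parsed.hostname, parsed.port, params


def audit_broker_xml(xml_text):
    """Return a list of findings; an empty list means none of the checked
    exposure conditions is present."""
    root = ET.fromstring(xml_text)
    findings = []

    # Any registered incoming interceptor counts; the audit cannot tell from
    # XML alone whether it denies federation connect packets.
    has_interceptor = any(
        _local(child.tag) == 'class-name' and (child.text or '').strip()
        for elem in root.iter() if _local(elem.tag) == 'remoting-incoming-interceptors'
        for child in elem
    )

    core_anywhere = False
    for acc in (e for e in root.iter() if _local(e.tag) == 'acceptor'):
        name = acc.get('name', '<unnamed>')
        host, port, params = parse_acceptor_url((acc.text or '').strip())
        protocols = params.get('protocols')
        # No 'protocols' parameter means every protocol, Core included.
        core_enabled = protocols is None or 'CORE' in {
            p.strip().upper() for p in protocols.split(',')}
        if not core_enabled:
            continue
        core_anywhere = True
        findings.append(f"{name}: Core protocol enabled on {host}:{port}")
        two_way_ssl = (params.get('sslEnabled', 'false').lower() == 'true'
                       and params.get('needClientAuth', 'false').lower() == 'true')
        if not two_way_ssl:
            findings.append(f"{name}: Core accepted without two-way SSL "
                            f"(sslEnabled and needClientAuth)")
    if core_anywhere and not has_interceptor:
        findings.append("no remoting-incoming-interceptors configured to deny "
                        "downstream federation connect packets")
    return findings


if __name__ == '__main__':
    for label, xml_text in (('weak', WEAK_BROKER_XML), ('hardened', HARDENED_BROKER_XML)):
        print(label, audit_broker_xml(xml_text) or ['no findings'])
```

Run against the weak sample the audit reports three findings on the "artemis" acceptor (Core enabled, no two-way SSL, no interceptor) and nothing for the AMQP-only acceptor; the hardened sample produces no findings. Acceptors that intentionally keep Core for trusted peers will still be reported, which is the point: each such acceptor should be checked against the advisory's two-sided condition (inbound untrusted Core plus outbound untrusted Core federation) rather than assumed safe.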

Evidence notes

All substantive claims are drawn from the supplied CISA CSAF advisory content and its referenced Siemens ProductCERT material. The source item was published on 2026-05-12 and republished on 2026-05-14 with Siemens ProductCERT advisory content. The advisory explicitly states the Core-protocol authentication weakness, the two-sided network condition required for impact, the suggested mitigations, and the Siemens-specific context that messages are schema-validated, contain no confidential information, and that inbound access to port 61616 should be blocked. No KEV entry is present in the supplied corpus.

Official resources

Publicly disclosed in the CISA CSAF advisory on 2026-05-12 and republished on 2026-05-14 with Siemens ProductCERT advisory content. The supplied corpus does not include a KEV listing for this CVE.