Siemens Opcenter RDnL carries critical ActiveMQ auth flaw; patch now
All versions are affected; three mitigations are available while update packages roll out.
Editorial brief
CISA published ICS advisory ICSA-26-134-09 covering CVE-2026-27446, a CVSS 7.1 missing-authentication flaw (CWE-306) in Apache ActiveMQ Artemis as shipped with Siemens Opcenter RDnL. All versions are affected. An adjacent-network attacker can force the broker to open an outbound Core federation connection to an attacker-controlled host, enabling message injection or exfiltration on any queue. Siemens recommends updating to Apache Artemis 2.52.0 or later; three interim mitigations cover Core interceptors, acceptor protocol restriction, and two-way SSL. Opcenter RDnL sits in critical manufacturing environments worldwide.
CVE-2026-27446 lives in the Core protocol layer that ActiveMQ Artemis exposes by default on port 61616. The attack path requires adjacency, not internet exposure, but no credentials: an attacker already on the adjacent network sends a federation connect packet (type int -16 / byte 0xf0) to trick the broker into dialing out to an attacker-controlled host. Once that outbound connection exists, the rogue broker can push arbitrary messages into any queue or drain messages out of one.
CVSS 3.1 scores this at 7.1 HIGH (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H). Confidentiality impact is rated none because Opcenter RDnL queues do not carry confidential data per Siemens ProductCERT; integrity impact is rated low because the product lacks auto-refresh, limiting downstream effect of injected messages. Availability is the primary concern.
Affected scope: every released version of Siemens Opcenter RDnL (vers:all/*). Opcenter RDnL is a recipe and development lifecycle tool deployed in critical manufacturing sectors globally.
Remediation options, in order of preference:
- Update to Apache Artemis 2.52.0 or later. Siemens has released a vendor fix tied to this upstream version; confirm the specific Opcenter RDnL package version in Siemens ProductCERT's advisory before applying.
- Deploy a Core interceptor to drop all downstream federation connect packets (type -16 / 0xf0). Apache Artemis interceptor documentation is at artemis.apache.org.
- Remove Core protocol support from any acceptor that receives connections from untrusted sources. The default "artemis" acceptor on port 61616 enables all protocols unless the protocols URL parameter is set explicitly.
- Enforce two-way SSL on all acceptors so that unauthenticated clients cannot complete a handshake before the Core protocol exchange begins.
Options 2 through 4 are mitigations, not fixes. If your Opcenter RDnL deployment cannot take the update immediately, apply at least one of the three and network-segment the broker from untrusted adjacency until patching is complete.
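To see which acceptors options 3 and 4 still leave open, the following added example (not from Siemens, Apache or the original brief) audits a broker.xml and flags every acceptor where Core is enabled and two-way SSL is not enforced. The sample XML is constructed, the function names are hypothetical, and sslEnabled / needClientAuth are assumed to be the acceptor parameters used to enforce two-way SSL.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample broker.xml (not taken from a real Opcenter RDnL install).
SAMPLE_BROKER_XML = """<configuration xmlns="urn:activemq">
 <core xmlns="urn:activemq:core">
  <acceptors>
   <acceptor name="artemis">tcp://0.0.0.0:61616?tcpSendBufferSize=1048576</acceptor>
   <acceptor name="amqp">tcp://0.0.0.0:5672?protocols=AMQP</acceptor>
   <acceptor name="core-mtls">tcp://0.0.0.0:61617?protocols=CORE;sslEnabled=true;needClientAuth=true</acceptor>
   <acceptor name="core-tls">tcp://0.0.0.0:61618?protocols=CORE,AMQP;sslEnabled=true</acceptor>
  </acceptors>
 </core>
</configuration>"""


def parse_params(uri):
    """Return the acceptor URI parameters as a dict (';' or '&' separated)."""
    query = urlsplit(uri.strip()).query.replace("&", ";")
    pairs = (item.split("=", 1) for item in query.split(";") if "=" in item)
    return {key.strip(): value.strip() for key, value in pairs}


def audit_acceptors(broker_xml):
    """Map acceptor name -> findings for acceptors exposing Core without two-way SSL."""
    findings = {}
    for elem in ET.fromstring(broker_xml).iter():
        if elem.tag.rsplit("}", 1)[-1] != "acceptor":  # ignore XML namespaces
            continue
        params = parse_params(elem.text or "")
        protocols = params.get("protocols")
        if protocols is None:
            reason = "no protocols parameter: all protocols, including Core, enabled"
        elif "CORE" in {p.strip().upper() for p in protocols.split(",")}:
            reason = "protocols list includes CORE"
        else:
            continue  # Core removed from this acceptor (option 3)
        tls = params.get("sslEnabled", "false").lower() == "true"
        if tls and params.get("needClientAuth", "false").lower() == "true":
            continue  # two-way SSL enforced (option 4)
        tls_state = "TLS without client certificates" if tls else "no TLS"
        findings[elem.get("name", "<unnamed>")] = [reason, tls_state]
    return findings


if __name__ == "__main__":
    for name, issues in audit_acceptors(SAMPLE_BROKER_XML).items():
        print(f"{name}: " + "; ".join(issues))
```

An acceptor that passes this check is covered by option 3 or 4 only; it says nothing about whether the broker has been updated or a Core interceptor is deployed.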
Deep Fathom