Eclipse OpenMQ Default Password Vulnerability in Administrative Account

Vulnerability

A vulnerability exists in Eclipse OpenMQ's TCP-based management service (imqbrokerd), which requires authentication but ships with a default administrative account (admin/admin) and does not force a password change on first use. The default password remains valid indefinitely after the initial login, so a remote attacker who can reach the service port can authenticate as an administrator and gain full control over the administrative features. This vulnerability affects all versions of OpenMQ.

Impact

Exploitation of this vulnerability allows remote authentication as an administrator, granting full control over the protocol's administrative features. It also enables exploitation of other vulnerabilities on the same protocol surface that require authentication.

Added: Mar 3, 2026, 10:18 AM
Updated: Mar 3, 2026, 10:18 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 6.6
remediation: 0.0
relevance: 3.7
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.