Skip to content

CVE Reservation for Admin account has weak default password (chained issue #324)

The Eclipse Foundation is a Common Vulnerabilities and Exposures (CVE) Numbering Authority. This issue it used to request and track the progress of the assignment of a CVE for a vulnerability in the project code for an Eclipse open source project. Issue reported Dec 2 2025 by Camilo G.

Basic information

Project name: Eclipse OpenMQ

Project id: {id}

Request type: reservation

Versions affected: All Versions

Common Weakness Enumeration:

Common Vulnerability Scoring System: {cvss 9.8} (CRITICAL)

Summary:

OpenMQ, exposes a TCP-based management service (imqbrokerd) that by default requires authentication. However, the product ships with a default administrative account (admin/ admin) and does not enforce a mandatory password change on first use. After the first successful login, the server continues to accept the default password indefinitely without warning or enforcement.

In real-world deployments, this service is often left enabled without changing the default credentials. As a result, a remote attacker with access to the service port could authenticate as an administrator and gain full control of the protocol’s administrative features. This also enables practical exploitation of authenticated-only vulnerabilities in the same protocol surface (see related AFR advisory VUL-EE4J-002).

Links:

Credits:

Camilo G. AkA Dedalo (DeepSecurity Perú)

Tracking

This section will completed by the project team.

  • Reserve an entry only
  • We're ready for this issue to be reported to the central authority (i.e., make this public now)
  • (when applicable) The GitHub Security Advisory is ready to be published now

Note that for those projects that host their repositories on GitHub, the use of GitHub Security Advisories is recommended but is not required.

This section will be completed by the EMO.

CVE: {cve}

  • All required information is provided
  • CVE Assigned
  • Pushed to Mitre
  • Accepted by Mitre
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information

Copyright © Eclipse Foundation AISBL. All rights reserved.     Privacy Policy | Terms of Use | Copyright Agent