Full Report
Opcenter RDnL is affected by missing authentication for a critical function in ‘ActiveMQ Artemis’. An unauthenticated attacker within the adjacent network could use the Core protocol to force a target broker to establish an outbound Core federation connection to an attacker-controlled rogue broker. This could potentially result in availability impacts or message injection into any queue via the rogue broker. Breaking the integrity of a message has a low impact because of the missing auto-refresh functionality, and the messages do not contain any confidential information. ActiveMQ Artemis has released a new version, and Siemens recommends updating to the latest version.
Analysis Summary
# Vulnerability: Missing Authentication in ActiveMQ Artemis (Opcenter RDnL)
## CVE Details
- **CVE ID:** CVE-2026-27446
- **CVSS Score:**
  - **Base (Global):** 9.8 (Critical) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  - **Base (Product-Specific/RDnL):** 7.1 (High) | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
- **CWE:** CWE-306 (Missing Authentication for Critical Function)
## Affected Systems
- **Products:** Opcenter RDnL (formerly SIMATIC IT R&D Suite)
- **Versions:** All versions utilizing Apache Artemis versions prior to V2.52.0.
- **Configurations:** Systems allowing incoming Core protocol connections from untrusted sources and outgoing Core protocol connections to untrusted targets.
## Vulnerability Description
A flaw exists in the Apache ActiveMQ Artemis Core protocol where critical functions lack proper authentication. An unauthenticated attacker can manipulate the Core protocol to force a target broker to initiate an outbound "Core federation" connection to a rogue, attacker-controlled broker. Once the connection is established, the attacker can inject messages into any queue or exfiltrate messages from the broker.
In the specific context of **Opcenter RDnL**, the impact is slightly mitigated because the messages do not contain confidential information and schemas are validated; however, availability and message integrity (e.g., UI refresh functionality) remain at risk.
## Exploitation
- **Status:** Not explicitly stated as exploited in the wild; no PoC linked in advisory.
- **Complexity:** Low
- **Attack Vector:**
  - **General:** Network
  - **Opcenter RDnL Specific:** Adjacent (requires access to the Data Center network).
## Impact
- **Confidentiality:** None to High (Low/None for Opcenter RDnL specifically).
- **Integrity:** Low to High (Low for Opcenter RDnL due to schema validation).
- **Availability:** High (Potential for service disruption via rogue broker interaction).
## Remediation
### Patches
- **Apache ActiveMQ Artemis:** Update to **version 2.52.0** or later.
- **Siemens Opcenter RDnL:** Siemens recommends updating the underlying Apache Artemis component to V2.52.0 or later.
### Workarounds
1. **Core Interceptor:** Deploy a Core interceptor that denies all Core downstream federation connect packets (packet type `(int) -16`, i.e. `(byte) 0xfffffff0`).
2. **Two-Way SSL:** Enforce certificate-based authentication (Mutual TLS) to ensure only trusted clients can establish a connection before the protocol handshake.
3. **Disable Core Protocol:** Remove Core protocol support from any "acceptors" (typically port 61616) that receive traffic from untrusted sources.
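As an added illustration of workaround 1 (this is example code, not part of the advisory or of the Artemis project), an incoming Core interceptor that refuses the downstream federation connect packet and fails the offending connection. It assumes the Artemis `Interceptor`, `Packet` and `RemotingConnection` API classes named in the imports, that the packet type value `-16` given above matches the deployed Artemis version, and a hypothetical package name for the broker.xml registration.

```java
package example.security;  // hypothetical package; adjust to your deployment

import java.util.logging.Logger;
import org.apache.activemq.artemis.api.core.ActiveMQException;
import org.apache.activemq.artemis.api.core.Interceptor;
import org.apache.activemq.artemis.core.protocol.core.Packet;
import org.apache.activemq.artemis.spi.core.protocol.RemotingConnection;

/**
 * Incoming Core interceptor that rejects downstream federation connect
 * packets, so a remote peer cannot make this broker open an outbound
 * federation link to it. Register it in broker.xml:
 *
 *   <remoting-incoming-interceptors>
 *     <class-name>example.security.DenyDownstreamFederationInterceptor</class-name>
 *   </remoting-incoming-interceptors>
 */
public class DenyDownstreamFederationInterceptor implements Interceptor {

    private static final Logger LOG =
        Logger.getLogger(DenyDownstreamFederationInterceptor.class.getName());

    // Packet type of the Core downstream federation connect packet, taken from
    // the workaround above: (int) -16, which is (byte) 0xfffffff0 in Java.
    // Assumed to match PacketImpl.FEDERATION_DOWNSTREAM_CONNECT in your version.
    static final byte FEDERATION_DOWNSTREAM_CONNECT = (byte) 0xfffffff0;

    @Override
    public boolean intercept(Packet packet, RemotingConnection connection)
            throws ActiveMQException {
        if (!isDownstreamFederationConnect(packet.getType())) {
            return true;  // every other packet passes through unchanged
        }
        String peer = connection == null ? "unknown" : connection.getRemoteAddress();
        // This log line is the indicator the Detection section describes:
        // someone asked this broker to federate outbound.
        LOG.warning("Rejected Core downstream federation connect from " + peer);
        if (connection != null) {
            // Tear the connection down instead of silently dropping the packet.
            connection.fail(new ActiveMQException(
                "downstream federation connect is not permitted on this acceptor"));
        }
        return false;  // false = stop processing this packet
    }

    static boolean isDownstreamFederationConnect(byte packetType) {
        return packetType == FEDERATION_DOWNSTREAM_CONNECT;
    }
}
```

Deploy the compiled class on the broker's classpath and restart; combine it with workaround 3 on any acceptor exposed to untrusted networks, since the interceptor only covers the Core protocol.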
## Detection
- **Indicators of Compromise:** Unusual outbound connection attempts from the ActiveMQ broker to unknown or external IP addresses on Core protocol ports.
- **Detection Methods:**
  - Monitor network logs for unauthorized Core protocol handshakes.
  - Inspect ActiveMQ configuration (acceptors) for the presence of the Core protocol on untrusted network interfaces.
  - Audit for the presence of unexpected federation configurations.
## References
- **Siemens Security Advisory:** hxxps://cert-portal[.]siemens[.]com/productcert/html/ssa-085541[.]html
- **ActiveMQ Documentation (Interceptors):** hxxps://artemis[.]apache[.]org/components/artemis/documentation/latest/intercepting-operations[.]html
- **Industrial Security Guidelines:** hxxps://www[.]siemens[.]com/cert/operational-guidelines-industrial-security