Impact
Apache ActiveMQ exposes a Jolokia JMX-over-HTTP bridge that, by default, allows authenticated actors to issue exec operations on all ActiveMQ MBeans, including BrokerService.addNetworkConnector(String). When a crafted discovery URI is supplied to that operation, the underlying VM transport uses a masterslave:// URL that triggers loading of a Spring XML application context, and Spring instantiates singleton beans before the broker validates the configuration. This enables arbitrary code execution in the broker's JVM via bean factory methods such as Runtime.exec(), giving full control over the host. The weakness is classified as improper input validation (CWE-20) and improper control of code generation (CWE-94).
Affected Systems
Apache ActiveMQ Broker, Apache ActiveMQ All, and Apache ActiveMQ are affected in versions before 5.19.7 and in versions from 6.0.0 up to and including 6.2.5 (i.e., 6.x before 6.2.6). These builds expose a Jolokia endpoint that allows authenticated users to execute operations on broker MBeans.
Risk and Exploitability
The vulnerability is enabled by the default Jolokia policy and requires only that the attacker authenticate to the broker. Because the exploit leverages Spring XML parsing and bean instantiation inside the broker's JVM, a successful attacker obtains a full local execution environment on the broker's host. The CVSS score of 8.1 indicates high severity, while the EPSS score of under 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an authenticated user exploiting the /api/jolokia/ endpoint.
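The following Python script is an added detection example for this advisory, not code from OpenCVE or the Apache ActiveMQ project. It parses captured HTTP requests to the /api/jolokia/ endpoint (both the GET path form and the JSON POST form, including Jolokia's "!" escaping of slashes inside path arguments) and flags exec calls that target the broker MBean, name addNetworkConnector, or carry a masterslave: discovery URI, the combination this advisory describes. The request records, client addresses, and the org.apache.activemq:type=Broker MBean name pattern are constructed assumptions; the script also assumes the servlet container has percent-decoded the path before Jolokia sees it.

```python
"""Flag Jolokia exec requests that match the ActiveMQ addNetworkConnector pattern.

Added detection example for this advisory (not OpenCVE's or ActiveMQ's code).
Assumptions: requests are captured as (client, method, path, body) records;
GET form is /api/jolokia/exec/<mbean>/<operation>/<arg>/...;
POST form is a JSON object (or array, for bulk requests) with
"type", "mbean", "operation", "arguments".
"""
import json
from urllib.parse import unquote

JOLOKIA_PREFIX = "/api/jolokia/"          # endpoint named in the advisory
BROKER_MBEAN_MARKER = "type=Broker"        # assumed ActiveMQ broker MBean key
SUSPECT_OPERATION = "addNetworkConnector"  # operation named in the advisory
SUSPECT_SCHEME = "masterslave:"            # discovery scheme named in the advisory
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2, "info": 3}


def split_jolokia_path(rest):
    """Split a Jolokia GET path on '/', honouring Jolokia's '!' escape:
    '!/' is a literal slash and '!!' a literal bang. A plain str.split('/')
    would miss a masterslave URL whose slashes are escaped this way."""
    parts, cur, i = [], [], 0
    while i < len(rest):
        ch = rest[i]
        if ch == "!" and i + 1 < len(rest):
            cur.append(rest[i + 1])
            i += 2
            continue
        if ch == "/":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def parse_jolokia_requests(method, path, body=None):
    """Return a list of {type, mbean, operation, arguments} dicts for the
    exec requests in one captured HTTP request, or [] if there are none."""
    if not path.startswith(JOLOKIA_PREFIX):
        return []
    if method.upper() == "GET":
        # Container percent-decodes first (assumption), then Jolokia unescapes '!'.
        parts = split_jolokia_path(unquote(path[len(JOLOKIA_PREFIX):]))
        if len(parts) < 3 or parts[0] != "exec":
            return []
        return [{"type": "exec", "mbean": parts[1], "operation": parts[2],
                 "arguments": parts[3:]}]
    if method.upper() == "POST":
        try:
            data = json.loads(body or "")
        except ValueError:
            return []
        reqs = data if isinstance(data, list) else [data]  # bulk request = JSON array
        out = []
        for r in reqs:
            if isinstance(r, dict) and r.get("type") == "exec":
                out.append({"type": "exec",
                            "mbean": str(r.get("mbean", "")),
                            "operation": str(r.get("operation", "")),
                            "arguments": [str(a) for a in (r.get("arguments") or [])]})
        return out
    return []


def classify(req):
    """Score one parsed exec request; every matching indicator raises severity."""
    reasons = []
    if BROKER_MBEAN_MARKER in req["mbean"]:
        reasons.append("exec on broker MBean")
    if req["operation"] == SUSPECT_OPERATION:
        reasons.append("operation " + SUSPECT_OPERATION)
    if any(SUSPECT_SCHEME in a.lower() for a in req["arguments"]):
        reasons.append("masterslave: discovery URI in arguments")
    severity = {0: "info", 1: "low", 2: "medium", 3: "high"}[len(reasons)]
    return severity, reasons


def scan(records):
    """records: iterable of (client, method, path, body).
    Returns (severity, client, mbean, operation, reasons) tuples, highest first."""
    findings = []
    for client, method, path, body in records:
        for req in parse_jolokia_requests(method, path, body):
            severity, reasons = classify(req)
            findings.append((severity, client, req["mbean"], req["operation"], reasons))
    return sorted(findings, key=lambda f: SEVERITY_RANK[f[0]])


BROKER = "org.apache.activemq:type=Broker,brokerName=localhost"  # assumed MBean name
SAMPLE_RECORDS = [  # constructed traffic for this example, not real captures
    ("10.0.0.5", "GET", "/api/jolokia/read/" + BROKER + "/TotalMessageCount", None),
    ("10.0.0.7", "POST", "/api/jolokia/", json.dumps({
        "type": "exec", "mbean": BROKER, "operation": "addNetworkConnector",
        "arguments": ["masterslave://placeholder.invalid:61616/x"]})),
    ("10.0.0.9", "GET", "/api/jolokia/exec/" + BROKER
     + "/addNetworkConnector/masterslave:!/!/placeholder.invalid:61616!/x", None),
    ("10.0.0.3", "POST", "/api/jolokia/", json.dumps({
        "type": "exec", "mbean": "java.lang:type=Memory", "operation": "gc"})),
]

if __name__ == "__main__":
    for sev, client, mbean, op, reasons in scan(SAMPLE_RECORDS):
        print(f"{sev:5} {client:9} {op:20} {mbean}  {'; '.join(reasons)}")
```

Run it over reverse-proxy or WAF captures of the broker's web console; a high-severity finding from a client that is not a known administrator is the event to investigate, and upgrading to 5.19.7 or 6.2.6 removes the underlying issue.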
OpenCVE Enrichment