Impact
The vulnerability is improper input validation: an attacker who can publish or modify LDAP entries matching the configured searchBase and searchFilter can cause the broker to instantiate transports that are otherwise denied, inside the broker JVM. This can be used to retrieve an attacker-controlled URL and launch a second BrokerService within the same JVM, effectively enabling remote code execution and arbitrary broker configuration.
Affected Systems
Apache ActiveMQ Broker versions before 5.19.8 and from 6.0.0 up to 6.2.6, Apache ActiveMQ versions before 5.19.8 and from 6.0.0 up to 6.2.6, and Apache ActiveMQ All before 5.19.8 and from 6.0.0 up to 6.2.6.
Risk and Exploitability
The CVSS score is 7.5, and no EPSS score is available. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack requires an attacker who already holds LDAP publish or modify rights for entries that match the broker's configured search base and filter. With those rights, the attacker can trigger the broker to instantiate a second BrokerService inside the same JVM, which can lead to remote code execution or unauthorized broker configuration. Because the root cause is improper input validation of those LDAP entries, successful exploitation depends on the attacker being able to write entries the broker accepts, which limits exposure to deployments with misconfigured or overly permissive LDAP write permissions.
OpenCVE Enrichment