CVE-2020-11998

CRITICAL

Apache ActiveMQ JMX RMIConnectorServer - Remote Code Execution

Title source: manual

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-11998. PoCs published by shoucheng3.

AI-analyzed exploit summary This repository contains a proof-of-concept exploit for CVE-2020-11998, a deserialization vulnerability in Apache ActiveMQ. The exploit targets the AMQP protocol implementation, specifically the frame parsing logic, to achieve remote code execution.

Description

A regression has been introduced in the commit preventing JMX re-bind. By passing an empty environment map to RMIConnectorServer, instead of the map that contains the authentication credentials, it leaves ActiveMQ open to the following attack: https://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html "A remote client could create a javax.management.loading.MLet MBean and use it to create new MBeans from arbitrary URLs, at least if there is no security manager. In other words, a rogue remote client could make your Java application execute arbitrary code." Mitigation: Upgrade to Apache ActiveMQ 5.15.13

Exploits (1)

nomisec WORKING POC

by shoucheng3 · poc

https://github.com/shoucheng3/apache__activemq_CVE-2020-11998_5-15-12

View Code ZIP pw:eip

This repository contains a proof-of-concept exploit for CVE-2020-11998, a deserialization vulnerability in Apache ActiveMQ. The exploit targets the AMQP protocol implementation, specifically the frame parsing logic, to achieve remote code execution.

Classification

Working Poc 90%

Attack Type

Deserialization

Complexity

Moderate

Reliability

Reliable

Target: Apache ActiveMQ versions affected by CVE-2020-11998

No auth needed

Prerequisites: Network access to the target ActiveMQ instance · AMQP protocol enabled on the target

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (7)

Core 7

Core References

Vendor Advisory x_refsource_misc

http://activemq.apache.org/security-advisories.data/CVE-2020-11998-announcement.txt

Third Party Advisory x_refsource_misc

https://www.oracle.com/security-alerts/cpujan2021.html

Mailing List mailing-list x_refsource_mlist

https://lists.apache.org/thread.html/rb2fd3bf2dce042e0ab3f3c94c4767c96bb2e7e6737624d63162df36d%40%3Ccommits.activemq.apache.org%3E

Mailing List mailing-list x_refsource_mlist

https://lists.apache.org/thread.html/r946488fb942fd35c6a6e0359f52504a558ed438574a8f14d36d7dcd7%40%3Ccommits.activemq.apache.org%3E

Patch, Third Party Advisory x_refsource_misc

https://www.oracle.com/security-alerts/cpuApr2021.html

Patch, Third Party Advisory x_refsource_misc

https://www.oracle.com//security-alerts/cpujul2021.html

Patch, Third Party Advisory x_refsource_misc

https://www.oracle.com/security-alerts/cpuoct2021.html

Scores

CVSS v3 9.8

EPSS 0.5122

EPSS Percentile 98.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

Status published

Products (9)

apache/activemq 5.15.12

oracle/communications_diameter_signaling_router 8.0.0 - 8.5.0

oracle/communications_element_manager 8.2.0 - 8.2.4.0

oracle/communications_session_report_manager 8.0.0 - 8.2.2

oracle/communications_session_route_manager 8.0.0 - 8.2.2

oracle/enterprise_repository 11.1.1.7.0

oracle/flexcube_private_banking 12.0.0

oracle/flexcube_private_banking 12.1.0

org.apache.activemq/activemq-parent 5.15.12 - 5.15.13Maven

Published Sep 10, 2020

Tracked Since Feb 18, 2026