CVE-2022-41678

HIGH NUCLEI

Apache ActiveMQ Jolokia - Authenticated MBean Code Execution

Title source: manual
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2022-41678. PoCs published by URJACK2025, mbadanoiu, Catherines77. A Nuclei detection template is also available.

AI-analyzed exploit summary This is a functional exploit for CVE-2022-41678, targeting Apache ActiveMQ via JMX to write a JSP webshell. It supports both Log4j and JFR-based exploitation methods.

Description

Once an user is authenticated on Jolokia, he can potentially trigger arbitrary code execution.  In details, in ActiveMQ configurations, jetty allows org.jolokia.http.AgentServlet to handler request to /api/jolokia org.jolokia.http.HttpRequestHandler#handlePostRequest is able to create JmxRequest through JSONObject. And calls to org.jolokia.http.HttpRequestHandler#executeRequest. Into deeper calling stacks, org.jolokia.handler.ExecHandler#doHandleRequest can be invoked through refection. This could lead to RCE through via various mbeans. One example is unrestricted deserialization in jdk.management.jfr.FlightRecorderMXBeanImpl which exists on Java version above 11. 1 Call newRecording. 2 Call setConfiguration. And a webshell data hides in it. 3 Call startRecording. 4 Call copyTo method. The webshell will be written to a .jsp file. The mitigation is to restrict (by default) the actions authorized on Jolokia, or disable Jolokia. A more restrictive Jolokia configuration has been defined in default ActiveMQ distribution. We encourage users to upgrade to ActiveMQ distributions version including updated Jolokia configuration: 5.16.6, 5.17.4, 5.18.0, 6.0.0.

Exploits (3)

nomisec WORKING POC 2 stars
by URJACK2025 · poc
https://github.com/URJACK2025/CVE-2022-41678

This is a functional exploit for CVE-2022-41678, targeting Apache ActiveMQ via JMX to write a JSP webshell. It supports both Log4j and JFR-based exploitation methods.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache ActiveMQ (versions with vulnerable Log4j/JFR configurations)
Auth required
Prerequisites: JMX interface enabled · Valid ActiveMQ credentials · Network access to target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WRITEUP 2 stars
by mbadanoiu · poc
https://github.com/mbadanoiu/CVE-2022-41678

This repository provides a detailed writeup and references for CVE-2022-41678, which involves dangerous MBeans accessible via the Jolokia API in Apache ActiveMQ. The vulnerability allows arbitrary file write/read, SSRF, and RCE through Log4J and Java Flight Recorder vectors.

Classification
Writeup 90%
Attack Type
Rce | Info Leak | Ssrf
Complexity
Moderate
Reliability
Reliable
Target: Apache ActiveMQ (versions prior to 5.17.3 and 5.18.0)
Auth required
Prerequisites: Valid credentials for user with 'admin' role · Access to Jolokia API endpoint
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 1 stars
by Catherines77 · poc
https://github.com/Catherines77/ActiveMQ-EXPtools

This repository contains a functional exploit tool for multiple Apache ActiveMQ vulnerabilities, including CVE-2022-41678. It includes a GUI-based application with panels for different CVEs, environment detection, and exploit execution capabilities.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache ActiveMQ
Auth required
Prerequisites: target URL · authentication credentials for authenticated exploits
devstral-2 · analyzed Apr 20, 2026 Full analysis →

Nuclei Templates (1)

Apache ActiveMQ < 5.16.5/5.17.3 - Remote Code Execution
HIGHVERIFIEDby maciejklimek
Shodan: http.title:"ActiveMQ"
FOFA: title="ActiveMQ"

References (5)

Core 5

Scores

CVSS v3 8.8
EPSS 0.9300
EPSS Percentile 99.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-287
Status published
Products (2)
apache/activemq < 5.16.6
org.apache.activemq/apache-activemq 0 - 5.16.6Maven
Published Nov 28, 2023
Tracked Since Feb 18, 2026