CVE-2016-3088 — Apache ActiveMQ Improper Input Validation Vulnerability

Apache ActiveMQ Fileserver — Unauthenticated Remote Code Execution via HTTP PUT + MOVE Upload to Deployable Path; Widely Exploited by Cryptominer and Ransomware Operators

What Is Apache ActiveMQ?

Apache ActiveMQ is one of the most widely deployed open-source message brokers, implementing the Java Message Service (JMS) specification and supporting AMQP, MQTT, STOMP, and other messaging protocols. It is a foundational middleware component in enterprise Java application stacks — used for asynchronous communication between microservices, event streaming, task queuing, and integration pipelines. ActiveMQ installations are pervasive in financial services, healthcare, telecommunications, and e-commerce environments.

ActiveMQ ships with an optional web-based file management interface called the Fileserver web application, accessible via HTTP and intended to allow users to upload and manage files for use in broker configurations. This component became the attack surface for CVE-2016-3088.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on February 10, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2016-3088 is a critical remote code execution vulnerability in the Fileserver web application bundled with Apache ActiveMQ. An unauthenticated attacker can upload an arbitrary file (including a web shell or JSP backdoor) via an HTTP PUT request, then move it to a web-deployable location using an HTTP MOVE request. The moved file is then executable via a subsequent HTTP GET request, giving the attacker full OS-level code execution on the ActiveMQ server. Apache disabled the Fileserver application by default in ActiveMQ 5.14.0 (May 2016) and removed it entirely in later versions. CISA added CVE-2016-3088 to the inaugural KEV catalog batch in February 2022, reflecting widespread ongoing exploitation.

Affected Versions

Apache ActiveMQ version                     Status
< 5.14.0 (with Fileserver enabled)          Vulnerable
5.14.0+ (Fileserver disabled by default)    Mitigated (Fileserver must stay disabled or be removed)
5.15.6+                                     Fileserver removed entirely

Technical Details

Root Cause: Unrestricted File Upload via HTTP WebDAV-Style Verbs

CVE-2016-3088 is an unrestricted file upload vulnerability (CWE-434) in the ActiveMQ Fileserver web application. The Fileserver is a simple HTTP-based file manager that accepts HTTP PUT requests to upload files into the ActiveMQ data directory and HTTP MOVE requests (a WebDAV method) to relocate uploaded files to arbitrary paths on the filesystem.

The exploitation sequence:

  1. Upload a web shell via HTTP PUT — the attacker sends an HTTP PUT request to the Fileserver endpoint with a JSP web shell as the request body. The JSP imports java.io and passes a query parameter directly to Runtime.getRuntime().exec(), enabling arbitrary OS command execution.

  2. Move the file to a deployable path via HTTP MOVE — the attacker sends an HTTP MOVE request (a WebDAV method) to relocate the uploaded file from the Fileserver data directory into the ActiveMQ web application directory (e.g. /admin/), making it accessible as a live JSP page via the web console.

  3. Execute arbitrary commands via the web shell — the attacker issues a GET request to the deployed JSP with a cmd query parameter. The JSP executes the value via the Java runtime and returns the output, giving full OS-level command execution.

The process runs as the user executing ActiveMQ — frequently root or a high-privilege service account in enterprise deployments.
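The three-step sequence above leaves a recognisable trace in the request log of the ActiveMQ web console. The following detection routine is an added example written for this page, not code from the page or from the ActiveMQ project; it assumes Jetty's NCSA-style access log format and runs over constructed sample lines. Because that log format does not record the Destination header of a MOVE, the routine correlates on the uploaded file name from the same client rather than on where the object was moved to.

```python
import re
from collections import defaultdict

# Jetty NCSA-style request log line: client ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3})')

# Constructed sample lines (not a real capture) showing the PUT -> MOVE -> GET pattern,
# followed by a legitimate console request from another client
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2022:10:00:01 +0000] "GET /admin/ HTTP/1.1" 401 0
203.0.113.5 - - [10/Feb/2022:10:00:02 +0000] "PUT /fileserver/s.jsp HTTP/1.1" 204 0
203.0.113.5 - - [10/Feb/2022:10:00:03 +0000] "MOVE /fileserver/s.jsp HTTP/1.1" 204 0
203.0.113.5 - - [10/Feb/2022:10:00:04 +0000] "GET /admin/s.jsp?cmd=id HTTP/1.1" 200 57
198.51.100.7 - - [10/Feb/2022:10:05:00 +0000] "GET /admin/queues.jsp HTTP/1.1" 200 4211
"""

def analyze(lines):
    """Return findings as (severity, client_ip, message) tuples, in log order."""
    findings = []
    uploaded = defaultdict(set)  # client -> file names it PUT into /fileserver/
    names_seen = set()           # every file name any client uploaded
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, target, status = m.groups()
        path = target.split("?", 1)[0]
        name = path.rsplit("/", 1)[-1]
        if path.startswith("/fileserver/") and method == "PUT":
            uploaded[ip].add(name)
            names_seen.add(name)
            findings.append(("medium", ip, f"PUT to Fileserver: {path}"))
        elif path.startswith("/fileserver/") and method == "MOVE":
            # The NCSA log omits the Destination header, so correlate on the uploaded
            # name from the same client instead of on the move target
            if name in uploaded[ip]:
                findings.append(("high", ip, f"PUT then MOVE of {name}: upload relocated"))
            else:
                findings.append(("medium", ip, f"MOVE of Fileserver object: {path}"))
        elif (method == "GET" and status == "200" and name in names_seen
              and path.startswith(("/admin/", "/api/"))):
            findings.append(("critical", ip, f"uploaded file served from web console: {path}"))
    return findings
```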

No Authentication Required

The Fileserver endpoint in vulnerable ActiveMQ versions does not enforce authentication for HTTP PUT and MOVE operations, enabling exploitation directly from the network without credentials.

Attack Characteristics

Attribute             Detail
Attack Vector         Network: HTTP PUT + MOVE to the ActiveMQ Fileserver
Authentication        None required
Payload               JSP web shell or any executable file type
Execution Context     ActiveMQ process user (often root or SYSTEM)
Required Conditions   Fileserver web application enabled (default in < 5.14.0)

Discovery

The vulnerability class (HTTP PUT + MOVE file upload to web shell) was a known attack pattern against WebDAV-enabled web servers. Apache developers identified and disabled the Fileserver by default in ActiveMQ 5.14.0 (May 2016). The CVE was formally published June 1, 2016.

Exploitation Context

  • Cryptominer deployment: CVE-2016-3088 became a primary vector for deploying cryptocurrency miners (Monero XMRig and variants) against exposed ActiveMQ instances; the CVSS 9.8 / no-auth rating made it ideal for mass exploitation campaigns
  • Mass internet scanning: Tools like Shodan and Censys routinely index exposed ActiveMQ web console ports (8161/tcp); automated exploitation scripts targeting CVE-2016-3088 circulated widely after the vulnerability was documented, enabling mass scanning and exploitation
  • ActiveMQ exposure breadth: ActiveMQ instances are frequently internet-facing due to misconfiguration or deployment in DMZ environments for message broker federation; the default HTTP console on port 8161 often remains accessible
  • Ongoing exploitation relevance: Apache ActiveMQ has remained a target for RCE exploitation through newer vulnerabilities (CVE-2023-46604, "NotEvil"), demonstrating persistent attacker interest in message broker infrastructure; CVE-2016-3088 was the earlier instance of this pattern
  • CISA KEV (2022): Added February 10, 2022 in the inaugural CISA KEV batch, alongside other long-exploited vulnerabilities

Remediation

CISA BOD 22-01 Deadline: August 10, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

  1. Upgrade to Apache ActiveMQ 5.15.6 or later — the Fileserver web application is completely removed. This is the definitive fix.

  2. If upgrade is not immediately possible, disable the Fileserver — in ActiveMQ 5.14.0+, the Fileserver is disabled by default; for earlier versions, remove or disable the fileserver web application from the webapps/ directory in the ActiveMQ installation.

  3. Restrict network access to the ActiveMQ web console — firewall ports 8161 (HTTP) and 8162 (HTTPS) so that only authorized administrator IP addresses can reach them. The ActiveMQ web console should never be internet-accessible.

  4. Enable ActiveMQ authentication — configure username/password authentication for the ActiveMQ console and broker connections; review conf/jetty-realm.properties and conf/activemq.xml for authentication configuration.

  5. Review deployed web applications — check the ActiveMQ webapps/ directory for unexpected JSP files or web applications that may indicate prior compromise via CVE-2016-3088.

  6. Monitor for indicators of compromise — look for unexpected outbound connections from ActiveMQ server IPs, high CPU usage (indicating cryptominer deployment), or unfamiliar files in the ActiveMQ directory tree.
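Steps 2 and 5 above can be verified on disk. The following audit script is an added example, not tooling from the page or from the ActiveMQ project; it assumes the layout of ActiveMQ's conf/jetty.xml, where each web application is registered as a Jetty WebAppContext bean carrying a contextPath property, and it builds a constructed sample installation in a temporary directory rather than touching a real one.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path
# Constructed fragment in the layout of ActiveMQ's conf/jetty.xml (assumption: each web
# application is a Jetty WebAppContext bean carrying a contextPath property).
FILESERVER_BEAN = """<bean class="org.eclipse.jetty.webapp.WebAppContext">
    <property name="contextPath" value="/fileserver" />
    <property name="resourceBase" value="${activemq.home}/webapps/fileserver" />
  </bean>"""
JETTY_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean class="org.eclipse.jetty.webapp.WebAppContext">
    <property name="contextPath" value="/admin" />
    <property name="resourceBase" value="${activemq.home}/webapps/admin" />
  </bean>
  %s
</beans>"""
JETTY_XML_VULNERABLE = JETTY_XML % FILESERVER_BEAN
JETTY_XML_FIXED = JETTY_XML % ("<!-- " + FILESERVER_BEAN + " -->")  # 5.14.0-style: commented out

def active_context_paths(jetty_xml_text):
    """contextPath values of uncommented WebAppContext beans (ElementTree drops comments)."""
    return {el.get("value") for el in ET.fromstring(jetty_xml_text).iter()
            if el.tag.rsplit("}", 1)[-1] == "property" and el.get("name") == "contextPath"}

# The page describes the dropped JSP as passing a request parameter to Runtime.getRuntime().exec()
SHELL_MARKER = re.compile(r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec|ProcessBuilder")

def audit(activemq_home):
    """Findings: live /fileserver context, leftover webapps/fileserver, JSPs that spawn processes."""
    home, findings = Path(activemq_home), []
    jetty = home / "conf" / "jetty.xml"
    if jetty.is_file() and "/fileserver" in active_context_paths(jetty.read_text()):
        findings.append("conf/jetty.xml registers an active /fileserver context")
    if (home / "webapps" / "fileserver").is_dir():
        findings.append("webapps/fileserver directory still present")
    for jsp in sorted((home / "webapps").rglob("*.jsp")):  # heuristic: any JSP spawning a process
        if SHELL_MARKER.search(jsp.read_text(errors="replace")):
            findings.append(f"JSP spawns OS commands: {jsp.relative_to(home)}")
    return findings

def make_sample_install(jetty_xml_text, with_shell=True):
    """Throwaway directory shaped like an ActiveMQ home (constructed, for demonstration)."""
    home = Path(tempfile.mkdtemp())
    (home / "conf").mkdir(); (home / "conf" / "jetty.xml").write_text(jetty_xml_text)
    (home / "webapps" / "fileserver").mkdir(parents=True)
    (home / "webapps" / "admin").mkdir()
    if with_shell:  # marker text only, so the detector has something to match
        (home / "webapps" / "admin" / "s.jsp").write_text("... Runtime.getRuntime().exec(cmd) ...")
    return str(home)
```

Run `audit("/path/to/activemq")` against a real installation root; an empty list means no Fileserver context, no leftover Fileserver directory and no process-spawning JSPs were found.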

Key Details

Property              Value
CVE ID                CVE-2016-3088
Vendor / Product      Apache ActiveMQ
NVD Published         2016-06-01
NVD Last Modified     2025-10-22
CVSS 3.1 Score        9.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-434: Unrestricted Upload of File with Dangerous Type
CISA KEV Added        2022-02-10
CISA KEV Deadline     2022-08-10
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2022-08-10. Apply updates per vendor instructions.

Timeline

Date          Event
2016-05-25    Apache ActiveMQ 5.14.0 released; CVE-2016-3088 patched by disabling the Fileserver web application by default
2016-06-01    CVE-2016-3088 published by NVD
2022-02-10    Added to the CISA Known Exploited Vulnerabilities catalog (inaugural CISA KEV batch)
2022-08-10    CISA BOD 22-01 remediation deadline

References

Resource                                              Type
NVD: CVE-2016-3088                                    Vulnerability database
CISA KEV Catalog entry                                US Government
Apache ActiveMQ Security Advisory for CVE-2016-3088   Vendor advisory