Vulnerability detail
Enriched intelligence for a single CVE
Critical
CVE-2016-3088
PUBLISHED
- Vendor: Apache
- Product: ActiveMQ
- Published: Jun 01, 2016
- EPSS: —
Description
The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request.
CVSS scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploitation status
Exploited in the wild
Recorded 2022-02-10 00:00:00 UTC · Source
SSVC decision points
- Exploitation: active
- Automatable: Yes
- Technical impact: total
References
- http://www.zerodayinitiative.com/advisories/ZDI-16-356
- https://www.exploit-db.com/exploits/42283/
- http://www.zerodayinitiative.com/advisories/ZDI-16-357
- http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt
- http://rhn.redhat.com/errata/RHSA-2016-2036.html
- http://www.securitytracker.com/id/1035951
- https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2%40%3Ccommits.activemq.apache.org%3E
- https://lists.apache.org/thread.html/f956ea38e4da2e2c1e7131e6f91e41754852f5a4861d1a14ca5ca78a%40%3Cusers.activemq.apache.org%3E
- https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E
Known exploited vulnerability sources
Catalogues that list this CVE as a known exploited vulnerability.
| Source | Added |
|---|---|
| CISA | Feb 10, 2022 |
Scanner integrations
| Scanner | Reference | Detected |
|---|---|---|
| Metasploit | https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/apache_activemq_upload_jsp.rb | Apr 28, 2025 |
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2016/CVE-2016-3088.yaml | Apr 25, 2025 |
Potential proof of concepts
These PoCs are unverified and could contain malware. Use at your own risk.
github · Created 2021-07-03 10:23:59 UTC · 3 stars
Apache ActiveMQ PUT RCE Scan
github · Created 2021-03-12 17:12:09 UTC · 0 stars
github · Created 2021-03-11 05:54:34 UTC · 5 stars
Apache ActiveMQ Remote Code Execution Exploit
github · Created 2020-12-24 07:26:00 UTC · 0 stars
github · Created 2020-07-31 09:06:15 UTC · 14 stars
ActiveMQ_putshell: directly obtain a webshell
Timeline
- CVE ID Reserved
- CVE Published to Public
- Added to KEVIntel
- Detected by Nuclei
- Detected by Metasploit