CVE-2016-3088

The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT...

Basic Information

CVE State: PUBLISHED
Reserved Date: March 10, 2016
Published Date: June 01, 2016
Last Updated: February 07, 2025
Vendor: Apache Software Foundation
Product: ActiveMQ
Description: The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request.
Tags

CVSS Scores

CVSS v3.1

9.8 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2.0

7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

SSVC Information

Exploitation: active
Automatable: Yes
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (2025-05-10 00:00:00 UTC) Source
Proof of Concept Available: Yes (added 2020-12-24 07:26:00 UTC) Source

References

http://www.zerodayinitiative.com/advisories/ZDI-16-356 https://www.exploit-db.com/exploits/42283/ http://www.zerodayinitiative.com/advisories/ZDI-16-357 http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt http://rhn.redhat.com/errata/RHSA-2016-2036.html http://www.securitytracker.com/id/1035951 https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2%40%3Ccommits.activemq.apache.org%3E https://lists.apache.org/thread.html/f956ea38e4da2e2c1e7131e6f91e41754852f5a4861d1a14ca5ca78a%40%3Cusers.activemq.apache.org%3E https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E

Known Exploited Vulnerability Information

Source	Added Date
CISA	2022-02-10 00:00:00 UTC

Scanner Integrations

Scanner	URL	Date Detected
Metasploit	https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/apache_activemq_upload_jsp.rb	2025-04-29 11:01:20 UTC
Nuclei	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2016/CVE-2016-3088.yaml	2025-04-26 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

apache_activemq_upload_jsp

Type: metasploit • Created: Unknown

Metasploit module for CVE-2016-3088

cl4ym0re/CVE-2016-3088

Type: github • Created: 2021-07-03 10:23:59 UTC • Stars: 3

Apache ActiveMQ PUT RCE Scan

vonderchild/CVE-2016-3088

Type: github • Created: 2021-03-12 17:12:09 UTC • Stars: 0

cyberaguiar/CVE-2016-3088

Type: github • Created: 2021-03-11 05:54:34 UTC • Stars: 5

Apache ActiveMQ Remote Code Execution Exploit

pudiding/CVE-2016-3088

Type: github • Created: 2020-12-24 07:26:00 UTC • Stars: 0

Ma1Dong/ActiveMQ_putshell-CVE-2016-3088

Type: github • Created: 2020-07-31 09:06:15 UTC • Stars: 14

ActiveMQ_putshell直接获取webshell

Timeline

CVE ID Reserved

March 10, 2016
CVE Published to Public

June 01, 2016
Proof of Concept Exploit Available

December 24, 2020
Added to KEVIntel

February 10, 2022
Detected by Nuclei

April 26, 2025
Detected by Metasploit

April 29, 2025