{"vulnerability": "cve-2022-41678", "sightings": [{"uuid": "44402745-0cb7-43f2-a69f-6019be5853a3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-41678", "type": "seen", "source": "https://t.me/GithubRedTeam/81019", "content": "\ud83d\udea8 GitHub \u76d1\u63a7\u6d88\u606f\u63d0\u9192\n\n\ud83d\udea8 \u53d1\u73b0\u5173\u952e\u8bcd\uff1a #CVE-2026\n\n\ud83d\udce6 \u9879\u76ee\u540d\u79f0\uff1a ActiveMQ-EXPtools\n\ud83d\udc64 \u9879\u76ee\u4f5c\u8005\uff1a Catherines77\n\ud83d\udee0 \u5f00\u53d1\u8bed\u8a00\uff1a Java\n\u2b50 Star\u6570\u91cf\uff1a 0  |  \ud83c\udf74 Fork\u6570\u91cf\uff1a 0\n\ud83d\udcc5 \u66f4\u65b0\u65f6\u95f4\uff1a 2026-04-20 03:28:09\n\n\ud83d\udcdd \u9879\u76ee\u63cf\u8ff0\uff1a\n\u652f\u6301\u68c0\u6d4b\u548c\u5229\u7528ActiveMQ\u6f0f\u6d1e\uff0cCVE-2015-5254\uff0cCVE-2016-3088\uff0cCVE-2022-41678\uff0cCVE-2023-46604\uff0cCVE-2024-32114\uff0cCVE-2026-34197\n\n\ud83d\udd17 \u70b9\u51fb\u8bbf\u95ee\u9879\u76ee\u5730\u5740", "creation_timestamp": "2026-04-20T04:00:04.000000Z"}, {"uuid": "ce1f56e0-085b-49a3-9635-1d4163141d90", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-41678", "type": "confirmed", "source": "https://github.com/projectdiscovery/nuclei-templates/tree/main/http/cves/2022/CVE-2022-41678.yaml", "content": "", "creation_timestamp": "2026-03-31T15:35:48.000000Z"}, {"uuid": "54e73553-277b-43f0-be9f-d7eacc3c5ceb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-41678", "type": "seen", "source": "https://bsky.app/profile/ytroncal.bsky.social/post/3lvkqlwckcc2c", "content": "", "creation_timestamp": "2025-08-04T08:10:28.456684Z"}, {"uuid": "920f199d-95f2-4e09-8e31-bf39b682eeef", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-41678", "type": "seen", "source": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-261-04", "content": "", "creation_timestamp": "2025-09-18T10:00:00.000000Z"}, {"uuid": "9443fa11-039e-45b6-a62e-9fac1ca6a8ee", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-41678", "type": "seen", "source": "https://bsky.app/profile/beikokucyber.bsky.social/post/3mihlnmgxcq2d", "content": "", "creation_timestamp": "2026-04-01T21:02:36.591824Z"}, {"uuid": "d0349db6-3553-44de-8802-e72034d68fd1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-41678", "type": "seen", "source": "https://t.me/arpsyndicate/1549", "content": "#ExploitObserverAlert\n\nCVE-2022-41678\n\nDESCRIPTION: Exploit Observer has 4 entries related to CVE-2022-41678. Once an user is authenticated on Jolokia, he can potentially trigger arbitrary code execution.\u00a0  In details, in ActiveMQ configurations, jetty allows org.jolokia.http.AgentServlet to handler request to /api/jolokia  org.jolokia.http.HttpRequestHandler", "creation_timestamp": "2023-12-08T11:40:19.000000Z"}, {"uuid": "83f1495c-05d0-4e3a-921e-c21925c2cd8c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-41678", "type": "published-proof-of-concept", "source": "Telegram/e-NDV7JUXFjV7ZYm9J_MRokEu-SU9MarRYVSx0rnLWFHt3U", "content": "", "creation_timestamp": "2025-10-14T21:00:05.000000Z"}, {"uuid": "b95ba256-a075-4e6a-ae2d-9d9548352444", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-41678", "type": "published-proof-of-concept", "source": "https://t.me/GithubRedTeam/55456", "content": "GitHub\u76d1\u63a7\u6d88\u606f\u63d0\u9192\uff01\uff01\uff01 \n\n\u66f4\u65b0\u4e86\uff1awebshell\n\u63cf\u8ff0\uff1aCVE-2022-41678 \u662f Apache ActiveMQ \u4e2d\u7684\u4e00\u4e2a\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u5141\u8bb8\u653b\u51fb\u8005\u901a\u8fc7 JMX (Java Management Extensions) \u63a5\u53e3\u4fee\u6539 Log4j \u914d\u7f6e\u6216 JFR (Java Flight Recorder) \u914d\u7f6e\uff0c\u4ece\u800c\u5199\u5165\u6076\u610f\u7684 JSP webshell \u5230\u670d\u52a1\u5668\u7684 web \u76ee\u5f55\u4e2d\uff0c\u6700\u7ec8\u5b9e\u73b0\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u3002\nURL\uff1ahttps://github.com/URJACK2025/CVE-2022-41678\n\n\u6807\u7b7e\uff1a#webshell", "creation_timestamp": "2025-10-14T14:25:33.000000Z"}, {"uuid": "3b726e12-62b6-4c1d-bef7-d5c0ba6a1965", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-41678", "type": "seen", "source": "https://t.me/arpsyndicate/3243", "content": "#ExploitObserverAlert\n\nCVE-2022-41678\n\nDESCRIPTION: Exploit Observer has 10 entries in 4 file formats related to CVE-2022-41678. Once an user is authenticated on Jolokia, he can potentially trigger arbitrary code execution.\u00a0  In details, in ActiveMQ configurations, jetty allows org.jolokia.http.AgentServlet to handler request to /api/jolokia  org.jolokia.http.HttpRequestHandler#handlePostRequest is able to create JmxRequest through JSONObject. And calls to org.jolokia.http.HttpRequestHandler#executeRequest.  Into deeper calling stacks, org.jolokia.handler.ExecHandler#doHandleRequest is able to invoke through refection.  And then, RCE is able to be achieved via jdk.management.jfr.FlightRecorderMXBeanImpl which exists on Java version above 11.  1 Call newRecording.  2 Call setConfiguration. And a webshell data hides in it.  3 Call startRecording.  4 Call copyTo method. The webshell will be written to a .jsp file.  The mitigation is to restrict (by default) the actions authorized on Jolokia, or disable Jolokia. A more restrictive Jolokia configuration has been defined in default ActiveMQ distribution. We encourage users to upgrade to ActiveMQ distributions version including updated Jolokia configuration: 5.16.6, 5.17.4, 5.18.0, 6.0.0.\n\nFIRST-EPSS: 0.001030000\nNVD-IS: 5.9\nNVD-ES: 2.8", "creation_timestamp": "2024-01-28T07:04:53.000000Z"}, {"uuid": "da96429d-e125-4c9c-b6e4-6754ed6d18ae", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-41678", "type": "seen", "source": "https://t.me/arpsyndicate/1179", "content": "#ExploitObserverAlert\n\nCVE-2022-41678\n\nDESCRIPTION: Exploit Observer has 4 entries related to CVE-2022-41678. Once an user is authenticated on Jolokia, he can potentially trigger arbitrary code execution.\u00a0  In details, in ActiveMQ configurations, jetty allows org.jolokia.http.AgentServlet to handler request to /api/jolokia  org.jolokia.http.HttpRequestHandler", "creation_timestamp": "2023-12-04T10:25:34.000000Z"}, {"uuid": "08c72833-b82c-458c-bbb0-8f1ce946ea79", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-41678", "type": "seen", "source": "https://t.me/ctinow/155663", "content": "https://ift.tt/SQjn9fk\nCVE-2022-41678 | Apache ActiveMQ up to 5.16.5/5.17.3 deserialization", "creation_timestamp": "2023-12-17T20:17:53.000000Z"}, {"uuid": "76ea1afc-e9b7-47cd-b3b5-36a31cb4b797", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-41678", "type": "seen", "source": "https://t.me/ctinow/152559", "content": "https://ift.tt/7ejXGkt\nApache ActiveMQ Jolokia Remote Code Execution Vulnerability (CVE-2022-41678) Notification", "creation_timestamp": "2023-11-30T12:31:42.000000Z"}, {"uuid": "c053fb30-7b71-47e3-90e1-71f6aedb7b2b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-41678", "type": "seen", "source": "https://t.me/arpsyndicate/1484", "content": "#ExploitObserverAlert\n\nCVE-2022-41678\n\nDESCRIPTION: Exploit Observer has 4 entries related to CVE-2022-41678. Once an user is authenticated on Jolokia, he can potentially trigger arbitrary code execution.\u00a0  In details, in ActiveMQ configurations, jetty allows org.jolokia.http.AgentServlet to handler request to /api/jolokia  org.jolokia.http.HttpRequestHandler", "creation_timestamp": "2023-12-06T12:50:53.000000Z"}, {"uuid": "a8ad0147-d0f7-448e-9b3b-659d809cd3f8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-41678", "type": "seen", "source": "https://t.me/arpsyndicate/1642", "content": "#ExploitObserverAlert\n\nCVE-2022-41678\n\nDESCRIPTION: Exploit Observer has 4 entries related to CVE-2022-41678. Once an user is authenticated on Jolokia, he can potentially trigger arbitrary code execution.\u00a0  In details, in ActiveMQ configurations, jetty allows org.jolokia.http.AgentServlet to handler request to /api/jolokia  org.jolokia.http.HttpRequestHandler", "creation_timestamp": "2023-12-10T15:02:59.000000Z"}, {"uuid": "b81858be-10c8-4004-8da5-4c26577ff811", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-41678", "type": "seen", "source": "https://t.me/ctinow/186445", "content": "https://ift.tt/kylmIni\nCVE-2022-41678 Apache ActiveMQ Vulnerability in NetApp Products", "creation_timestamp": "2024-02-16T15:31:52.000000Z"}]}