What is the CVSS score of CVE-2016-3088?

CVE-2016-3088 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 94.3%.

Which versions of Apache ActiveMQ are affected by CVE-2016-3088?

Apache ActiveMQ versions before 5.14.0 are subject to confirmed active exploitation enabling unauthenticated remote code execution on message broker infrastructure.. A patch is available.

Is there a public PoC exploit available for CVE-2016-3088?

Yes, a public proof-of-concept exploit is available for CVE-2016-3088. Prioritise patching immediately. EPSS: 94.3%.

How to fix or mitigate CVE-2016-3088?

Within 24 hours: Identify all ActiveMQ deployments running versions 5.x before 5.14.0 and isolate affected systems from untrusted networks. Within 7 days: Apply vendor-released patch to upgrade ActiveMQ to version 5.14.0 or later on all instances. Within 30 days: Conduct forensic review of ActiveMQ access logs and system audit trails for indicators of compromise; verify message queue integrity and re-establish baseline security posture.

Apache ActiveMQ CVE-2016-3088

CRITICAL

Unrestricted Upload of File with Dangerous Type (CWE-434)

2016-06-01 secalert@redhat.com

Apache File Upload

9.8

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

9.8 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Updated

Apr 21, 2026 - 15:31 vuln.today

v2 (cvss_changed)

Re-analysis Queued

Apr 21, 2026 - 15:22 vuln.today

cvss_changed

Analysis Generated

Mar 26, 2026 - 11:18 vuln.today

Added to CISA KEV

Oct 22, 2025 - 00:15 cisa

CISA KEV

PoC Detected

Oct 22, 2025 - 00:15 vuln.today

Public exploit code

Patch released

Oct 22, 2025 - 00:15 nvd

Patch available

CVE Published

Jun 01, 2016 - 20:59 nvd

CRITICAL 9.8

DescriptionCVE.org

The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request.

AnalysisAI

Remote code execution in Apache ActiveMQ 5.x before 5.14.0 allows unauthenticated attackers to upload and execute arbitrary files on the message broker server by chaining HTTP PUT and MOVE requests against the Fileserver web application. This vulnerability is confirmed actively exploited (CISA KEV) with EPSS score of 94.29%, publicly available exploit code exists, and vendor-released patch is available in ActiveMQ 5.14.0.

Technical ContextAI

Apache ActiveMQ is an open-source message broker implementing JMS (Java Message Service) for enterprise messaging. The vulnerable Fileserver web application component provides file management capabilities over HTTP. The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type), where the application fails to properly validate file uploads and restrict execution permissions. The attack exploits HTTP PUT to write arbitrary files to the server filesystem, then uses HTTP MOVE to relocate them to executable locations like webapps directories, bypassing typical upload restrictions. The affected CPE cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:* confirms this impacts the core ActiveMQ product across all platforms prior to version 5.14.0.

RemediationAI

Upgrade immediately to Apache ActiveMQ 5.14.0 or later, which removes the vulnerable Fileserver web application functionality according to the vendor advisory at http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt and commit thread at https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2%40%3Ccommits.activemq.apache.org%3E. Red Hat customers should apply RHSA-2016-2036 for integrated products. If immediate upgrade is not feasible, disable the Fileserver web application by removing or commenting out the fileserver servlet mapping in the ActiveMQ web.xml configuration file, though this breaks legitimate file transfer functionality. Network segmentation to restrict ActiveMQ admin interface access to trusted management networks provides defense-in-depth but does not eliminate risk if attackers gain internal network access. Do not rely on authentication controls alone as the vulnerability affects unauthenticated endpoints. Given active exploitation and available weaponized exploits, workarounds should be considered temporary emergency measures only pending full upgrade.

CVE-2016-3088 vulnerability details – vuln.today

Back

Apache ActiveMQ CVE-2016-3088

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code