
CVE-2016-3088

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 01 June 2016

Modified: 21 April 2026
KEV Added: 10 February 2022
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9428 (99.9th percentile)
Risk Priority: 96 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2016-3088 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Apache ActiveMQ. Its CVSS base score is 9.8 (Critical).

Operationally, this CVE ranks in the top 0.1% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

The vulnerability CVE-2016-3088 is an unrestricted file upload flaw (CWE-434) in the Fileserver web application component of Apache ActiveMQ 5.x releases prior to 5.14.0. It enables remote attackers to place arbitrary files on the server by issuing an HTTP PUT request followed by an HTTP MOVE request. The flaw received a CVSS 3.1 base score of 9.8, reflecting network attack vector, low complexity, and no required privileges or user interaction.

Unauthenticated attackers with network access to the ActiveMQ Fileserver endpoint can exploit the issue to upload executable content and subsequently invoke it, resulting in full control over confidentiality, integrity, and availability of the affected broker and host system.

Public advisories, including the Apache ActiveMQ security announcement and the corresponding Red Hat erratum, direct users to upgrade to version 5.14.0 or later to eliminate the vulnerable Fileserver behavior. Additional vendor tracking entries from SecurityTracker and Zero Day Initiative reference the same remediation path.

Vulnerability details

The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request.

CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)
KEV Date Added: 10 February 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: apache
Product: activemq
Affected versions: 5.0.0 to 5.14.0 (5.x releases prior to 5.14.0)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent (AC-3, Access Enforcement): Enforces authorization checks on the ActiveMQ Fileserver endpoint so that unauthenticated PUT and MOVE requests are rejected before arbitrary files can be uploaded or executed.

prevent (SI-10, Information Input Validation): Requires validation of all input (including file names, content types, and destinations) to block the unrestricted file-upload sequence that defines CVE-2016-3088.

prevent: Disables or removes the vulnerable Fileserver web application component entirely, eliminating the attack surface that the PUT/MOVE flaw exploits.