This vulnerability in Apache ActiveMQ allows an authenticated attacker to bypass broker name validation through the admin web console by injecting an xbean binding. This malicious broker name can be referenced by a VM transport to load a remote Spring XML application context. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before configuration validation, the attacker can achieve arbitrary code execution on the broker's JVM via bean factory methods like Runtime.exec(). The issue affects Apache ActiveMQ versions prior to 5.19.6 and from 6.0.0 up to but not including 6.2.5. Upgrading to versions 5.19.6 or 6.2.5 mitigates the vulnerability.

Successful exploitation allows an authenticated attacker to execute arbitrary code on the JVM running the Apache ActiveMQ broker. This can lead to full compromise of the broker service, potentially affecting message handling and system integrity. The vulnerability requires authentication and access to the admin web console, limiting exposure to authorized users or attackers who have gained such access.

Users should upgrade Apache ActiveMQ to version 5.19.6 or 6.2.5 or later, where this vulnerability is fixed. No other official remediation or temporary fixes are documented. Since this is not a cloud service, users must apply the upgrade themselves. Patch status is confirmed by the vendor advisory recommending these versions.