This vulnerability in Apache ActiveMQ arises from improper input validation in the admin web console, permitting an authenticated attacker to inject a malicious broker name containing an xbean binding. This binding can be exploited via the DestinationView mbean to trigger VM transport creation that loads a remote Spring XML application context. Because Spring's ResourceXmlApplicationContext instantiates singleton beans before BrokerService validates configuration, arbitrary code execution can occur through bean factory methods such as Runtime.exec(). The issue affects Apache ActiveMQ versions before 5.19.6 and from 6.0.0 before 6.2.5. The vendor recommends upgrading to versions 5.19.6 or 6.2.5 to remediate the vulnerability.

Successful exploitation allows an authenticated attacker to execute arbitrary code on the broker's JVM, potentially leading to full compromise of the ActiveMQ broker service. The vulnerability impacts confidentiality, integrity, and availability, as indicated by the CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). No known exploits in the wild have been reported at this time.

Users should upgrade Apache ActiveMQ to version 5.19.6 or 6.2.5, where this vulnerability is fixed. Since no official patch links or vendor advisory text is provided, patch status is inferred from the description recommending these versions. No alternative mitigations or temporary fixes are indicated. Until upgraded, restrict access to the admin web console to trusted users only to reduce risk.