Port 61613 (TCP) – STOMP (ActiveMQ)

What runs on port 61613?

Port 61613 is the default for STOMP, the Simple Text Oriented Messaging Protocol, a human-readable framing commonly enabled on Apache ActiveMQ brokers. Clients connect over a simple text protocol to subscribe to and send messages on destinations (queues and topics), making it easy to integrate across languages. The TLS variant typically runs on 61614, and ActiveMQ's main wire protocol, OpenWire, on 61616.

Why it matters for security

STOMP gives direct access to the broker's messages, so an exposed 61613 lets attackers read and inject traffic that drives applications. ActiveMQ may accept default admin/admin credentials or anonymous connections, and plaintext STOMP is unencrypted. An open 61613 also signals an ActiveMQ host likely exposing the OpenWire broker on 61616, target of RCE CVE-2023-46604.

How it's attacked

Attackers connect over STOMP and try default credentials, then subscribe to destinations to read message traffic and send messages into application destinations to influence services. Discovery of 61613 also prompts a pivot to 61616 to attempt CVE-2023-46604 for unauthenticated remote code execution.

Hardening checklist

Change default admin/admin credentials and disable anonymous access. Disable the STOMP connector if it is not required, and use STOMP over TLS (commonly 61614) instead of plaintext 61613. Bind to a private interface and firewall 61613 to trusted hosts, apply per-user destination authorization, and keep ActiveMQ patched. Use the nmap snippet above to check exposure on hosts you are authorized to test.