Port reference

Port 61616 (TCP) – ActiveMQ OpenWire

Default port for OpenWire, the native binary wire protocol of Apache ActiveMQ used by JMS clients to connect to the broker.

tcp | Dynamic / private | Commonly attacked

Default state

ActiveMQ binds OpenWire on 61616 by default. Exposed brokers may accept default credentials or anonymous clients and, when unpatched, are vulnerable to the CVE-2023-46604 unauthenticated RCE.

Common attacks

  • Unauthenticated remote code execution via CVE-2023-46604
  • Login with default admin/admin credentials to control the broker
  • Reading and injecting messages on queues and topics
  • Pivot from the web console on 8161 to the broker

CVE-2023-46604

Hardening

  • Patch ActiveMQ to a fixed version to close CVE-2023-46604
  • Bind OpenWire to a private interface and firewall 61616 to trusted hosts
  • Change default admin/admin credentials and disable anonymous access
  • Use OpenWire over TLS (commonly 61617) instead of plaintext 61616
  • Apply per-user destination authorization and audit broker access

nmap snippet

nmap -p61616 --script banner <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 61616?

Port 61616 is the default for OpenWire, the native binary wire protocol of Apache ActiveMQ. JMS clients connect over 61616 to publish and consume messages on the broker's queues and topics — it is the broker's primary protocol, distinct from the web console on 8161 and STOMP on 61613. The TLS variant typically runs on 61617.

Why it matters for security

61616 is the heart of an ActiveMQ deployment, so an exposed broker hands attackers the messaging backbone. Unpatched OpenWire is vulnerable to CVE-2023-46604, a critical unauthenticated remote code execution flaw: a crafted packet makes the broker instantiate an attacker-controlled class. Brokers may also accept default admin/admin credentials or anonymous clients.

How it's attacked

Attackers scan for open 61616 and send a crafted OpenWire packet to exploit CVE-2023-46604, gaining unauthenticated RCE on the broker host. Where the broker is patched, they try default credentials to control the broker, read and inject messages, and pivot from a discovered web console on 8161 to confirm the target.

Hardening checklist

Patch ActiveMQ to a fixed version to close CVE-2023-46604 — this is the top priority. Bind OpenWire to a private interface and firewall 61616 to trusted hosts. Change default admin/admin credentials and disable anonymous access, use OpenWire over TLS (commonly 61617), apply per-user destination authorization, and audit access. Use the nmap snippet above to check exposure on hosts you are authorized to test.
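
The following Python script is an added example, not code from the original page or from the ActiveMQ project. It audits an activemq.xml for three items on the checklist above: OpenWire connectors bound to all interfaces, plaintext OpenWire, and anonymous access. The sample config is constructed, audit_broker_config is a hypothetical helper name, and treating any element whose name ends in AuthenticationPlugin as "authentication is configured" is a heuristic assumed here.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

WILDCARD_HOSTS = {"0.0.0.0", "::", ""}          # binds on every interface
OPENWIRE_SCHEMES = {"tcp", "nio", "ssl", "auto"}  # URI scheme parts that carry OpenWire

# Constructed sample config for illustration, not taken from a real broker.
SAMPLE = """<beans xmlns="http://www.springframework.org/schema/beans">
  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="sample">
    <plugins>
      <simpleAuthenticationPlugin anonymousAccessAllowed="true"/>
    </plugins>
    <transportConnectors>
      <transportConnector name="openwire" uri="tcp://0.0.0.0:61616?maximumConnections=1000"/>
      <transportConnector name="openwire-tls" uri="ssl://10.0.5.12:61617"/>
      <transportConnector name="stomp" uri="stomp://0.0.0.0:61613"/>
    </transportConnectors>
  </broker>
</beans>"""

def audit_broker_config(xml_text):
    """Return (scope, finding) tuples in document order; hypothetical helper."""
    findings, auth_seen = [], False
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]           # drop the XML namespace
        if tag == "transportConnector":
            uri = urlsplit(el.get("uri", ""))
            parts = set(uri.scheme.split("+"))
            if not parts <= OPENWIRE_SCHEMES:     # skip STOMP, AMQP, MQTT, WS
                continue
            name = el.get("name", "?")
            if (uri.hostname or "") in WILDCARD_HOSTS:
                findings.append((name, "binds to all interfaces"))
            if "ssl" not in parts:
                findings.append((name, "plaintext OpenWire, no TLS"))
        elif tag.endswith("AuthenticationPlugin"):  # heuristic: any auth plugin
            auth_seen = True
            if el.get("anonymousAccessAllowed", "false").lower() == "true":
                findings.append(("broker", "anonymous access allowed"))
    if not auth_seen:
        findings.append(("broker", "no authentication plugin configured"))
    return findings

if __name__ == "__main__":
    for scope, finding in audit_broker_config(SAMPLE):
        print(f"{scope}: {finding}")
```

An empty result means none of these three checks fired; it says nothing about patch level, which still has to be verified separately.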

Frequently asked questions

What is CVE-2023-46604?

CVE-2023-46604 is a critical unauthenticated remote code execution flaw in Apache ActiveMQ's OpenWire protocol on 61616. A crafted packet makes the broker instantiate an attacker-controlled class. Patch immediately and firewall the port.

What is OpenWire on port 61616?

OpenWire is ActiveMQ's native binary wire protocol used by JMS clients to connect to the broker on 61616. It carries messages between producers and consumers; the TLS variant typically uses 61617.