Port reference
Port 8161 (TCP) – Apache ActiveMQ web console
Default port for the Apache ActiveMQ web console (Jetty), the HTTP admin and Jolokia management interface for the broker.
Default state
ActiveMQ ships the web console with default admin/admin credentials. If 8161 is exposed, attackers gain broker administration and management API access.
Common attacks
- Login with default admin/admin web console credentials
- Broker administration and queue manipulation via the console
- Abuse of the Jolokia/management API for configuration changes
- Pivot to the OpenWire broker on 61616 (e.g. CVE-2023-46604 RCE)
Hardening
- Change the default admin/admin credentials immediately
- Bind the console to localhost or a private interface; firewall 8161
- Restrict or disable the Jolokia management API where unused
- Put the console behind a reverse proxy with authentication and TLS
- Patch ActiveMQ promptly (notably for CVE-2023-46604)
nmap snippet
nmap -p8161 --script http-title <target>
Replace <target> with the host or range you're authorized to scan.
What runs on port 8161?
Port 8161 is the default for the Apache ActiveMQ web console, a Jetty-hosted HTTP administration interface for the message broker. Operators use it to manage queues and topics, view connections, and send test messages, and it also exposes a Jolokia/management API. The broker's wire protocol, OpenWire, runs separately on 61616.
Why it matters for security
The console grants full broker administration, so exposing 8161 hands over control of the messaging backbone. ActiveMQ ships it with default admin/admin credentials, and an exposed console almost always indicates the host is also running the OpenWire broker on 61616 — which was hit by the unauthenticated RCE CVE-2023-46604.
How it's attacked
Attackers reach 8161 and try default admin/admin to log in, then manipulate queues, read messages, and change configuration via the console and Jolokia API. Discovery of 8161 is also a strong signal to pivot to 61616 and attempt CVE-2023-46604 for unauthenticated remote code execution on the broker host.
Hardening checklist
Change the default admin/admin credentials immediately. Bind the console to localhost or a private interface and firewall 8161. Restrict or disable the Jolokia management API where unused, and place the console behind a reverse proxy with authentication and TLS. Patch ActiveMQ promptly, notably for CVE-2023-46604. Use the nmap snippet above to check exposure on hosts you are authorized to test.
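The first two checklist items can be audited on the broker host itself. The script below is an added example, not ActiveMQ's own code or tooling. It assumes the console users live in a Jetty realm properties file (one `username: password, role` entry per line) and that the bind address is set by `host` and `port` properties on a bean in the console's Jetty XML. Both layouts and all sample values are assumptions constructed for the example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample inputs (not taken from a real host).
SAMPLE_REALM = """\
# username: password [,rolename ...]
admin: admin, admin
ops: Xq7-constructed-passphrase, admin
svc: MD5:0123456789abcdef0123456789abcdef, user
"""
SAMPLE_JETTY_XML = """\
<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="jettyPort">
    <property name="host" value="0.0.0.0"/>
    <property name="port" value="8161"/>
  </bean>
</beans>
"""
HASHED = ("MD5:", "OBF:", "CRYPT:")  # Jetty credential prefixes: not comparable as plain text


def audit_realm(text):
    """Return (user, finding) pairs for default or unverifiable passwords."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, rest = (part.strip() for part in line.split(":", 1))
        password = rest.split(",", 1)[0].strip()
        if password.startswith(HASHED):
            findings.append((user, "hashed/obfuscated, verify manually"))
        elif password == "admin" or password == user:
            findings.append((user, "default or username-as-password"))
    return findings


def audit_bind(xml_text):
    """Return (host, port, non_loopback) for the first bean carrying a port property."""
    for bean in ET.fromstring(xml_text).iter():
        props = {p.get("name"): p.get("value") for p in bean if p.tag.endswith("property")}
        if "port" not in props:
            continue
        host = props.get("host", "0.0.0.0")  # assumption: a missing host is treated as all interfaces
        try:
            non_loopback = not ipaddress.ip_address(host).is_loopback
        except ValueError:  # hostname rather than an IP literal
            non_loopback = host != "localhost"
        return host, props["port"], non_loopback
    return None
```

A `non_loopback` result of `True` is not a finding on its own if the address is a private interface that is also firewalled; check it against the host's firewall rules.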
Frequently asked questions
- What are the default ActiveMQ web console credentials?
- Apache ActiveMQ ships the web console with admin/admin. If 8161 is exposed and the password is unchanged, an attacker gets full broker administration. Change credentials and firewall the port.
- Is the ActiveMQ console related to CVE-2023-46604?
- CVE-2023-46604 is an unauthenticated RCE in the OpenWire protocol on 61616, not the console itself. But an exposed 8161 signals an ActiveMQ host that is likely also exposing the vulnerable 61616.