Ant Media Server: Local Privilege Escalation via Unauthenticated Localhost JMX
CWE-862
Missing Authorization
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Per GHSA-qwhw-hh9j-54f5: “We have identified a local privilege escalation vulnerability in Ant Media Server which allows any unprivileged operating system user account to escalate privileges to the root user account on the system. This vulnerability arises from Ant Media Server running with Java Management Extensions (JMX) enabled and authentication disabled on localhost on port 5599/TCP. This vulnerability is nearly identical to the local privilege escalation vulnerability CVE-2023-26269 identified in Apache James.”
Affected Packages / Versions
- Package:
ant-media-server(Maven) - Latest published version at triage time:
2.8.2 - Affected range:
Per GHSA-qwhw-hh9j-54f5: ant-media-server >= 2.6.0, < 2.9.0 - Patched version:
Ant Media Server 2.9.0
Impact
Per Praetorian’s blog: “An attacker could then leverage access to the JMX remote management listener to execute code within the context of the ‘antmedia‘ service account and then leverage the account’s sudo privileges to elevate access to root on the system.” Praetorian’s blog confirms exploitation used beanshooter and an MLet-loaded MBean (TonkaBean) to obtain code execution in the antmedia service context before pivoting to root via sudo.
Severity Rationale
GHSA severity: HIGH. NVD CVSS 7.8 (High): local AV, low complexity, low privileges (any local OS user), no UI, full CIA at root.
Fix
Per GHSA: upgrade to Ant Media Server 2.9.0“. Fix commit: 9cb38500729e0ff302da0290b9cfe1ec4dd6c764.
Disclosure timeline
- TBDReported to vendor
- TBDPatch released (Ant Media Server 2.9.0)
- Apr 22, 2024GHSA-qwhw-hh9j-54f5 published / Praetorian disclosure
Fix Commit(s)
References
Discovered by Adam Crosser · Published April 29, 2026