The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2024-56518

CVE-2024-56518: Hazelcast Management Center RCE Vulnerability

CVE-2024-56518 is a remote code execution vulnerability in Hazelcast Management Center through version 6.0 exploitable via malicious JNDI configuration. This article covers technical details, affected versions, and mitigation.

Published: April 8, 2026

CVE-2024-56518 Overview

CVE-2024-56518 is a critical Remote Code Execution (RCE) vulnerability affecting Hazelcast Management Center through version 6.0. The vulnerability allows attackers to execute arbitrary code remotely by exploiting a JNDI injection flaw in the JndiLoginModule component. An attacker can craft a malicious hazelcast-client XML configuration file containing a manipulated user.provider.url parameter and upload it through the /cluster-connections URI endpoint.

Critical Impact

This vulnerability enables unauthenticated remote attackers to achieve full system compromise through JNDI injection, potentially leading to complete takeover of affected Hazelcast Management Center installations.

Affected Products

  • Hazelcast Management Center through version 6.0
  • Hazelcast Management Center 6.0-snapshot and earlier releases
  • All deployments exposing the /cluster-connections endpoint

Discovery Timeline

  • 2025-04-17 - CVE-2024-56518 published to NVD
  • 2025-07-07 - Last updated in NVD database

Technical Details for CVE-2024-56518

Vulnerability Analysis

This vulnerability is classified as a Code Injection flaw (CWE-94) that leverages JNDI (Java Naming and Directory Interface) injection to achieve remote code execution. The attack exploits the client configuration file upload functionality in Hazelcast Management Center, specifically targeting how the application processes the JndiLoginModule authentication module.

When a user uploads a hazelcast-client XML document through the /cluster-connections endpoint, the Management Center parses and processes the configuration without adequate validation of the user.provider.url parameter. An attacker can specify a malicious JNDI URL (such as ldap:// or rmi://) pointing to an attacker-controlled server, triggering the classic JNDI injection attack pattern similar to the Log4Shell vulnerability.

The vulnerability is particularly dangerous because it requires no prior authentication and can be exploited over the network, making it accessible to any attacker who can reach the Management Center web interface.

Root Cause

The root cause of this vulnerability lies in insufficient input validation and sanitization of the user.provider.url parameter within the JndiLoginModule configuration. The application fails to restrict the types of JNDI URLs that can be specified, allowing attackers to provide arbitrary JNDI lookup URLs. When the Management Center attempts to establish a connection using the uploaded configuration, it performs a JNDI lookup to the attacker-specified URL, which can return a malicious Java object that gets deserialized and executed on the target system.

Attack Vector

The attack is network-based and can be executed without any user interaction or prior authentication. An attacker needs to:

  1. Craft a malicious hazelcast-client XML configuration file containing a JndiLoginModule section with a weaponized user.provider.url parameter
  2. Set up a malicious LDAP or RMI server to serve a gadget chain payload
  3. Upload the malicious XML file to the target's /cluster-connections endpoint
  4. The vulnerable application processes the configuration and performs a JNDI lookup to the attacker's server
  5. The malicious server returns a serialized Java object that executes arbitrary code when deserialized

The exploitation mechanism follows the well-documented JNDI injection attack pattern. Technical details and proof-of-concept information can be found in the GitHub Gist reference associated with this vulnerability.

Detection Methods for CVE-2024-56518

Indicators of Compromise

  • Unexpected HTTP POST requests to the /cluster-connections endpoint from external or untrusted IP addresses
  • XML file uploads containing suspicious JndiLoginModule configurations with external JNDI URLs
  • Outbound connections from Hazelcast Management Center to unexpected LDAP, RMI, or DNS servers
  • Unusual Java process spawning or command execution originating from the Management Center process
  • Log entries showing JNDI lookup failures or connections to non-organizational LDAP/RMI endpoints

Detection Strategies

  • Deploy web application firewall (WAF) rules to inspect and block XML payloads containing malicious JNDI URL patterns such as ldap://, rmi://, or dns:// in uploaded files
  • Implement network monitoring to detect outbound connections from Hazelcast Management Center to unexpected external LDAP or RMI servers
  • Enable verbose logging on the Management Center and monitor for JNDI-related errors or unusual authentication module activity
  • Use endpoint detection and response (EDR) solutions to monitor for suspicious child processes spawned by Java applications

Monitoring Recommendations

  • Monitor HTTP traffic to the /cluster-connections endpoint for unusual file upload activity, particularly XML files with suspicious content
  • Implement egress filtering and alerting for outbound LDAP (port 389/636) and RMI (port 1099) connections from Management Center hosts
  • Set up alerts for any new or modified cluster connection configurations in production environments
  • Review authentication logs regularly for failed or unusual JNDI authentication attempts

How to Mitigate CVE-2024-56518

Immediate Actions Required

  • Restrict network access to the Hazelcast Management Center /cluster-connections endpoint using firewall rules or reverse proxy configurations
  • Implement authentication and authorization controls to limit who can upload cluster configuration files
  • Consider temporarily disabling the cluster connections upload functionality until a patch is applied
  • Audit existing cluster connection configurations for any suspicious or unauthorized entries
  • Place Hazelcast Management Center behind a VPN or corporate network boundary to limit external exposure

Patch Information

Organizations should consult the Hazelcast Installation Guide for the latest version information and upgrade instructions. Monitor Hazelcast's official security advisories for patch releases addressing this vulnerability. Upgrade to a patched version of Hazelcast Management Center as soon as one becomes available.

Workarounds

  • Implement strict network segmentation to ensure Hazelcast Management Center is not directly accessible from untrusted networks
  • Configure a reverse proxy or web application firewall to block requests to the /cluster-connections endpoint from unauthorized sources
  • Disable outbound LDAP and RMI connections from Management Center hosts at the network level to prevent JNDI callback exploitation
  • Apply Java Virtual Machine (JVM) flags to restrict JNDI lookups, such as setting com.sun.jndi.ldap.object.trustURLCodebase=false
bash
# JVM configuration to mitigate JNDI injection attacks
# Add these flags to your Hazelcast Management Center startup script
export JAVA_OPTS="$JAVA_OPTS -Dcom.sun.jndi.ldap.object.trustURLCodebase=false"
export JAVA_OPTS="$JAVA_OPTS -Dcom.sun.jndi.rmi.object.trustURLCodebase=false"
export JAVA_OPTS="$JAVA_OPTS -Dcom.sun.jndi.cosnaming.object.trustURLCodebase=false"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeRCE
  • Vendor/TechHazelcast
  • SeverityCRITICAL
  • CVSS Score9.8
  • EPSS Probability2.05%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityHigh
  • CWE References
  • CWE-94
  • Technical References
  • Hazelcast Installation Guide
  • GitHub Gist Code Snippet
  • Related CVEs
  • CVE-2023-45859: Hazelcast Auth Bypass Vulnerability
  • CVE-2022-0265: Hazelcast XXE Vulnerability in Version 5.1
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English