A vulnerability in the distributed mode of Apache JMeter could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.
The vulnerability is due to the deserialization of untrusted data. An attacker could exploit this vulnerability by establishing a Remote Method Invocation (RMI) connection with a jmeter-server while using the RemoteJMeterEngine interface. A successful exploit could allow the attacker to execute arbitrary code on a targeted system.
Apache.org has confirmed this vulnerability and updates are available.
Security Impact Rating: Critical
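
For defenders reviewing traffic captured from a jmeter-server's RMI port, the following added example (not part of the original advisory, and not Apache code) checks a payload for the RMI wire-protocol magic and the Java serialization stream header, then lists the class names it carries. The allow-list prefixes and the sample capture are constructed assumptions for illustration, and the class-descriptor scan is a heuristic rather than a full stream parser.

```python
import re
import struct

JRMP_MAGIC = b"JRMI"                   # opens every RMI (JRMP) connection
STREAM_HEADER = b"\xac\xed\x00\x05"    # Java serialization magic + version
TC_CLASSDESC = 0x72                    # marks a new class descriptor
CLASS_NAME = re.compile(rb"\[*[A-Za-z_$][\w$.]*;?")
# Assumption: packages this deployment expects to see; adjust per site.
ALLOWED_PREFIXES = ("java.lang.", "org.apache.jmeter.")


def class_names(payload):
    """Return class names found in class descriptors after the stream header."""
    start = payload.find(STREAM_HEADER)
    if start < 0:
        return []
    names, i = [], start + len(STREAM_HEADER)
    while i + 3 <= len(payload):
        if payload[i] == TC_CLASSDESC:
            (length,) = struct.unpack_from(">H", payload, i + 1)
            end = i + 3 + length
            name = payload[i + 3:end]
            # A descriptor is: name, then an 8-byte serialVersionUID.
            if length and end + 8 <= len(payload) and CLASS_NAME.fullmatch(name):
                names.append(name.decode("ascii"))
                i = end + 8
                continue
        i += 1
    return names


def triage(payload):
    """Summarise a captured payload for an analyst."""
    names = class_names(payload)
    return {
        "jrmp": payload.startswith(JRMP_MAGIC),
        "serialized": STREAM_HEADER in payload,
        "classes": names,
        "unexpected": [n for n in names if not n.startswith(ALLOWED_PREFIXES)],
    }


def _desc(name):
    """Build a minimal class descriptor for the constructed sample."""
    return bytes([TC_CLASSDESC]) + struct.pack(">H", len(name)) + name.encode() + b"\x00" * 8


# Constructed, simplified client-side capture: handshake, call, two objects.
SAMPLE = (JRMP_MAGIC + b"\x00\x02\x4b" + b"\x50" + STREAM_HEADER
          + b"\x73" + _desc("org.apache.jmeter.testelement.TestPlan")
          + b"\x73" + _desc("com.example.Unexpected"))

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Any entry under `unexpected` arriving from a host that is not a known JMeter controller is worth investigating.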