Port 1099 – Java RMI (Remote Method Invocation)

Service: rmiregistry

Protocol: TCP

Port: 1099

Used for: Java object serialization and remote method execution

Why It’s Open

Used by Java applications for distributed object communication. Often seen in legacy enterprise applications and middleware.

Common Risks

  • Remote Code Execution: Deserialization vulnerabilities are rampant.
  • Unauthenticated Access: Open RMI can allow dangerous introspection or control.
  • Insecure Class Loading: Attackers can trick the JVM into loading remote classes.

Enumeration & Testing

Nmap check

nmap -p 1099 -sV <target>
nmap -p 1099 --script rmi-dumpregistry <target>
rmi-client 1099

What to Look For

Checkpoint | What it means
Anonymous registry | May allow data leakage or control
Legacy Java versions | High risk of RCE

Known Exploits

  1. CVE-2017-12149: In JBoss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization, allowing an attacker to execute arbitrary code via crafted serialized data. (NVD entry)

Mitigation

  • Avoid exposing RMI externally.
  • Use a security manager and codebase restrictions.
  • Update JVM and libraries to prevent deserialization bugs.
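
To confirm the first mitigation holds, this added example (not part of the original page) sends the JRMP greeting to a host you operate and reports whether an RMI endpoint answers from that network position. The function names are this example's own, and the sample reply bytes in the main block are constructed.

```python
import socket
import struct

# JRMP greeting: magic "JRMI", version 2, protocol 0x4b (StreamProtocol).
JRMP_HELLO = b"JRMI" + struct.pack(">HB", 2, 0x4B)
PROTOCOL_ACK = 0x4E            # server accepts the protocol
PROTOCOL_NOT_SUPPORTED = 0x4F  # JRMP endpoint, but protocol refused


def parse_jrmp_reply(data: bytes) -> dict:
    """Classify the first bytes a server sends back after JRMP_HELLO."""
    if not data:
        return {"jrmp": False, "reason": "no reply"}
    if data[0] == PROTOCOL_NOT_SUPPORTED:
        return {"jrmp": True, "reason": "stream protocol refused"}
    if data[0] != PROTOCOL_ACK:
        return {"jrmp": False, "reason": "not a JRMP acknowledgement"}
    # The ack echoes the client's address as the server sees it:
    # a writeUTF string (2-byte length + bytes) followed by a 4-byte port.
    if len(data) < 3:
        return {"jrmp": True, "reason": "ack truncated"}
    (host_len,) = struct.unpack_from(">H", data, 1)
    end = 3 + host_len
    if len(data) < end + 4:
        return {"jrmp": True, "reason": "ack truncated"}
    host = data[3:end].decode("utf-8", "replace")
    (port,) = struct.unpack_from(">i", data, end)
    return {"jrmp": True, "reason": "ack", "seen_host": host, "seen_port": port}


def audit_endpoint(host: str, port: int = 1099, timeout: float = 3.0) -> dict:
    """Report whether host:port answers the JRMP handshake from here."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(JRMP_HELLO)
            reply = sock.recv(512)
    except OSError as exc:  # refused, filtered or timed out
        return {"host": host, "port": port, "reachable": False, "error": str(exc)}
    return {"host": host, "port": port, "reachable": True, **parse_jrmp_reply(reply)}


if __name__ == "__main__":
    # Constructed sample reply: ack, client seen as 10.0.0.5 port 50000.
    sample = (bytes([PROTOCOL_ACK]) + struct.pack(">H", 8)
              + b"10.0.0.5" + struct.pack(">i", 50000))
    print(parse_jrmp_reply(sample))
```

Run `audit_endpoint` from outside the trusted segment; a result with `jrmp` set to true means the firewall or bind-address restriction is not in effect for that host.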

Real-World Example

RMI vulnerabilities were exploited in several high-profile Java deserialization RCE attacks - including in Jenkins, WebLogic, and custom apps.

TL;DR

  • Service: Java RMI (Remote Method Invocation)
  • Default Port: 1099
  • Risks: Deserialization vulnerabilities leading to RCE
  • Mitigation: Update Java applications, restrict RMI access