Exploiting JMeter via RMI
This is the story of a trivial deserialization exploit in Apache JMeter via Remote Method Invocation (RMI). It still exists, it won’t be fixed, and we are likely not the first to find it. Apache has labeled this as a no-fix — possibly correctly.