In Apache JMeter 2.X and 3.X, when using Distributed Test only , jmeter server binds RMI Registry to wildcard host. This could allow an attacker to get Access to JMeterEngine and send unauthorized code.