Prevent unauthorized access to /system/console | Community
Level 6
June 10, 2026
Question

Prevent unauthorized access to /system/console


There appears to be a short window during system startup where the OSGi Management Console (/system/console) can be accessed using default or static credentials (e.g., admin:admin).
This window can allow unauthorized users with network access to gain admin rights if they know or guess the password, before the usual authentication/authorization mechanisms and custom user configs are fully in place.
What are best practices to completely prevent unauthorized access to /system/console during (and after) startup?

2 replies

avesh_narang
Level 4
June 10, 2026

Hi @anasustic,

The best approach is to limit network access, not exposing it publicly while AEM is starting, and to change the admin password right after you log in.

 

Thanks 

anasustic (Author)
Level 6
June 11, 2026

Hi @avesh_narang

The AEM Security Checklist https://experienceleague.adobe.com/en/docs/experience-manager-65/content/security/security-checklist suggests to change the OSGi web console admin password.
What is the difference between the admin password and the admin password for the OSGi Web console?

Thanks.

 

Level 1
June 11, 2026

Hi @anasustic


These are two different credentials.

admin password: stored in the JCR repository, governs access to the AEM UI, CRXDE, and all Sling-authenticated requests. 

OSGi Web Console password: stored as an OSGi config (Apache Felix OSGi Management Console), governs access to /system/console. Active even during JCR startup/shutdown or repository failures.

Hope this helps.
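
An added example, not part of the thread and not Adobe or Apache Felix code: because the reply above notes that the console password is stored as an OSGi configuration, this script audits configuration files for the Apache Felix OSGi Management Console PID and flags a password that is missing, kept in plain text, or still equal to the default. The file paths and the second password are constructed, and the `{sha-256}` plus Base64 stored form is an assumption about how the console hashes the value.

```python
import base64
import hashlib
import json
import re

# PID of the Apache Felix OSGi Management Console configuration.
PID = "org.apache.felix.webconsole.internal.servlet.OsgiManager"
DEFAULT_PASSWORD = "admin"  # default named in the question (admin:admin)

def matches_default(stored, candidate=DEFAULT_PASSWORD):
    """True if a stored value (plain text or {alg}base64) equals candidate."""
    m = re.fullmatch(r"\{([A-Za-z0-9-]+)\}(.+)", stored)  # assumed hashed form
    if not m:
        return stored == candidate  # plain-text value
    alg = m.group(1).lower().replace("-", "")
    if alg not in hashlib.algorithms_available:
        return False  # unknown scheme, cannot compare
    digest = hashlib.new(alg, candidate.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii") == m.group(2)

def audit(configs):
    """configs maps file path -> JSON text; returns a list of findings."""
    findings, seen = [], False
    for path, text in sorted(configs.items()):
        if not path.rsplit("/", 1)[-1].startswith(PID):
            continue
        seen = True
        password = json.loads(text).get("password")
        if password is None:
            findings.append(f"{path}: no password property, default applies")
        elif matches_default(password):
            findings.append(f"{path}: password is still the default")
        elif not password.startswith("{"):
            findings.append(f"{path}: password stored in plain text")
    if not seen:
        findings.append(f"no configuration for {PID}, default applies")
    return findings

# Constructed sample: one default and one changed password.
SAMPLE = {
    f"config.author/{PID}.cfg.json": json.dumps(
        {"username": "admin",
         "password": "{sha-256}jGl25bVBBBW96Qi9Te4V37Fnqchz/Eu4qB9vKrRIqRg="}),
    f"config.publish/{PID}.cfg.json": json.dumps(
        {"username": "console-ops",
         "password": "{sha-256}" + base64.b64encode(
             hashlib.sha256(b"constructed-long-passphrase").digest()).decode()}),
}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```

Running the audit against configuration checked into source control catches a default console password before the instance is started, which is the window the question describes.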