According to the US Cybersecurity and Infrastructure Security Agency (CISA), a recently disclosed high-severity security flaw in Apache ActiveMQ Classic is being exploited in the wild.
To that end, the agency is adding this vulnerability, tracked as CVE-2026-34197 (CVSS score: 8.8), to its Known Exploited Vulnerabilities (KEV) catalog and requiring Federal Civilian Executive Branch (FCEB) agencies to apply a fix by April 30, 2026.
CVE-2026-34197 is described as a case of improper input validation that can lead to code injection, allowing an attacker to execute arbitrary code on a susceptible installation. According to Naveen Sunkavally of Horizon3.ai, CVE-2026-34197 has been “hiding in obscurity” for 13 years.
“An attacker can invoke management operations through ActiveMQ’s Jolokia API to trick the broker into retrieving remote configuration files and executing arbitrary OS commands,” Sunkavally added.
“This vulnerability requires credentials, but the default credentials (admin:admin) are common in many environments. Some versions (6.0.0 – 6.1.1) do not require credentials at all due to another vulnerability CVE-2024-32114 that incorrectly exposes the Jolokia API without authentication. In these versions, CVE-2026-34197 is effectively an unauthenticated RCE.”
This vulnerability affects the following versions:
Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) Apache ActiveMQ Broker before 5.19.4 (org.apache.activemq:activemq-broker) 6.0.0 Apache ActiveMQ before 6.2.3 (org.apache.activemq:activemq-all) Apache ActiveMQ before 5.19.4 (org.apache.activemq:activemq-all) 6.0.0 before 6.2.3
We recommend upgrading to version 5.19.4 or 6.2.3, which resolves this issue. Although details about how CVE-2026-34197 is being exploited in the wild are currently unknown, SAFE Security revealed in a report published this week that threat actors are actively targeting Jolokia management endpoints exposed in Apache ActiveMQ Classic deployments.
This finding once again shows that exploitation schedules continue to break down, as attackers attack newly disclosed vulnerabilities at an alarming rate and penetrate systems before they can be patched.
Apache ActiveMQ is a common attack target, with flaws in the open-source message broker repeatedly exploited in various malware campaigns since 2021. In August 2025, a critical vulnerability in ActiveMQ (CVE-2023-46604, CVSS score: 10.0) was weaponized by an unknown attacker to drop Linux malware called DripDropper.
“Given ActiveMQ’s role in enterprise messaging and data pipelines, exposing management interfaces poses a high-impact risk, potentially enabling data leaks, service interruptions, and lateral movement,” SAFE Security said. “Organizations should audit all deployments of externally accessible Jolokia endpoints, restrict access to trusted networks, enforce strong authentication, and disable Jolokia when not required.”
Source link
