
CISA flags Apache ActiveMQ flaw as actively exploited in attacks

Published:

17 April 2026 at 09:30:15

Alert date:

17 April 2026 at 10:00:42

Source:

bleepingcomputer.com


Enterprise Applications, Zero-Day Vulnerabilities, Supply Chain & Dependencies

CISA has warned that attackers are actively exploiting a high-severity vulnerability in Apache ActiveMQ that was recently patched. The vulnerability had gone undetected for 13 years before being discovered and patched earlier this month. The active exploitation prompted CISA to flag this vulnerability as a priority security concern. Organizations using Apache ActiveMQ are urged to apply the available patches immediately to prevent potential compromise.

Technical details

CVE-2026-34197 is a 13-year-old Apache ActiveMQ vulnerability that stems from improper input validation, allowing authenticated threat actors to execute arbitrary code via injection attacks. The vulnerability was discovered by Horizon3 researcher Naveen Sunkavally using the Claude AI assistant. Signs of exploitation can be found by analyzing ActiveMQ broker logs for suspicious broker connections that use the brokerConfig=xbean:http:// query parameter and the internal VM transport protocol. Over 7,500 Apache ActiveMQ servers are currently exposed online.

Mitigation steps:

Apply mitigations per vendor instructions and patch ActiveMQ servers to version 6.2.3 or 5.19.4. Federal agencies must patch by April 30, within the two-week window mandated by BOD 22-01. Private sector organizations should prioritize patching. Monitor ActiveMQ broker logs for suspicious connections that use the brokerConfig=xbean:http:// query parameter and the internal VM transport protocol. Follow applicable BOD 22-01 guidance for cloud services, or discontinue use if mitigations are unavailable.
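As an added example (not code from the advisory, BleepingComputer or the Apache project), the log check described above as a small Python scanner: it flags the two indicators the advisory names, the brokerConfig=xbean:http:// parameter and the internal vm:// transport, and ranks them for triage. The log lines are constructed samples in an assumed layout, not verbatim ActiveMQ output.

```python
import re
from dataclasses import dataclass

# Indicators named in the advisory: a brokerConfig parameter pointing at an xbean
# configuration fetched over HTTP, and use of the internal "vm://" transport.
XBEAN_HTTP = re.compile(r"brokerConfig=xbean:https?://", re.IGNORECASE)
VM_TRANSPORT = re.compile(r"\bvm://", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    indicators: tuple
    severity: str
    text: str


def scan_broker_log(lines):
    """Return one Finding per log line that carries at least one indicator.

    The xbean-over-HTTP parameter is the strong signal and is ranked high; a bare
    vm:// reference is ranked low because (assumption) in-JVM clients use it in
    normal operation, so on its own it is only a lead for further triage.
    """
    findings = []
    for n, line in enumerate(lines, start=1):
        hits = []
        if XBEAN_HTTP.search(line):
            hits.append("brokerConfig=xbean:http")
        if VM_TRANSPORT.search(line):
            hits.append("vm-transport")
        if hits:
            severity = "high" if "brokerConfig=xbean:http" in hits else "low"
            findings.append(Finding(n, tuple(hits), severity, line.rstrip()))
    return findings


# Constructed sample lines; the layout is an assumed log format, not verbatim
# ActiveMQ output. 203.0.113.0/24 is a documentation address range.
SAMPLE_LOG = """\
2026-04-17 09:31:02,114 | INFO | Connector openwire started
2026-04-17 09:32:10,541 | INFO | Connection from tcp://203.0.113.10:54321 accepted
2026-04-17 09:33:44,002 | INFO | Connection from vm://broker?brokerConfig=xbean:http://203.0.113.99/cfg.xml
2026-04-17 09:35:01,777 | INFO | Connector vm://localhost started
""".splitlines()

if __name__ == "__main__":
    for f in scan_broker_log(SAMPLE_LOG):
        print(f"line {f.line_no} [{f.severity}] {', '.join(f.indicators)}: {f.text}")
```

Point it at real broker logs by replacing SAMPLE_LOG with the file's lines; high-severity hits warrant checking which configuration URL was fetched and from where.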

Affected products:

Apache ActiveMQ Classic, unpatched versions prior to 6.2.3 and prior to 5.19.4
(6.2.3 and 5.19.4 are the patched releases)

IOCs:

Broker connections carrying the brokerConfig=xbean:http:// query parameter; suspicious broker connections using the internal VM transport protocol

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information obtained from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
