Perceptive Security
SOC/SIEM Consultancy

Actively exploited Apache ActiveMQ flaw impacts 6,400 servers
Published:
21 April 2026 at 11:17:51
Alert date:
21 April 2026 at 12:01:48
Source:
bleepingcomputer.com
Enterprise Applications, Zero-Day Vulnerabilities
Over 6,400 Apache ActiveMQ servers exposed online are vulnerable to ongoing attacks exploiting a high-severity code injection vulnerability. The nonprofit security organization Shadowserver discovered this widespread exposure. The vulnerability is being actively exploited in the wild, making it a critical security concern for organizations running ActiveMQ servers. This represents a significant threat to enterprise messaging infrastructure.
Technical details
CVE-2026-34197 is a high-severity code injection vulnerability in Apache ActiveMQ that stems from an improper input validation weakness. It enables authenticated threat actors to execute arbitrary code on unpatched systems. The flaw remained undetected for 13 years before being discovered by Horizon3 researcher Naveen Sunkavally using the Claude AI assistant. Over 6,400 Apache ActiveMQ servers exposed online are vulnerable, with most located in Asia (2,925), North America (1,409), and Europe (1,334).
Mitigation steps:
Update Apache ActiveMQ Classic to version 5.19.4 or 6.2.3 (or later). Apply mitigations per vendor instructions. Search ActiveMQ broker logs for signs of exploitation by looking for suspicious broker connections that use the internal VM transport protocol together with a brokerConfig=xbean:http:// query parameter. Follow applicable BOD 22-01 guidance for cloud services, or discontinue use if mitigations are unavailable. Federal agencies must secure servers by April 30.
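The log search described above can be scripted. The following is an added example, not code from the original article, from Horizon3 or from the Apache ActiveMQ project: it scans broker log lines for vm:// transport URIs whose brokerConfig parameter points at an xbean definition fetched over HTTP. The sample log lines, hostnames and IP addresses are constructed for this example, the log line layout is an assumption about how the broker formats its messages, and the check is deliberately slightly broader than the page's indicator in that it also flags xbean:https:// and percent-encoded parameters.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample broker log lines for this example (not real ActiveMQ output).
# Line 3 carries the indicator named in the advisory: a vm:// transport URI whose
# brokerConfig parameter points at an xbean configuration served over HTTP.
SAMPLE_LOG = """\
2026-04-18 09:12:01,233 | INFO  | Connector vm://localhost started | org.apache.activemq.broker.TransportConnector
2026-04-18 09:12:05,910 | INFO  | Connector tcp://0.0.0.0:61616 started | org.apache.activemq.broker.TransportConnector
2026-04-18 11:40:22,004 | INFO  | Connector vm://broker?brokerConfig=xbean:http://198.51.100.23:8000/config.xml started | org.apache.activemq.broker.TransportConnector
2026-04-18 11:41:00,118 | WARN  | Transport Connection to: tcp://203.0.113.5:51234 failed | org.apache.activemq.broker.TransportConnection
"""

# A vm:// URI runs until whitespace or the next log field separator.
VM_URI = re.compile(r"vm://[^\s|]+")
# Leading timestamp in the assumed log layout (used only for reporting).
TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}[,.]\d+")


@dataclass
class Finding:
    line_no: int
    timestamp: Optional[str]
    uri: str
    broker_config: str


def broker_config_of(uri: str) -> Optional[str]:
    """Return the brokerConfig value of a vm:// URI, or None if the parameter is absent.

    Keys are compared case-insensitively and parse_qs percent-decodes the value,
    so an encoded parameter is still recognised.
    """
    query = urlsplit(uri).query
    for key, values in parse_qs(query, keep_blank_values=True).items():
        if key.lower() == "brokerconfig":
            return values[0]
    return None


def is_remote_xbean(value: str) -> bool:
    """True when the broker config would be loaded from a remote HTTP(S) location."""
    return value.lower().startswith(("xbean:http://", "xbean:https://"))


def scan_log(text: str) -> List[Finding]:
    """Return one Finding per vm:// URI that carries a remote xbean brokerConfig."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in VM_URI.finditer(line):
            uri = match.group(0)
            cfg = broker_config_of(uri)
            if cfg is not None and is_remote_xbean(cfg):
                ts = TIMESTAMP.match(line)
                findings.append(Finding(line_no, ts.group(0) if ts else None, uri, cfg))
    return findings


if __name__ == "__main__":
    import sys

    # Pass a broker log path as the first argument; otherwise scan the embedded sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in scan_log(text):
        print(f"line {f.line_no} [{f.timestamp}] {f.uri} -> brokerConfig={f.broker_config}")
```

A benign vm://localhost connector (line 1 of the sample) produces no finding; only the URI whose brokerConfig is fetched over HTTP is reported, together with its line number and timestamp for triage. Run it against each broker's activemq.log and treat any hit as a trigger for incident response on that host.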
Affected products:
Apache ActiveMQ Classic versions prior to 6.2.3
Apache ActiveMQ Classic versions prior to 5.19.4
Related links:
http://nvd.nist.gov/vuln/detail/CVE-2026-34197
https://horizon3.ai/attack-research/disclosures/cve-2026-34197-activemq-rce-jolokia/
http://activemq.apache.org/security-advisories.data/CVE-2026-34197-announcement.txt
https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=other_range&d1=2026-04-17&d2=2026-04-20&source=activemq&tag=cve-2026-34197%2B&dataset=unique_ips&group_by=geo&stacking=stacked&auto_update=on
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2026-34197
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=ActiveMQ&field_date_added_wrapper=all&field_cve=&sort_by=field_date_added&items_per_page=20&url=
https://nvd.nist.gov/vuln/detail/CVE-2016-3088
https://nvd.nist.gov/vuln/detail/CVE-2023-46604
Related CVEs:
Related threat actors:
IOCs:
Suspicious broker connections in ActiveMQ broker logs that use the internal VM transport protocol together with a brokerConfig=xbean:http:// query parameter
This article was created with the assistance of AI technology by Perceptive.
