The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned on Thursday that a high-severity Apache ActiveMQ vulnerability patched earlier this month now faces active exploitation in attacks.
What Makes Apache ActiveMQ Critical
Meanwhile, Apache ActiveMQ remains the most popular open-source Java-based message broker for asynchronous communication between applications, which increases its exposure and risk surface.
Notably, researchers track the flaw as CVE-2026-34197, which stayed undetected for 13 years. Naveen Sunkavally, a researcher at Horizon3, discovered the issue using the Claude AI assistant.
How the Vulnerability Works
Specifically, Sunkavally explained that the vulnerability stems from improper input validation, which allows authenticated threat actors to execute arbitrary code via injection attacks.
Subsequently, Apache maintainers patched the vulnerability on March 30 in ActiveMQ Classic versions 6.2.3 and 5.19.4.
“We recommend organizations running ActiveMQ treat this as a high priority, as ActiveMQ has been a repeated target for real-world attackers, and methods for exploitation and post-exploitation of ActiveMQ are well-known,” Horizon3 warned.
At the same time, the ShadowServer threat monitoring service currently tracks more than 7,500 Apache ActiveMQservers exposed online.
ActiveMQ servers exposed online (Shadowserver)
Then, on Thursday, CISA added CVE-2026-34197 to its Known Exploited Vulnerabilities (KEV) Catalog and ordered Federal Civilian Executive Branch (FCEB) agencies to patch ActiveMQ servers within two weeks, by April 30, as mandated by Binding Operational Directive (BOD) 22-01.
Detection and Mitigation Guidance
Additionally, Horizon3 researchers said that analysts can find signs of exploitation by analyzing ActiveMQ broker logs and recommended looking for suspicious broker connections that use the brokerConfig=xbean:http:// query parameter and the internal transport protocol VM.
“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” the cybersecurity agency warned.
“Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.”
Furthermore, the agency urged private-sector defenders to prioritize patching for CVE-2026-35616 and to secure their organizations’ networks as soon as possible, even though BOD 22-01 applies only to U.S. federal agencies.
CISA previously tagged two other Apache ActiveMQ vulnerabilities as exploited in the wild, tracked as CVE-2023-46604 and CVE-2016-3088, with the former targeted by the TellYouThePass ransomware gang as a zero-day flaw.
Source: BleepingComputer, Sergiu Gatlan
Read more at Impreza News
