
Apache ActiveMQ CVE-2026-34197 Added to CISA KEV Amid Active Exploitation

A recently disclosed high-severity security flaw in Apache ActiveMQ Classic has come under active exploitation in the wild, per the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

To that end, the agency has added the vulnerability, tracked as CVE-2026-34197 (CVSS score: 8.8), to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by April 30, 2026.

CVE-2026-34197 has been described as a case of improper input validation that could lead to code injection, effectively allowing an attacker to execute arbitrary code on vulnerable installations. According to Horizon3.ai’s Naveen Sunkavally, CVE-2026-34197 has been “hiding in plain sight” for 13 years.

“An attacker can invoke a management operation through ActiveMQ’s Jolokia API to trick the broker into fetching a remote configuration file and running arbitrary OS commands,” Sunkavally added.

“The vulnerability requires credentials, but default credentials (admin:admin) are common in many environments. On some versions (6.0.0–6.1.1), no credentials are required at all due to another vulnerability, CVE-2024-32114, which inadvertently exposes the Jolokia API without authentication. In those versions, CVE-2026-34197 is effectively an unauthenticated RCE.”


The vulnerability impacts the following versions:

  • Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) before 5.19.4
  • Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 6.0.0 before 6.2.3
  • Apache ActiveMQ (org.apache.activemq:activemq-all) before 5.19.4
  • Apache ActiveMQ (org.apache.activemq:activemq-all) 6.0.0 before 6.2.3

Users are advised to upgrade to version 5.19.4 or 6.2.3, which addresses the issue. There are currently no details on how CVE-2026-34197 is being exploited in the wild, but SAFE Security, in a report published this week, revealed that threat actors are actively targeting exposed Jolokia management endpoints in Apache ActiveMQ Classic deployments.
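The version ranges listed above can be applied to a dependency inventory to triage which brokers need the upgrade first. This is an added example, not code from the original article or from Apache; the `group:artifact:version` input format, the status labels and the sample inventory are assumptions constructed for illustration.

```python
import re

# Affected ranges as listed in the article: low <= version < fixed
AFFECTED = [((0, 0, 0), (5, 19, 4)), ((6, 0, 0), (6, 2, 3))]
# Versions the article says expose Jolokia without authentication
# (CVE-2024-32114); inclusive on both ends.
NO_AUTH = ((6, 0, 0), (6, 1, 1))
ARTIFACTS = {"org.apache.activemq:activemq-broker",
             "org.apache.activemq:activemq-all"}

def parse_version(text):
    """Return ((major, minor, patch), qualifier) or None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(.*)$", text.strip())
    if not m:
        return None
    nums = tuple(int(p or 0) for p in m.groups()[:3])
    return nums, m.group(4)

def classify(coordinate):
    """Classify one 'group:artifact:version' coordinate (assumed format)."""
    group_artifact, _, version = coordinate.rpartition(":")
    if group_artifact not in ARTIFACTS:
        return "not-applicable"
    parsed = parse_version(version)
    if parsed is None:
        return "unknown-version"
    v, qualifier = parsed
    fixed_releases = {fixed for _, fixed in AFFECTED}
    # A qualified build of a fixed release (e.g. -SNAPSHOT) may predate the fix.
    if qualifier and v in fixed_releases:
        return "verify-manually"
    if not any(low <= v < fixed for low, fixed in AFFECTED):
        return "fixed"
    if NO_AUTH[0] <= v <= NO_AUTH[1]:
        return "affected-unauthenticated"
    return "affected"

def triage(inventory):
    """Map each coordinate in an inventory to its status."""
    return {coord: classify(coord) for coord in inventory}

if __name__ == "__main__":
    # Constructed sample inventory, not taken from any real environment.
    sample = [
        "org.apache.activemq:activemq-broker:5.18.3",
        "org.apache.activemq:activemq-all:6.1.0",
        "org.apache.activemq:activemq-broker:6.2.3",
    ]
    for coord, status in triage(sample).items():
        print(f"{status:26} {coord}")
```

Entries reported as `affected-unauthenticated` correspond to the 6.0.0–6.1.1 range where the article notes no credentials are needed, so they warrant the earliest attention.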

The findings once again demonstrate that exploitation timelines continue to collapse as attackers pounce upon newly disclosed vulnerabilities at an alarmingly faster rate and breach systems before they can be patched.

Apache ActiveMQ is a popular target for attack, with flaws in the open-source message broker repeatedly exploited in various malware campaigns since 2021. In August 2025, a critical vulnerability in ActiveMQ (CVE-2023-46604, CVSS score: 10.0) was weaponized by unknown actors to drop a Linux malware called DripDropper.


“Given ActiveMQ’s role in enterprise messaging and data pipelines, exposed management interfaces present a high-impact risk, potentially enabling data exfiltration, service disruption, or lateral movement,” SAFE Security said. “Organizations should audit all deployments for externally accessible Jolokia endpoints, restrict access to trusted networks, enforce strong authentication, and disable Jolokia where it isn’t required.”
