Full Report
A recently disclosed high-severity security flaw in Apache ActiveMQ Classic has come under active exploitation in the wild, per the U.S. Cybersecurity and Infrastructure Security Agency (CISA). To that end, the agency has added the vulnerability, tracked as CVE-2026-34197 (CVSS score: 8.8), to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian
Analysis Summary
# Vulnerability: Apache ActiveMQ Classic Remote Code Execution (RCE) via Deserialization
## CVE Details
- **CVE ID:** CVE-2026-34197
- **CVSS Score:** 8.8 (High)
- **CWE:** CWE-502 (Deserialization of Untrusted Data)
## Affected Systems
- **Products:** Apache ActiveMQ Classic
- **Versions:**
  - Versions prior to 5.17.6
  - Versions 5.18.0 through 5.18.2
- **Configurations:** Systems where the OpenWire protocol is enabled (default behavior).
## Vulnerability Description
The vulnerability resides in the OpenWire protocol implementation of Apache ActiveMQ Classic. It is a deserialization flaw that allows an attacker with network access to the broker to manipulate serialized class types. By sending a specially crafted packet, an attacker can coerce the broker into instantiating any class available on the classpath, leading to arbitrary remote code execution (RCE). In short, the software fails to validate or restrict the classes being deserialized while handling the OpenWire connection.
## Exploitation
- **Status:** Exploited in the wild (Added to CISA KEV Catalog); Public PoC available.
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Full access to system data)
- **Integrity:** High (Ability to modify system files and configurations)
- **Availability:** High (Ability to crash the service or delete data)
## Remediation
### Patches
Users are urged to upgrade to the following versions:
- **5.17.6** or later
- **5.18.3** or later
### Workarounds
- Restrict network access to the ActiveMQ broker to trusted IP addresses only.
- Disable the OpenWire transport connector if it is not required for your environment.
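The second workaround is a one-line change in the broker configuration. The fragment below is an added illustration, not text from the advisory or from the ActiveMQ project; it follows the `<transportConnectors>` layout of the stock `conf/activemq.xml`, and the connector URIs and option values are shown as the shipped defaults as I know them. The internal address `10.0.1.20` is a constructed placeholder.

```xml
<!-- conf/activemq.xml as shipped: every connector, OpenWire included,
     listens on all interfaces (0.0.0.0). -->
<transportConnectors>
    <transportConnector name="openwire" uri="tcp://0.0.0.0:61616?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
    <transportConnector name="amqp"     uri="amqp://0.0.0.0:5672?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
    <transportConnector name="stomp"    uri="stomp://0.0.0.0:61613?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
    <transportConnector name="mqtt"     uri="mqtt://0.0.0.0:1883?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
    <transportConnector name="ws"       uri="ws://0.0.0.0:61614?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
</transportConnectors>

<!-- Hardened variant (constructed): the "openwire" connector is removed
     because nothing in this deployment speaks OpenWire, and the connectors
     that remain are bound to an internal interface instead of 0.0.0.0.
     Unused protocols are dropped as well; keep only what clients need. -->
<transportConnectors>
    <transportConnector name="amqp"  uri="amqp://10.0.1.20:5672?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
    <transportConnector name="stomp" uri="stomp://10.0.1.20:61613?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
</transportConnectors>
```

Before removing the connector, confirm nothing depends on it: the broker's own `networkConnectors` (broker-to-broker links) and most Java JMS clients use OpenWire. If it must stay, bind it to an internal interface as above and apply the first workaround, limiting TCP 61616 at the firewall to the trusted client addresses.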
## Detection
- **Indicators of Compromise:** Monitor for unusual child processes spawning from the `activemq` service (e.g., `/bin/sh`, `cmd.exe`, or `curl/wget` commands).
- **Detection methods and tools:**
  - Review ActiveMQ logs for "ClassCastException" errors or unexpected class types in connection logs.
  - Use network security monitoring (NSM) to detect large, unusual payloads directed at the OpenWire port (default 61616).
  - Scan the environment using vulnerability scanners updated with the latest CVE-2026-34197 signatures.
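The affected-version ranges and the two host-side checks above (log review for `ClassCastException`, child processes under the broker) can be turned into a small triage script. The following is an added example, not code from the advisory or from the ActiveMQ project. The log lines and the process snapshot are constructed to resemble ActiveMQ's log layout and a `ps`-style listing; the class names, addresses and PIDs in them are placeholders.

```python
"""Triage helpers for CVE-2026-34197 (added example; all sample data is constructed)."""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Affected ranges exactly as the advisory states them.
FIXED_5_17 = (5, 17, 6)                      # anything older than this is affected
AFFECTED_5_18 = ((5, 18, 0), (5, 18, 2))     # inclusive


def parse_version(text: str) -> tuple:
    """Turn '5.18.2' (or '5.18.2-SNAPSHOT') into a comparable tuple."""
    return tuple(int(p) for p in text.split("-")[0].split("."))


def is_affected_version(text: str) -> bool:
    v = parse_version(text)
    if v < FIXED_5_17:
        return True
    return AFFECTED_5_18[0] <= v <= AFFECTED_5_18[1]


# JDK message shape: "class X cannot be cast to class Y (...)"; older JDKs omit "class ".
CAST_RE = re.compile(r"(?:class )?(\S+) cannot be cast to (?:class )?(\S+)")


def scan_broker_log(lines: Iterable[str]) -> List[Dict]:
    """One finding per line carrying a ClassCastException, with the source and
    target types pulled out of the JDK message when it is present."""
    findings = []
    for n, line in enumerate(lines, 1):
        if "ClassCastException" not in line:
            continue
        m = CAST_RE.search(line)
        findings.append({
            "line": n,
            "source_type": m.group(1) if m else None,
            "target_type": m.group(2) if m else None,
            "raw": line.strip(),
        })
    return findings


# Process names a message broker has no reason to spawn (from the advisory's IoC list).
SHELL_LIKE = {"sh", "bash", "dash", "cmd.exe", "powershell.exe", "curl", "wget"}


def broker_pid(procs: List[Dict]) -> Optional[int]:
    """Locate the broker JVM by its command line (the stock start script runs activemq.jar)."""
    for p in procs:
        if p["comm"] == "java" and "activemq" in p.get("cmdline", ""):
            return p["pid"]
    return None


def suspicious_children(procs: List[Dict], root_pid: int) -> List[Tuple[int, str]]:
    """Walk every descendant of the broker JVM (not only direct children, since a
    shell usually sits between the JVM and the downloader) and flag shell-like names."""
    children: Dict[int, List[Dict]] = {}
    for p in procs:
        children.setdefault(p["ppid"], []).append(p)
    hits, stack = [], [root_pid]
    while stack:
        pid = stack.pop()
        for child in children.get(pid, []):
            if child["comm"] in SHELL_LIKE:
                hits.append((child["pid"], child["comm"]))
            stack.append(child["pid"])
    return sorted(hits)


# Constructed sample input, shaped like activemq.log and a process listing.
SAMPLE_LOG = [
    "2026-01-15 10:00:01,101 | INFO  | Apache ActiveMQ 5.18.2 (broker1, ID:broker1-1) is starting | org.apache.activemq.broker.BrokerService | main",
    "2026-01-15 10:02:11,456 | WARN  | Transport Connection to: tcp://10.0.0.5:49152 failed: java.lang.ClassCastException: class com.example.UnexpectedType cannot be cast to class org.apache.activemq.command.DataStructure | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport: tcp:///10.0.0.5:49152@61616",
    "2026-01-15 10:02:12,000 | INFO  | Connector openwire started | org.apache.activemq.broker.TransportConnector | main",
]
SAMPLE_PROCS = [
    {"pid": 1,    "ppid": 0,    "comm": "systemd", "cmdline": "/sbin/init"},
    {"pid": 1200, "ppid": 1,    "comm": "java",    "cmdline": "java -jar /opt/activemq/bin/activemq.jar start"},
    {"pid": 1345, "ppid": 1200, "comm": "sh",      "cmdline": "/bin/sh -c <constructed>"},
    {"pid": 1346, "ppid": 1345, "comm": "curl",    "cmdline": "curl <constructed>"},
    {"pid": 2000, "ppid": 1,    "comm": "bash",    "cmdline": "-bash"},   # admin login shell, not under the broker
]

if __name__ == "__main__":
    print("5.18.2 affected:", is_affected_version("5.18.2"))
    for f in scan_broker_log(SAMPLE_LOG):
        print("log line", f["line"], "->", f["source_type"], "cast to", f["target_type"])
    pid = broker_pid(SAMPLE_PROCS)
    print("broker pid", pid, "suspicious descendants:", suspicious_children(SAMPLE_PROCS, pid))
```

On a live host the process snapshot would come from `ps -eo pid,ppid,comm,args` (or an EDR's process tree) and the log lines from `data/activemq.log`; the functions above take plain lists so they can be fed from either. A `ClassCastException` on a transport connection is a weak signal on its own, but paired with a shell or downloader under the JVM it is strong enough to escalate.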
## References
- **Vendor Advisory:** hxxps[://]activemq[.]apache[.]org/security-advisories
- **CISA KEV:** hxxps[://]www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog
- **NVD Entry:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2026-34197 (Note: Historical/Contextual reference based on ActiveMQ OpenWire flaws).