Full Report
Bug hiding in plain sight for over a decade lands on KEV list CISA is sounding the alarm on a newly-exploited Apache ActiveMQ bug, ordering federal agencies to patch within two weeks as attackers circle a flaw that's been quietly lurking for more than a decade.…
Analysis Summary
# Vulnerability: Apache ActiveMQ Jolokia Remote Code Execution (RCE)
## CVE Details
- **CVE ID:** CVE-2026-34197
- **CVSS Score:** 8.8 (High) as an authenticated flaw; 9.8 (Critical) when chained into an unauthenticated attack.
- **CWE:** CWE-94 (Improper Control of Generation of Code) / CWE-502 (Deserialization of Untrusted Data)
## Affected Systems
- **Products:** Apache ActiveMQ "Classic"
- **Versions:** Versions prior to 5.18.6 (Legacy), 5.19.5, and 6.2.3.
- **Configurations:** Systems with the Jolokia management API enabled (standard in many default installations) and systems using default credentials (e.g., `admin:admin`).
- *Note:* Versions 6.0.0 through 6.1.1 are particularly vulnerable as they can be chained with CVE-2024-32114 to bypass authentication.
## Vulnerability Description
CVE-2026-34197 is a remote code execution vulnerability residing in the Jolokia management API component of Apache ActiveMQ. The flaw allows an authenticated attacker to invoke specific management operations that trick the message broker into fetching a malicious remote configuration file. Once the broker processes this external configuration, it can be leveraged to execute arbitrary Operating System (OS) commands. The vulnerability has reportedly existed in the codebase for approximately 13 years.
## Exploitation
- **Status:** Exploited in the wild (Added to CISA KEV list as of April 2026).
- **Complexity:** Low (Trivial if default credentials are used).
- **Attack Vector:** Network.
- **PoC Available:** Yes (Public research published by Horizon3.ai).
## Impact
- **Confidentiality:** High (Full access to system data).
- **Integrity:** High (Ability to modify system files and configurations).
- **Availability:** High (Ability to crash the service or seize control of the host).
## Remediation
### Patches
Update to the following versions or newer:
- **Apache ActiveMQ 5.19.5**
- **Apache ActiveMQ 6.2.3**
### Workarounds
- Change default administrative credentials immediately.
- Disable the Jolokia API if it is not required for operations.
- Restrict access to the ActiveMQ web console (typically port 8161) using firewall rules or ACLs to allow only trusted IP addresses.
## Detection
- **Indicators of Compromise:** Monitor for unusual outbound network connections from the ActiveMQ broker to unknown external IP addresses (indicative of fetching remote config files). Check logs for unauthorized access to the `/api/jolokia/` endpoint.
- **Detection Methods:** Vulnerability scanners (Nessus, Qualys) updated with CVE-2026-34197 signatures. Reviewing `admin.log` and `audit.log` for suspicious MBean operations.
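As an added example (not part of the original advisory or the ActiveMQ project), the following scanner applies the log-review guidance above to web-console access log lines: it flags requests to `/api/jolokia/` from sources outside an allowlist, Jolokia `exec` requests (MBean operation invocations), and operation arguments that carry a URL, which is what a remote configuration fetch would look like. The NCSA-style log layout, the `/api/jolokia/` prefix, the sample lines and the operation name `PLACEHOLDER_OP` are assumptions constructed for this example.

```python
import re
from urllib.parse import unquote

# Assumed log shape (constructed for this example): NCSA-style access log lines
# as a Jetty-based web console writes them. Adjust the regex to your layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
JOLOKIA_PREFIX = "/api/jolokia/"
# Jolokia GET requests encode the request type as the first segment after the prefix.
JOLOKIA_TYPES = {"read", "write", "exec", "list", "search", "version"}

def classify(line, trusted_ips):
    """Return (severity, reason) for one access-log line, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = unquote(m["path"])  # decode %-escapes so URLs in arguments are visible
    if not path.startswith(JOLOKIA_PREFIX):
        return None
    first = path[len(JOLOKIA_PREFIX):].split("/", 1)[0]
    kind = first if first in JOLOKIA_TYPES else "post"  # POST bodies carry the type
    reasons = []
    if m["ip"] not in trusted_ips:
        reasons.append(f"jolokia access from untrusted source {m['ip']}")
    if kind == "exec":
        reasons.append("MBean operation invoked via exec")
    if "http://" in path or "https://" in path:
        reasons.append("URL passed as operation argument (remote config fetch?)")
    if not reasons:
        return None
    severity = "high" if kind == "exec" or len(reasons) > 1 else "medium"
    return severity, "; ".join(reasons)

def scan(lines, trusted_ips):
    """Scan many lines; return a list of (line_no, severity, reason) hits."""
    return [(n, *r) for n, line in enumerate(lines, 1)
            if (r := classify(line, trusted_ips))]

# Constructed sample lines; PLACEHOLDER_OP stands in for a real operation name.
SAMPLE = [
    '10.0.0.5 - admin [02/Apr/2026:10:00:01 +0000] "GET /api/jolokia/read/java.lang:type=Memory HTTP/1.1" 200 512',
    '203.0.113.9 - admin [02/Apr/2026:10:00:07 +0000] "GET /api/jolokia/exec/org.apache.activemq:type=Broker,brokerName=localhost/PLACEHOLDER_OP/http%3A%2F%2F203.0.113.9%2Fconf.xml HTTP/1.1" 200 77',
    '203.0.113.9 - - [02/Apr/2026:10:00:09 +0000] "POST /api/jolokia/ HTTP/1.1" 401 0',
    '10.0.0.5 - - [02/Apr/2026:10:01:00 +0000] "GET /admin/index.jsp HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE, trusted_ips={"10.0.0.5"}):
        print(hit)
```

A trusted `read` request from the allowlisted host produces no hit, while the `exec` call carrying a URL from an unlisted address is reported as high severity.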
## References
- **Vendor Advisory:** hxxps[://]activemq[.]apache[.]org/security-advisories
- **Horizon3 Research:** hxxps[://]horizon3[.]ai/attack-research/disclosures/cve-2026-34197-activemq-rce-jolokia/
- **CISA KEV Catalog:** hxxps[://]www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog
- **ShadowServer Statistics:** hxxps[://]dashboard[.]shadowserver[.]org/statistics/combined/time-series/?source=activemq