Shadowserver: 6,364 Apache ActiveMQ brokers exposed to Jolokia RCE

- Shadowserver said this week that 6,364 internet-exposed Apache ActiveMQ brokers are still reachable with the Jolokia attack surface tied to CVE-2026-34197.
- The bug lets an authenticated user hit ActiveMQ MBeans through `/api/jolokia/` and turn methods like `addConnector` or `addNetworkConnector` into code execution.
- CISA put CVE-2026-34197 in KEV on April 16, 2026, making exposed brokers an urgent patch-or-isolate problem.

Apache ActiveMQ is message-broker software — the kind of plumbing that quietly moves data between apps, services, and internal systems. That makes a broker compromise unusually useful to an attacker. You are not just landing on one box. You are landing on something that often sits in the middle of a lot of trusted traffic. This week, Shadowserver said 6,364 publicly reachable ActiveMQ brokers are still exposed in ways that line up with the Jolokia-based remote-code-execution bug CVE-2026-34197. (shadowserver.org)

### What is the bug, exactly?

The flaw is in ActiveMQ Classic’s exposure of the Jolokia JMX-HTTP bridge at `/api/jolokia/`. Jolokia is basically a web wrapper around Java management functions. In vulnerable setups, the default access policy allows `exec` calls on ActiveMQ MBeans, including `BrokerService.addNetworkConnector(String)` (shadowserver.org)ate connections or load attacker-controlled endpoints — which turns a management feature into code execution. (activemq.apache.org)

### Why does “authenticated” still sound bad?

Because “authenticated” does not mean “safe.” Many ActiveMQ deployments leave the web console reachable from networks that were assumed to be internal, or they reuse weak credentials, inherited admin access, or flat network trust. Once an attacker has any valid path in, Jolokia gives them a ver(activemq.apache.org)t radius can grow fast. (activemq.apache.org)

### What changed this month?

CISA added CVE-2026-34197 to the Known Exploited Vulnerabilities catalog on April 16, 2026, which means there is evidence of active exploitation in the wild. The KEV entry now shows a due date of May 3, 2026 for federal civilian agencies to remediate. That is the signal that moved this from “serious bug” to “actively abused bug with a clock on it.” (cisa.gov)

### Which versions are in the danger zone?

Apache lists affected ActiveMQ Classic lines as 6.x before 6.1.7, 6.0.x before 6.0.3, 5.18.x before 5.18.7, 5.17.x before 5.17.8, 5.16.x before 5.16.9, and 5.15.x before 5.15.18. There is also a follow-on issue — CVE-2026-40466 — for a possible bypass of the original fix through an HTTP dis(cisa.gov)ory. (activemq.apache.org)

### Why is Shadowserver’s number a big deal?

Because 6,364 exposed brokers is not a theoretical population in a lab. It is a live internet attack surface. Shadowserver’s reporting page for accessible ActiveMQ services explicitly tags events for CVE-2026-34197 as critical and tells recipients to investigate for compromise and patch. In other words, this is not just “please update when convenient.” It is “you may already have a problem.” (shadowserver.org)

### What should defenders do first?

Patch to a fixed release, then verify that Jolokia and the web console are not exposed where they do not need to be. Restrict access to trusted sources only, rotate any credentials that may have been exposed or reused, and check for suspicious connectors or network-bridge changes. A broker is a bit(shadowserver.org)

### What is the bottom line?

The real story is not just one ActiveMQ bug. It is that management interfaces keep escaping onto the public internet, and attackers keep turning “admin convenience” into execution paths. CVE-2026-34197 matters because ActiveMQ brokers often sit in exactly the wrong place to be casually exposed — deep enough to be trusted, central enough to be valuable. (activemq.apache.org)
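The affected release lines listed above, applied as a fleet triage check that orders brokers for the patch-or-isolate work. This is an added example, not code from Apache, Shadowserver or the original article; the inventory, its hostnames and the `jolokia_public` field are constructed assumptions.

```python
import re

# Fixed patch level per ActiveMQ Classic release line, as listed in the article
# for CVE-2026-34197. Lines not named there are reported as "unlisted", not safe.
FIXED_PATCH = {(6, 1): 7, (6, 0): 3, (5, 18): 7, (5, 17): 8, (5, 16): 9, (5, 15): 18}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(-[\w.]+)?")

def classify(version):
    """Return 'affected', 'fixed', 'unlisted' or 'unparsed' for a version string."""
    m = VERSION_RE.fullmatch(version.strip())
    if not m:
        return "unparsed"
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return "unlisted"
    # A qualifier (e.g. -SNAPSHOT) on the fixed version is a pre-release: treat as affected.
    if patch < fixed or (patch == fixed and m.group(4)):
        return "affected"
    return "fixed"

def triage(inventory):
    """Order brokers for remediation: affected and internet-reachable first."""
    rank = {"affected": 0, "unparsed": 1, "unlisted": 1, "fixed": 2}
    rows = []
    for broker in inventory:
        status = classify(broker["version"])
        if status == "affected" and broker["jolokia_public"]:
            action = "patch or isolate now, investigate for compromise"
        elif status == "affected":
            action = "patch, confirm /api/jolokia/ stays restricted"
        elif status == "fixed":
            action = "verify console exposure and credentials"
        else:
            action = "check version manually against the Apache advisory"
        rows.append((rank[status], not broker["jolokia_public"], broker["host"], status, action))
    return [(host, status, action) for _, _, host, status, action in sorted(rows)]

# Constructed inventory (hostnames and versions are made up for the example).
INVENTORY = [
    {"host": "mq-a.example.internal", "version": "6.1.7", "jolokia_public": False},
    {"host": "mq-b.example.internal", "version": "5.18.6", "jolokia_public": True},
    {"host": "mq-c.example.internal", "version": "6.0.2", "jolokia_public": False},
    {"host": "mq-d.example.internal", "version": "5.14.5", "jolokia_public": True},
]

if __name__ == "__main__":
    for host, status, action in triage(INVENTORY):
        print(f"{host:24} {status:9} {action}")
```

A "fixed" result covers only the CVE-2026-34197 version lines given above; it says nothing about the follow-on CVE-2026-40466.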
