Researcher: Jolokia misconfiguration exposes ~7,000 Apache ActiveMQ instances to RCE
- Alexander Leonov wrote on May 14 that Apache ActiveMQ’s Jolokia integration can expose brokers to remote code execution through CVE-2026-34197. (avleonov.com)
- Leonov cited about 7,000 internet-exposed servers from Shadowserver data, while Apache said affected ActiveMQ Classic versions include releases before 5.19.4 and 6.2.3. (avleonov.com)
- CISA added CVE-2026-34197 to its KEV catalog on April 16, and Apache’s advisory page now also lists CVE-2026-40466. (cisa.gov)
Alexander Leonov, a vulnerability management researcher, wrote on May 14 that Apache ActiveMQ deployments exposed through Jolokia remain broadly reachable on the public internet and vulnerable to remote code execution in some configurations. Apache’s advisory for CVE-2026-34197 says the flaw sits in ActiveMQ Classic’s Jolokia JMX-HTTP bridge and can let an authenticated attacker execute code on the broker’s Java virtual machine by invoking management operations with a crafted discovery URI. (avleonov.com)

CISA added the bug to its Known Exploited Vulnerabilities catalog on April 16, citing evidence of active exploitation. Leonov said exploitation in the wild was observed on April 13 and cited Shadowserver data showing about 7,000 exposed servers as of May 14. (cisa.gov)

### How does the Jolokia path lead to code execution?

Apache said CVE-2026-34197 affects ActiveMQ Classic because the broker exposes the Jolokia bridge at `/api/jolokia/` on the web console. The default Jolokia access policy permits `exec` operations on ActiveMQ MBeans, including `BrokerService.addNetworkConnector(String)` and `BrokerService.addConnector(String)`, according to Apache’s advisory. Naveen Sunkavally of Horizon3.ai wrote on April 7 that an attacker can use those management operations to make the broker fetch a remote Spring XML application context and run arbitrary operating-system commands. Apache’s advisory says the code execution occurs before BrokerService validates the configuration because Spring instantiates singleton beans first. (avleonov.com)

### Which ActiveMQ versions are in scope?

Apache’s advisory says the issue affects ActiveMQ Broker and ActiveMQ packages before version 5.19.4 and from 6.0.0 before 6.2.3. The same advisory recommends upgrading to 5.19.4 or 6.2.3. Horizon3.ai said patched versions are 5.19.6 and 6.2.5, and Leonov repeated that discrepancy in his May 14 post, saying it is better to install the newer releases. (activemq.apache.org) That is Leonov’s characterization of the version gap, based on Apache’s bulletin and Horizon3.ai’s write-up.

### Why did researchers say some systems may not need credentials to be attacked?

Horizon3.ai said CVE-2026-34197 normally requires credentials, but default credentials such as `admin:admin` are common in many environments. (horizon3.ai) The firm added that ActiveMQ Classic versions 6.0.0 through 6.1.1 can expose the Jolokia API without authentication because of CVE-2024-32114, making CVE-2026-34197 “effectively an unauthenticated RCE” on those systems. (activemq.apache.org) Leonov made the same point in his May 14 post. Apache’s security page lists CVE-2024-32114 as a separate issue in which Jolokia and the REST API were not secured with the default configuration. That means exposure depends not only on the new CVE but also on which ActiveMQ Classic branch is running and how the management interface is configured. (avleonov.com)

### Where does the 7,000-server figure come from?

Leonov said the Shadowserver Foundation’s data showed about 7,000 vulnerable Apache ActiveMQ servers exposed on the internet as of May 14. Shadowserver’s public description of its Accessible ActiveMQ Service Report says it tags systems for CVE-2026-34197 using version-based checks and added that tagging on April 17. (horizon3.ai) Shadowserver said its scan identifies accessible Apache ActiveMQ servers on port 61616/TCP by sending an OpenWire “hello” and checking for a BrokerInfo response, and that it does not perform intrusive checks. The group said organizations receiving reports tagged for CVE-2026-34197 should investigate for compromise and patch. (activemq.apache.org)

### What has happened since the first disclosure?

CISA said on April 16 that it added CVE-2026-34197 to the KEV catalog based on evidence of active exploitation. Apache’s ActiveMQ Classic security page now also lists CVE-2026-40466, described as a possible bypass of the fix for CVE-2026-34197 via an HTTP discovery second-stage URI, alongside CVE-2026-41044, another Jolokia-related RCE issue. (avleonov.com) Apache’s advisory page remains the primary vendor source for affected versions and remediation, while CISA’s KEV entry remains the clearest public signal that exploitation has moved beyond proof-of-concept code. Shadowserver said its report tagging for CVE-2026-34197 began on April 17, and Leonov’s latest count was dated May 14. (shadowserver.org) (activemq.apache.org) (cisa.gov)
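The version ranges quoted above (Apache's affected ranges, Horizon3.ai's preferred patch levels, and the 6.0.0 through 6.1.1 branch where Jolokia can be reached without authentication) can be turned into a triage routine for an inventory. This is an added example, not code from the article, Apache, Horizon3.ai or Shadowserver; the mapping of those ranges onto version tuples and the priority labels are assumptions made here.

```python
"""Version triage for the CVE-2026-34197 ranges the article quotes.

Added example. Assumed mapping of the quoted ranges onto x.y.z tuples:
  - Apache advisory: affected if v < 5.19.4, or 6.0.0 <= v < 6.2.3
  - Horizon3.ai patch levels the article prefers: 5.19.6 and 6.2.5
  - Jolokia reachable without auth (CVE-2024-32114): 6.0.0 <= v <= 6.1.1
"""
import re

FIXED_APACHE = {5: (5, 19, 4), 6: (6, 2, 3)}
FIXED_PREFERRED = {5: (5, 19, 6), 6: (6, 2, 5)}


def parse_version(text):
    """Pull the first x.y.z out of a version or banner string, e.g. 'ActiveMQ/5.18.3'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def triage(version_text):
    """Classify one ActiveMQ Classic version against the ranges above."""
    v = parse_version(version_text)
    affected = v < FIXED_APACHE[5] or (6, 0, 0) <= v < FIXED_APACHE[6]
    unauth_jolokia = (6, 0, 0) <= v <= (6, 1, 1)
    below_preferred = v < FIXED_PREFERRED[5] or (6, 0, 0) <= v < FIXED_PREFERRED[6]
    # Upgrade target on the same major line; nothing to do at or above 6.2.5.
    target = None
    if below_preferred:
        target = "%d.%d.%d" % FIXED_PREFERRED[5 if v[0] < 6 else 6]
    if affected and unauth_jolokia:
        priority = "critical"   # exploitable without credentials per Horizon3.ai
    elif affected:
        priority = "high"       # needs credentials; defaults like admin:admin are common
    elif below_preferred:
        priority = "review"     # fixed per Apache, but older than Horizon3.ai's levels
    else:
        priority = "ok"
    return {"version": "%d.%d.%d" % v, "cve_2026_34197": affected,
            "jolokia_unauthenticated": unauth_jolokia,
            "upgrade_to": target, "priority": priority}


if __name__ == "__main__":
    for banner in ("ActiveMQ/5.18.3", "6.1.0", "6.2.3", "5.19.6"):
        print(triage(banner))
```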
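For the "How does the Jolokia path lead to code execution?" section, a defender's first question is whether the web console's request log shows `exec` calls to the two BrokerService operations the advisory names. This added example (not from the article or any vendor) runs that check over constructed access-log lines; it assumes the standard Jetty NCSA request-log layout and that Jolokia GET requests carry the operation in the URL, while POST bodies are not logged and are only flagged for follow-up.

```python
"""Flag Jolokia exec calls to the BrokerService operations Apache's advisory names.

Added example. Assumes NCSA-style request-log lines. Jolokia's "!" escaping of
slashes inside MBean names is not handled; ActiveMQ's Broker MBean name has none.
"""
import re
from urllib.parse import unquote

HIGH_RISK_OPS = ("addNetworkConnector", "addConnector")  # named in the advisory
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def classify(line):
    """Return (verdict, detail) for one log line, or None if it is not Jolokia traffic."""
    m = LOG_RE.match(line)
    if not m or "/api/jolokia" not in m["path"]:
        return None
    path = unquote(m["path"])          # operation may arrive percent-encoded
    if m["method"] == "POST":
        return ("review", f"{m['src']} POST to Jolokia; request body not logged")
    if "/exec/" not in path:
        kind = path.split("/api/jolokia/", 1)[1].split("/")[0]   # read, list, ...
        return ("info", f"{m['src']} {kind}")
    parts = path.split("/exec/", 1)[1].split("/")   # <mbean>/<operation>/<args...>
    op = parts[1] if len(parts) > 1 else ""
    if any(op.startswith(name + "(") for name in HIGH_RISK_OPS):
        return ("alert", f"{m['src']} user={m['user']} exec {op} status={m['status']}")
    return ("review", f"{m['src']} exec {op}")


def scan(lines):
    """Run classify() over an iterable of lines, dropping non-Jolokia traffic."""
    return [r for r in (classify(ln) for ln in lines) if r]


# Constructed sample lines (RFC 5737 test addresses, placeholder argument).
SAMPLE = [
    '10.0.0.5 - - [14/May/2026:09:12:01 +0000] "GET /api/jolokia/read/org.apache.activemq:type=Broker,brokerName=localhost/TotalEnqueueCount HTTP/1.1" 200 184',
    '203.0.113.7 - admin [14/May/2026:09:13:44 +0000] "GET /api/jolokia/exec/org.apache.activemq:type=Broker,brokerName=localhost/addNetworkConnector(java.lang.String)/PLACEHOLDER-URI HTTP/1.1" 200 96',
    '203.0.113.7 - admin [14/May/2026:09:13:50 +0000] "POST /api/jolokia/ HTTP/1.1" 200 120',
    '10.0.0.8 - - [14/May/2026:09:14:02 +0000] "GET /admin/index.jsp HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for verdict, detail in scan(SAMPLE):
        print(verdict, detail)
```

An "alert" with a 200 status on a broker in the affected range is a compromise indicator to investigate, in line with Shadowserver's advice above; the check is a starting point, not a replacement for patching.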