ActiveMQ RCE Exploited

- Apache ActiveMQ is being actively exploited through a remote code execution flaw tracked as CVE-2026-34197.
- Security teams report more than 6,400 exposed ActiveMQ servers across Asia, North America, and Europe.
- Patches to 5.19.4 and 6.2.3 plus credential changes are urgent, and multiple advisories warn immediate remediation is required.

Apache ActiveMQ servers are being hacked through CVE-2026-34197, a code-execution flaw that lets an attacker run commands on the broker’s Java process. (activemq.apache.org) Apache said the bug affects ActiveMQ Broker releases before 5.19.4 and versions from 6.0.0 up to, but not including, 6.2.3. The project published fixed releases on March 31, 2026 for 5.19.4 and March 30, 2026 for 6.2.3. (activemq.apache.org 1) (activemq.apache.org 2)

ActiveMQ is message-broker software that moves data between applications, like a mailroom passing messages between systems that do not talk directly. In this case, Apache said a crafted discovery address can make the broker load a remote Spring configuration file and execute code through bean factory methods such as `Runtime.exec`. (activemq.apache.org)

The flaw is not a theoretical risk. The Cybersecurity and Infrastructure Security Agency said on April 16, 2026 that it added CVE-2026-34197 to its Known Exploited Vulnerabilities catalog based on evidence of active exploitation. (cisa.gov) CISA’s catalog entry gives U.S. federal agencies until May 4, 2026 to apply vendor mitigations or stop using the product if mitigations are unavailable. The agency lists the issue as an improper input validation vulnerability in Apache ActiveMQ. (cisa.gov)

Rapid7 rated the bug at CVSS 9.0 and said ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at `/api/jolokia/` on the web console. That matters because Jolokia is the HTTP doorway into Java management controls, and exposed management endpoints can turn an application bug into a direct path to server takeover. (rapid7.com)

Apache’s advisory says the attack requires an authenticated attacker, which makes credential hygiene part of the response, not just patching. Security teams tracking the incident have also warned administrators to rotate passwords after upgrading in case exposed consoles or reused credentials were already abused. (activemq.apache.org)

The version list adds another problem for defenders: several older ActiveMQ lines, including 6.0.x, 6.1.x, 5.18.x, 5.17.x and earlier 5.x branches, are marked deprecated on Apache’s download page. Organizations still running those branches may need a larger upgrade jump rather than a small patch. (activemq.apache.org)

Apache has already moved beyond the emergency fixes, releasing ActiveMQ 5.19.5 and 6.2.4 on April 8, 2026 as the latest supported patch levels. For administrators who have not acted yet, the immediate choices are still the same: get onto a fixed supported release, lock down exposed management access, and change credentials. (activemq.apache.org)
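An added example, not from the article or the Apache project: a triage helper that applies the affected ranges and deprecated branches stated above to a list of broker versions. The inventory, the status labels, treating pre-release builds of a fix version as unfixed, and suggesting the latest patch level of the same major line are assumptions.

```python
import re

# Version facts below come from the article; the inventory is constructed sample data.
# Fourth tuple field: 0 = pre-release build (e.g. -SNAPSHOT, -RC1), 1 = final release.
FIXED_5X = (5, 19, 4, 1)   # first fixed 5.x release
FIRST_6X = (6, 0, 0, 0)    # start of the affected 6.x range
FIXED_6X = (6, 2, 3, 1)    # first fixed 6.x release
LATEST = {5: "5.19.5", 6: "6.2.4"}  # latest supported patch levels named above


def parse_version(text):
    """'5.18.3' -> (5, 18, 3, 1); '6.2.3-SNAPSHOT' -> (6, 2, 3, 0)."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?([-.].+)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if suffix else 1)


def is_affected(v):
    # Before 5.19.4, or from 6.0.0 up to but not including 6.2.3.
    return v < FIXED_5X or FIRST_6X <= v < FIXED_6X


def on_deprecated_branch(v):
    # 6.0.x, 6.1.x, 5.18.x, 5.17.x and earlier 5.x are deprecated per the article.
    # Assumption: anything older than 5.x is treated the same way.
    major, minor = v[0], v[1]
    return major < 5 or (major == 5 and minor <= 18) or (major == 6 and minor <= 1)


def triage(version_text):
    """Return (status, suggested_target) for one broker version string."""
    v = parse_version(version_text)
    if not is_affected(v):
        return ("fixed", None)
    target = LATEST[6] if v[0] >= 6 else LATEST[5]
    status = "affected-branch-upgrade" if on_deprecated_branch(v) else "affected-patch"
    return (status, target)


# Constructed inventory: (host, reported broker version).
INVENTORY = [("mq-a", "5.18.3"), ("mq-b", "5.19.4"), ("mq-c", "6.1.2"),
             ("mq-d", "6.2.3-SNAPSHOT"), ("mq-e", "6.2.4")]

if __name__ == "__main__":
    for host, ver in INVENTORY:
        print(host, ver, *triage(ver))
```

A "fixed" result covers the version only; the article's other two actions, restricting management access and changing credentials, still apply to every broker.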
