ActiveMQ added to CISA KEV

- Apache ActiveMQ Classic was added to CISA’s Known Exploited Vulnerabilities list after reports of active exploitation.
- The issue is tracked as CVE-2026-34197 and requires urgent remediation and tracking.
- Internal teams must find affected instances, assign owners, manage emergency changes, and preserve audit evidence (edr.com.mx).

A newly exploited Apache ActiveMQ Classic bug is now on the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities list, putting federal patch deadlines on a widely used message broker. (cisa.gov) CISA added CVE-2026-34197 to the catalog on April 16, 2026, and set an April 30, 2026 due date for federal civilian agencies to apply vendor mitigations or stop using affected products. (cisa.gov) Apache says the flaw affects ActiveMQ Classic before 5.19.4 and versions 6.0.0 through 6.2.2, and it recommends upgrading to 5.19.4 or 6.2.3. (activemq.apache.org)

ActiveMQ is software that moves messages between applications, like a mailroom passing requests between systems that do not talk directly. Apache describes it as an open-source, Java-based message broker used across multiple programming languages and platforms. (activemq.apache.org)

The vulnerable part is the web console’s Jolokia interface, which turns Java management functions into web requests. Apache and the National Vulnerability Database say an attacker can abuse that interface to make the broker load a remote Spring XML file and execute code inside the Java process. (nvd.nist.gov) Apache classifies the issue as requiring authentication, but Horizon3.ai said default “admin:admin” credentials are still common and that some 6.0.0 through 6.1.1 deployments can be exposed without credentials because of CVE-2024-32114. (activemq.apache.org) (horizon3.ai)

Horizon3.ai published its technical write-up on April 7, 2026 and said the bug had been present for 13 years. The firm credited researcher Naveen Sunkavally, and Apache’s advisory lists Sunkavally as the finder. (horizon3.ai) (activemq.apache.org)

The bug sits in ActiveMQ Classic, not ActiveMQ Artemis, the newer broker line. Horizon3.ai said Classic’s web console on port 8161 exposes Jolokia, and Apache’s Classic security page shows a string of earlier remote-code-execution and Jolokia-related flaws, including CVE-2023-46604 and CVE-2022-41678. (horizon3.ai) (activemq.apache.org)

Apache released ActiveMQ Classic 6.2.2 on March 24, 2026, then followed with 6.2.3 as the fixed version for this issue. That leaves organizations that moved to 6.2.x in late March needing to verify whether they are still one version short of the patch. (activemq.apache.org 1) (activemq.apache.org 2)

For defenders, the immediate work is basic but time-sensitive: find every ActiveMQ Classic instance, check whether the web console and Jolokia are exposed, rotate weak credentials, and document emergency changes before the April 30 deadline hits federal agencies. (cisa.gov) (activemq.apache.org)
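
The inventory check described above can be scripted. The following is an added example, not code from the article, Apache or CISA: a Python triage of a constructed inventory against the affected ranges the article cites. The host names, CSV column names and triage labels are hypothetical.

```python
import csv
import io
import re

# Ranges as the article reports them from Apache's advisory:
# ActiveMQ Classic before 5.19.4, and 6.0.0 through 6.2.2.
FIXED_5X = (5, 19, 4)
AFFECTED_6X = ((6, 0, 0), (6, 2, 2))

# Constructed sample inventory (hypothetical hosts, columns and versions).
SAMPLE_INVENTORY = """host,product,version,console_8161_reachable
mq-01.example.internal,classic,5.18.3,yes
mq-02.example.internal,classic,6.2.2,no
mq-03.example.internal,classic,6.2.3,yes
mq-04.example.internal,artemis,2.40.0,yes
mq-05.example.internal,classic,5.19.4,no
mq-06.example.internal,classic,unknown,yes
"""

def parse_version(text):
    """Return (major, minor, patch), or None if not a plain x.y.z string."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(g) for g in m.groups()) if m else None

def classify(row):
    """Map one inventory row to a triage label."""
    if row["product"].strip().lower() != "classic":
        # Artemis 2.x would otherwise compare as "older than 5.19.4".
        return "not-classic"
    v = parse_version(row["version"])
    if v is None:
        return "verify-version"  # no usable version recorded: check by hand
    affected = v < FIXED_5X or AFFECTED_6X[0] <= v <= AFFECTED_6X[1]
    if not affected:
        return "fixed"
    exposed = row["console_8161_reachable"].strip().lower() == "yes"
    return "urgent-exposed" if exposed else "patch"

def triage(inventory_csv):
    """Return {host: label} for every row of the inventory."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["host"]: classify(row) for row in reader}

if __name__ == "__main__":
    for host, label in triage(SAMPLE_INVENTORY).items():
        print(f"{label:15} {host}")
```

The 6.2.2 row is the late-March case from the article: a recent upgrade that is still one version short of the fix.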
