Shadowserver finds 6,364 ActiveMQ instances
- Shadowserver said its April 19 scans found 6,364 internet-exposed Apache ActiveMQ servers vulnerable to CVE-2026-34197, an actively exploited code-injection flaw.
- Apache then disclosed follow-on ActiveMQ bugs, including CVE-2026-40466, a patch bypass fixed in versions 5.19.6 and 6.2.5.
- CISA added CVE-2026-34197 to its exploited-vulnerabilities catalog and set a May 8 federal deadline. (cisa.gov)
Apache ActiveMQ is software that passes messages between applications, like a mailroom for Java systems. Shadowserver said 6,364 internet-exposed ActiveMQ servers matched a vulnerable version on April 19. (shadowserver.org 1) (shadowserver.org 2)

The flaw Shadowserver flagged is CVE-2026-34197, a code-injection bug in ActiveMQ Classic that Apache patched on March 30 in versions 5.19.4 and 6.2.3. CISA said on April 16 that the bug was already being exploited. (activemq.apache.org) (cisa.gov)

Shadowserver says its check is version-based, not an intrusive exploit attempt. It probes the OpenWire service on port 61616, reads the broker version, and tags systems that match vulnerable releases. (shadowserver.org)

Apache ActiveMQ’s recent bugs center on Jolokia, a web bridge into Java management controls. In plain terms, Jolokia can expose broker admin functions over HTTP, and several 2026 advisories say authenticated users could turn those controls into remote code execution. (activemq.apache.org 1) (activemq.apache.org 2)

Apache published a second warning, CVE-2026-40466, after the first fix. The advisory says an authenticated attacker could bypass the CVE-2026-34197 patch through an HTTP discovery connector and then load a remote Spring XML context to run code on the broker’s Java virtual machine. (activemq.apache.org) That bypass affects ActiveMQ releases before 5.19.6 and 6.2.5, which means some systems patched for the March bug still needed another update in April.

Apache’s security page also lists CVE-2026-41044, another authenticated remote-code-execution issue via a Jolokia-exposed DestinationView management bean, and CVE-2026-41043, a queue-browsing cross-site scripting bug in the web console. (activemq.apache.org 1) (activemq.apache.org 2) (activemq.apache.org 3)

BleepingComputer reported that Shadowserver’s exposed-vulnerable count was concentrated in Asia, North America, and Europe. The same report said CISA ordered Federal Civilian Executive Branch agencies to secure affected servers by April 30 after first adding the flaw to the Known Exploited Vulnerabilities program. (bleepingcomputer.com) (cisa.gov) CISA’s catalog now lists CVE-2026-34197 with a May 8 remediation due date, reflecting a later catalog update than the April 16 alert.

For defenders outside the federal government, the practical issue is exposure: Shadowserver says internet-reachable ActiveMQ services should be restricted to trusted sources, and any host tagged for CVE-2026-34197 should be investigated for compromise and patched. (cisa.gov) (shadowserver.org)

The count of 6,364 does not mean 6,364 confirmed break-ins. It means thousands of publicly reachable message brokers were still advertising vulnerable software after Apache had already shipped one fix and then disclosed more flaws in the same attack surface. (shadowserver.org) (activemq.apache.org)
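The version-based tagging described above, applied to an internal inventory rather than a network probe, as an added example that is not Shadowserver's or Apache's code. It uses only the fix levels named in this article; the assumption that "before 5.19.6 and 6.2.5" also covers older branches such as 5.18.x is mine, and the sample inventory is constructed.

```python
"""Tag ActiveMQ Classic broker versions against the fix levels from the
CVE-2026-34197 and CVE-2026-40466 advisories. Constructed example: fix
versions come from the article; the tagging logic is added here."""
import re

# Fix level per CVE, keyed by release branch (major, minor). A broker is
# exposed to a CVE when its version is below the fix for its branch.
# Assumption: the advisories' "before X" wording also covers any older
# branch (e.g. 5.18.x), so those are tagged as exposed as well.
FIXES = {
    "CVE-2026-34197": {(5, 19): (5, 19, 4), (6, 2): (6, 2, 3)},
    "CVE-2026-40466": {(5, 19): (5, 19, 6), (6, 2): (6, 2, 5)},
}

def parse_version(text):
    """Extract (major, minor, patch) from a reported version string such as
    '5.19.4' or '6.2.3-SNAPSHOT'; returns None when it cannot be read."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(x) for x in m.groups()) if m else None

def vulnerable_to(version, cve):
    """True when `version` is below the fix level for its branch, or when it
    sits on a branch older than every fixed one (see assumption above)."""
    branches = FIXES[cve]
    branch = version[:2]
    if branch in branches:
        return version < branches[branch]
    # Unknown branch: older than the lowest fixed release means exposed; a
    # newer line is not covered by these fix levels and is left untagged.
    return version < min(branches.values())

def tag_broker(version_text):
    """Return the sorted list of CVEs a reported version is still exposed
    to, or ['unparseable'] when the version string cannot be read."""
    v = parse_version(version_text)
    if v is None:
        return ["unparseable"]
    return sorted(cve for cve in FIXES if vulnerable_to(v, cve))

if __name__ == "__main__":
    # Constructed inventory lines: (host, version reported by the broker).
    inventory = [("broker-a", "5.18.3"), ("broker-b", "5.19.4"),
                 ("broker-c", "6.2.3"), ("broker-d", "6.2.5")]
    for host, ver in inventory:
        print(host, ver, tag_broker(ver) or ["patched for both"])
```

A broker reporting 5.19.4 or 6.2.3 is tagged only for the bypass, which is exactly the "patched in March, still needed the April update" case the article describes.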