ActiveMQ added to CISA KEV
A high‑severity Apache ActiveMQ vulnerability was added to CISA’s Known Exploited Vulnerabilities list after reports of active exploitation, with a patch deadline for federal systems set for April 30. The flaw was reportedly present for 13 years before being patched earlier this month. (bleepingcomputer.com) (thehackernews.com)
Apache ActiveMQ, an open-source message broker used to pass data between applications, is now on the Cybersecurity and Infrastructure Security Agency’s list of vulnerabilities under active attack. (cisa.gov) CISA added CVE-2026-34197 to its Known Exploited Vulnerabilities catalog on April 16 and gave federal civilian agencies until April 30, 2026, to fix it under Binding Operational Directive 22-01. (cisa.gov 1) (cisa.gov 2)

The bug affects ActiveMQ Classic, the older branch of the software, not the newer Artemis project. Apache’s advisory says the flaw lets an authenticated user trigger remote code execution through the Jolokia management interface exposed at `/api/jolokia/` in the web console. (activemq.apache.org 1) (activemq.apache.org 2) Jolokia is an HTTP-to-JMX bridge: it lets administrators send web requests to Java Management Extensions (JMX) MBeans, which are the control knobs of a running server. Apache said the default access policy allowed `exec` operations on ActiveMQ management objects, including methods that can add connectors from attacker-supplied strings. (activemq.apache.org) Apache assigned the flaw a CVSS severity score of 8.8 out of 10. The project said affected versions are ActiveMQ Classic before 5.19.4 and versions 6.0.0 through 6.2.2, with fixes in 5.19.4 and 6.2.3. (activemq.apache.org) (nvd.nist.gov)

The timing is tight because Apache published the advisory earlier this month, and CISA moved it into KEV days later after evidence of exploitation. SecurityWeek and BleepingComputer both reported that attacks were already happening in the wild when CISA added the entry. (securityweek.com) (bleepingcomputer.com) Researchers told BleepingComputer the underlying mistake appears to date back about 13 years, which means the vulnerable code may have shipped across multiple long-lived ActiveMQ Classic releases before the April 2026 fix. (bleepingcomputer.com)

Apache’s current download pages show 5.19.x as the supported stable Classic line and 6.1.x and 6.0.x as deprecated, which raises the odds that some organizations are still running older builds in production. The project posted 5.19.5 and 6.2.4 on April 8, 2026, after the patched 5.19.4 and 6.2.3 releases. (activemq.apache.org 1) (activemq.apache.org 2)

For defenders, the immediate work is narrow: identify any exposed ActiveMQ Classic web consoles, restrict or disable Jolokia where possible, and move to a fixed release before the April 30 federal deadline. CISA’s catalog entry is the government’s signal that this is no longer a theoretical software bug. (cisa.gov) (activemq.apache.org)
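As an added example (not code from the advisory or the ActiveMQ project), the following Python triage script does two of the defender tasks above: it checks an inventoried ActiveMQ Classic version against the affected ranges the advisory names, and it scans web-console access logs for Jolokia `exec` requests against `org.apache.activemq` MBeans. The combined-log-format lines, the client addresses and the operation argument are constructed for the example; the MBean operation name used in the sample line is an assumption chosen to mirror the advisory's "add connectors" description.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample lines in combined log format (not real traffic): one read,
# one GET exec against an ActiveMQ MBean, one POST (body not logged), one non-Jolokia hit.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Apr/2026:10:00:01 +0000] "GET /api/jolokia/read/org.apache.activemq:type=Broker,brokerName=localhost/TotalConsumerCount HTTP/1.1" 200 312
10.0.0.9 - admin [16/Apr/2026:10:00:07 +0000] "GET /api/jolokia/exec/org.apache.activemq:type=Broker,brokerName=localhost/addConnector/tcp%3A%2F%2FEXAMPLE HTTP/1.1" 200 201
10.0.0.9 - admin [16/Apr/2026:10:00:09 +0000] "POST /api/jolokia/ HTTP/1.1" 200 188
10.0.0.7 - - [16/Apr/2026:10:00:12 +0000] "GET /admin/queues.jsp HTTP/1.1" 200 9120
"""

REQ_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\w+) (\S+) HTTP/[\d.]+" (\d{3})')
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")
JOLOKIA_PREFIX = "/api/jolokia/"


def is_affected(version: str) -> bool:
    """True if an ActiveMQ Classic version is in the advisory's affected ranges:
    anything before 5.19.4, or 6.0.0 through 6.2.2 (fixed in 5.19.4 and 6.2.3)."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    v = tuple(int(x) for x in m.groups())
    return v < (5, 19, 4) or (6, 0, 0) <= v <= (6, 2, 2)


def classify_jolokia_request(method: str, path: str) -> Optional[str]:
    """Label a web-console request, or return None if it is not Jolokia traffic.
    GET requests carry the Jolokia operation type and MBean in the URL; POST requests
    carry them in a JSON body that access logs do not record, so those need body inspection."""
    if not path.startswith(JOLOKIA_PREFIX):
        return None
    if method.upper() == "POST":
        return "review: POST body not logged"
    parts = path[len(JOLOKIA_PREFIX):].split("/", 2)   # type / mbean / operation+args
    op_type = parts[0].lower()
    mbean = unquote(parts[1]) if len(parts) > 1 else ""
    if op_type == "exec" and mbean.startswith("org.apache.activemq:"):
        return "high: exec on ActiveMQ MBean"
    if op_type in ("exec", "write"):
        return "medium: exec/write on other MBean"
    return "info: read-only"


def scan_log(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (source, user, method, label) for every Jolokia request worth a look."""
    hits = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        src, user, _ts, method, path, _status = m.groups()
        label = classify_jolokia_request(method, path)
        if label and not label.startswith("info"):
            hits.append((src, user, method, label))
    return hits
```

Run `scan_log` over the broker's Jetty access log and `is_affected` over your inventory; any broker that is affected or shows `exec` hits should be patched first and have its Jolokia policy tightened.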