Apache ActiveMQ CVE-2026-34197 Added to CISA KEV Amid Active Exploitation
TL;DR
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity flaw in Apache ActiveMQ Classic (CVE-2026-34197) to its Known Exploited Vulnerabilities (KEV) catalog. The flaw allows for Remote Code Execution (RCE) via the Jolokia API and has reportedly been "hiding in plain sight" for over a decade. Organizations are urged to patch immediately.
Overview of CVE-2026-34197
A high-severity security vulnerability in Apache ActiveMQ Classic, tracked as CVE-2026-34197, is currently being exploited in the wild. With a CVSS score of 8.8, the flaw is characterized as an improper input validation issue that leads to code injection.
According to Naveen Sunkavally of Horizon3.ai, this vulnerability has existed for approximately 13 years. The flaw allows an attacker to use ActiveMQ’s Jolokia API to invoke management operations that trick the broker into fetching a remote configuration file. This sequence ultimately enables the execution of arbitrary OS commands on the susceptible system.
Authentication and Exploitation Paths
The barrier to exploitation varies depending on the specific version of ActiveMQ in use:
- Credentialed Access: In many environments, exploitation requires valid credentials. However, unchanged default credentials (e.g., admin:admin) remain a common gap that attackers can trivially leverage.
- Unauthenticated RCE: For versions 6.0.0 through 6.1.1, the vulnerability is effectively an unauthenticated RCE. This is due to a secondary vulnerability, CVE-2024-32114, which inadvertently exposes the Jolokia API without requiring any authentication.
SAFE Security has reported that threat actors are actively targeting these exposed Jolokia management endpoints.
Affected Versions
The vulnerability impacts the following versions of Apache ActiveMQ:
- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker): Versions before 5.19.4 and versions 6.0.0 before 6.2.3.
- Apache ActiveMQ (org.apache.activemq:activemq-all): Versions before 5.19.4 and versions 6.0.0 before 6.2.3.
CISA Mandate and Recommendations
Due to active exploitation, CISA has added CVE-2026-34197 to its KEV catalog. Federal Civilian Executive Branch (FCEB) agencies are required to apply necessary fixes by April 30, 2026.
Recommended Actions:
- Upgrade: Users should immediately upgrade to version 5.19.4 (5.x line) or 6.2.3 (6.x line) to mitigate the risk. Moving a 6.0.0 to 6.1.1 deployment to 6.2.3 also closes the CVE-2024-32114 authentication bypass.
- Audit Endpoints: Organizations should audit all deployments for externally accessible Jolokia endpoints.
- Restrict Access: If Jolokia is required, restrict access to trusted networks and enforce strong authentication.
- Disable Unnecessary Services: Disable the Jolokia API entirely in environments where it is not required for operations.
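The audit steps above amount to two questions per broker: does the Jolokia endpoint answer without credentials, and does the broker version fall in one of the affected ranges? The following triage helper is an added example, not code from the article or the ActiveMQ project. It encodes the fixed versions and the CVE-2024-32114 range stated above, and interprets a constructed Jolokia read of the broker's `BrokerVersion` MBean attribute (the web console normally serves Jolokia under `/api/jolokia`); the sample HTTP responses are constructed inline, so nothing is fetched from the network.

```python
"""Triage an Apache ActiveMQ Classic broker for CVE-2026-34197 exposure.

Added example (not from the advisory or the ActiveMQ project). It classifies a
broker from (a) its version string and (b) whether an unauthenticated Jolokia
read succeeded. Sample responses below are constructed, not captured.
"""
import json
import re
from typing import Optional, Tuple

# Fixed releases named in the advisory: everything below these is affected.
FIXED_5X = (5, 19, 4)
FIXED_6X = (6, 2, 3)
# CVE-2024-32114 exposes Jolokia without authentication on this 6.x range.
UNAUTH_6X_LOW, UNAUTH_6X_HIGH = (6, 0, 0), (6, 1, 1)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '5.18.3' (or '5.18.3-SNAPSHOT') into a comparable tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def classify(version: str, jolokia_unauthenticated: bool) -> str:
    """Map a broker version plus observed auth posture to a triage verdict."""
    v = parse_version(version)
    if v[0] <= 5:
        vulnerable = v < FIXED_5X
    elif v[0] == 6:
        vulnerable = v < FIXED_6X
    else:
        return "outside advisory ranges; verify manually"
    if not vulnerable:
        return "patched"
    # Either we observed the endpoint answering without creds, or the
    # version is in the CVE-2024-32114 range where that is the default.
    if jolokia_unauthenticated or UNAUTH_6X_LOW <= v <= UNAUTH_6X_HIGH:
        return "vulnerable: unauthenticated RCE path"
    return "vulnerable: credentialed RCE path (check for default credentials)"


def broker_version_from_jolokia(http_status: int, body: str) -> Tuple[Optional[str], bool]:
    """Interpret an unauthenticated GET of
    /api/jolokia/read/org.apache.activemq:type=Broker,brokerName=<name>/BrokerVersion.

    Returns (version_or_None, answered_without_auth).
    """
    if http_status != 200:
        # 401/403 means the console realm is enforcing authentication.
        return None, False
    data = json.loads(body)
    # Jolokia reports MBean-level errors inside a 200 body via "status".
    if data.get("status") != 200 or "value" not in data:
        return None, True
    return str(data["value"]), True


def triage(http_status: int, body: str) -> str:
    """One-line verdict for a single broker from its Jolokia probe result."""
    version, unauth = broker_version_from_jolokia(http_status, body)
    if version is None:
        if unauth:
            return "jolokia reachable without auth; version unknown, check from the host"
        return "auth enforced; version unknown, check from the host"
    return classify(version, unauth)


# Constructed sample responses (not real captures).
SAMPLE_UNAUTH_611 = (200, json.dumps({
    "request": {"mbean": "org.apache.activemq:brokerName=localhost,type=Broker",
                "attribute": "BrokerVersion", "type": "read"},
    "value": "6.1.1", "timestamp": 0, "status": 200,
}))
SAMPLE_AUTH_ENFORCED = (401, "")

if __name__ == "__main__":
    for label, sample in (("6.1.1, open", SAMPLE_UNAUTH_611),
                          ("auth enforced", SAMPLE_AUTH_ENFORCED)):
        print(f"{label}: {triage(*sample)}")
    for ver in ("5.18.3", "5.19.4", "6.1.2", "6.2.3"):
        print(f"{ver}: {classify(ver, False)}")
```

Run the probe with and without credentials against each broker: a 401 without credentials means the realm is enforcing authentication, which is the posture the "Restrict Access" step asks for, but the version check still decides whether the upgrade is needed.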
Context: A Recurring Target
Apache ActiveMQ is a frequent target for cyberattacks due to its critical role in enterprise messaging and data pipelines. In August 2025, a separate vulnerability (CVE-2023-46604) was weaponized to distribute "DripDropper" Linux malware.
The rapid exploitation of CVE-2026-34197 fits a trend in which the window between vulnerability disclosure and active exploitation keeps shrinking, leaving organizations little time to patch.
While CISA has confirmed active exploitation, specific details regarding the identity of the threat actors or the exact methods of their current campaigns have not been disclosed.
Source: https://thehackernews.com/2026/04/apache-activemq-cve-2026-34197-added-to.html