Tag Archives: JMX

May "In the Trend of VM" (#27): high-profile vulnerabilities in Linux, ActiveMQ, SharePoint, and Adobe Acrobat Reader

Presenting the traditional monthly roundup of trending vulnerabilities according to Positive Technologies. While the April edition featured only one vulnerability, this one includes four, covering different technologies and attack scenarios.

🗞 Post on Habr (rus)
🗒 Digest on the PT website (rus)

🔻 EoP - Linux Kernel "Copy Fail" (CVE-2026-31431). The vulnerability allows an attacker to gain root privileges.

🔻 RCE - Apache ActiveMQ (CVE-2026-34197). A vulnerability in a solution widely used in enterprise systems and integration platforms.

🔻 Spoofing - Microsoft SharePoint Server (CVE-2026-32201). A vulnerability in a Microsoft solution widely used in enterprise systems for collaboration, document management, and internal portal development.

🔻 RCE - Adobe Reader (CVE-2026-34621). A vulnerability in a widely used PDF document viewer; actively exploited in phishing attacks.

🟥 The full list of trending vulnerabilities is available on the portal

About Remote Code Execution - Apache ActiveMQ (CVE-2026-34197) vulnerability

Apache ActiveMQ is a popular open-source message broker written in Java. Its main purpose is to pass messages between different services, systems, and microservices without a direct connection between them.

This vulnerability is from the April Linux Patch Wednesday. Details were published on April 7 in the HORIZON3.ai company blog. According to them, the Apache ActiveMQ Classic vulnerability had been hiding in plain sight for 13 years. An attacker can invoke a management operation through ActiveMQ's Jolokia API (the JMX-over-HTTP bridge served by the web console, on port 8161 by default) to make the broker fetch a remote configuration file and run arbitrary OS commands. As a result, the attacker can read sensitive information, including messages, credentials, and configuration files, deploy malware, or use the compromised server as a foothold for further attacks inside the internal infrastructure.

The vulnerability requires credentials, but the default web console credentials (admin:admin) are still common in many environments. On versions 6.0.0–6.1.1 no credentials are needed at all because of another vulnerability, CVE-2024-32114 (fixed in 6.1.2), which exposes the Jolokia API without authentication. On those versions CVE-2026-34197 is effectively an unauthenticated RCE.

🛠 Public exploits have been available on GitHub since April 8.

👾 Indicators of exploitation in the wild were observed by FortiGuard experts on April 13. The vulnerability was added to the CISA KEV catalog on April 16.

🌐 According to data from The Shadowserver Foundation, as of May 14, approximately 7,000 vulnerable Apache ActiveMQ servers remain exposed on the internet.

⚙️ According to the vendor bulletin, the vulnerability is fixed in ActiveMQ versions 5.19.4 and 6.2.3. HORIZON3.ai, however, names 5.19.6 and 6.2.5 as the fixed versions. When the sources disagree, update to the higher one. 😉
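To turn the two points above (credentials required, or none at all on 6.0.0–6.1.1, and the two conflicting fix versions) into a check you can run against your own brokers, here is an added example. It is not code from this post, from Positive Technologies or from HORIZON3.ai. It assumes the Jolokia agent is served under /api/jolokia/ on the web console port (8161 by default), that the broker MBean uses the default brokerName=localhost, and it takes the higher of the two cited fix versions (5.19.6 / 6.2.5) as the safe threshold. The HTTP fetcher is injectable so the classification logic can be exercised offline; no exploitation is attempted, only a version read and a reachability check.

```python
# Added example (not from the post, Positive Technologies or Horizon3.ai).
import base64
import json
import re
import urllib.error
import urllib.request

# Fix thresholds as cited in the post: vendor bulletin 5.19.4 / 6.2.3, Horizon3.ai
# 5.19.6 / 6.2.5. The higher numbers are used here to stay on the safe side.
FIXED_5X = (5, 19, 6)
FIXED_6X = (6, 2, 5)
# CVE-2024-32114: 6.0.0 through 6.1.1 serve the Jolokia API without authentication.
UNAUTH_BY_DEFAULT = ((6, 0, 0), (6, 1, 1))
# Assumption: Jolokia lives under /api/jolokia/ on the web console port (8161 by
# default) and the broker MBean uses the default brokerName=localhost.
JOLOKIA_VERSION = "/api/jolokia/version"
BROKER_VERSION = ("/api/jolokia/read/org.apache.activemq:type=Broker,"
                  "brokerName=localhost/BrokerVersion")


def parse_version(text):
    """'5.18.3' or '6.1.1-SNAPSHOT' -> (5, 18, 3) / (6, 1, 1); anything else is an error."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unrecognised ActiveMQ version: %r" % text)
    return tuple(int(x) for x in m.groups())


def version_findings(version):
    """Map a version string to the two CVEs; None means the major line is not covered here."""
    v = parse_version(version)
    threshold = {5: FIXED_5X, 6: FIXED_6X}.get(v[0])
    return {
        "CVE-2026-34197": None if threshold is None else v < threshold,
        "CVE-2024-32114": UNAUTH_BY_DEFAULT[0] <= v <= UNAUTH_BY_DEFAULT[1],
    }


def http_get(url, creds=None, timeout=5):
    """Minimal fetcher returning (status, body); 401/403 come back as statuses, not exceptions."""
    req = urllib.request.Request(url)
    if creds:
        token = base64.b64encode(("%s:%s" % creds).encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


def _jolokia_ok(body):
    """A genuine Jolokia reply is a JSON object with status 200; a login page is not."""
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    return isinstance(doc, dict) and doc.get("status") == 200


def jolokia_exposure(base_url, fetch=http_get, default_creds=("admin", "admin")):
    """Classify reachability: 'unauthenticated', 'default-credentials',
    'authenticated-only' or 'not-found'. Only the version endpoint is touched."""
    url = base_url.rstrip("/") + JOLOKIA_VERSION
    status, body = fetch(url)
    if status == 200 and _jolokia_ok(body):
        return "unauthenticated"
    if status in (401, 403):
        status, body = fetch(url, default_creds)
        return "default-credentials" if status == 200 and _jolokia_ok(body) else "authenticated-only"
    return "not-found"


def broker_version(base_url, fetch=http_get, creds=None):
    """Read the BrokerVersion attribute through Jolokia; None if it cannot be read."""
    status, body = fetch(base_url.rstrip("/") + BROKER_VERSION, creds)
    return json.loads(body).get("value") if status == 200 and _jolokia_ok(body) else None


def assess(version, exposure):
    """Combine version and reachability into the practical risk the post describes."""
    f = version_findings(version)
    out = []
    if f["CVE-2026-34197"] is None:
        out.append("CVE-2026-34197: major version not covered here, check the vendor bulletin")
    elif f["CVE-2026-34197"] is False:
        out.append("CVE-2026-34197: fixed in this version")
    elif exposure == "unauthenticated":
        out.append("CVE-2026-34197: unauthenticated RCE, Jolokia reachable without credentials")
    elif exposure == "default-credentials":
        out.append("CVE-2026-34197: RCE with default admin:admin credentials")
    elif exposure == "authenticated-only":
        out.append("CVE-2026-34197: vulnerable, exploitation needs valid console credentials")
    else:
        out.append("CVE-2026-34197: vulnerable version, Jolokia not reachable from here")
    if f["CVE-2024-32114"]:
        out.append("CVE-2024-32114: this release ships Jolokia unauthenticated by default")
    elif exposure == "unauthenticated":
        out.append("Jolokia reachable without credentials: a misconfiguration, not CVE-2024-32114")
    return out


if __name__ == "__main__":
    import sys
    base = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8161"
    exposure = jolokia_exposure(base)
    creds = ("admin", "admin") if exposure == "default-credentials" else None
    # Read the version via Jolokia where possible, otherwise take it from argv[2].
    version = broker_version(base, creds=creds) or (sys.argv[2] if len(sys.argv) > 2 else None)
    print("exposure: %s; version: %s" % (exposure, version))
    for line in (assess(version, exposure) if version else ["version unknown, pass it as argv[2]"]):
        print(" -", line)
```

Run it as `python check_activemq.py http://broker:8161` (optionally with the version as a second argument when Jolokia is locked down); a version reachable without credentials, or with admin:admin, combined with a pre-fix release is exactly the "effectively unauthenticated RCE" case described above. Because the check only reads the version endpoint and one MBean attribute, it is safe to run from a scanner against production brokers.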