Week 17 – ActiveMQ Bug Hidden for 13 Years

20–26 Apr 2026

Our CVE of the Week series continues as we reveal an Apache ActiveMQ Classic vulnerability that went undetected for 13 years before being discovered with the help of the Claude AI assistant.

Tracked as CVE-2026-34197 (CVSS score: 8.8), this high-severity security flaw in Apache ActiveMQ stems from an improper input validation weakness that enables authenticated threat actors to execute arbitrary code on unpatched systems. An attacker can invoke a management operation through ActiveMQ’s Jolokia API to trick the broker into fetching a remote configuration file and running arbitrary OS commands.

The vulnerability requires credentials, but default credentials (admin:admin) are common in many environments. On some versions (6.0.0–6.1.1), no credentials are required at all due to another vulnerability.

According to threat monitoring service ShadowServer, over 6,400 internet‑exposed IP addresses bearing Apache ActiveMQ fingerprints remain vulnerable, with the majority located in Asia (2,925), followed by North America (1,409) and Europe (1,334).

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also warned that this Apache ActiveMQ vulnerability is now actively exploited in attacks.

Admins are advised to search the ActiveMQ broker logs for signs of exploitation by looking for suspicious broker connections that use the internal transport protocol VM and the brokerConfig=xbean:http:// query parameter.
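The log check described above can be scripted. This sketch is an added example, not code from the original article or from the ActiveMQ project. It flags lines where a `vm://` URI carries `brokerConfig=xbean:http://`. The sample lines are constructed and their layout is an assumption, as are the extra handling of `https://` and percent-encoded URIs.

```python
import re
import sys
from urllib.parse import unquote

# Indicators named in the article: a vm:// transport URI whose query string
# carries brokerConfig=xbean:http://. Matching https:// too is an assumption.
VM_URI = re.compile(r"vm://[^\s\"'<>]+", re.IGNORECASE)
REMOTE_XBEAN = re.compile(r"brokerConfig=xbean:(https?://[^\s&\"'<>)]+)", re.IGNORECASE)

def decode(line, rounds=3):
    """Undo up to `rounds` layers of percent-encoding so encoded URIs still match."""
    for _ in range(rounds):
        decoded = unquote(line)
        if decoded == line:
            break
        line = decoded
    return line

def scan(lines):
    """Return (line_number, remote_config_url) for every suspicious line."""
    hits = []
    for number, raw in enumerate(lines, start=1):
        for uri in VM_URI.findall(decode(raw)):
            match = REMOTE_XBEAN.search(uri)
            if match:
                hits.append((number, match.group(1)))
    return hits

# Constructed sample lines (not real ActiveMQ output; the log layout is assumed).
SAMPLE_LOG = [
    "2026-04-21 10:02:11 | INFO | Connector vm://localhost started",
    "2026-04-21 10:05:43 | INFO | Connecting to "
    "vm://rogue?brokerConfig=xbean:http://config-host.example/conf.xml",
    "2026-04-21 10:06:02 | WARN | request contained "
    "vm%3A%2F%2Frogue%3FbrokerConfig%3Dxbean%3Ahttp%3A%2F%2Fconfig-host.example%2Fconf.xml",
    "2026-04-21 10:07:30 | INFO | vm://localhost?brokerConfig=xbean:activemq.xml",
]

if __name__ == "__main__":
    # Scan the log file given as the first argument, or the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as handle:
            source = handle.readlines()
    else:
        source = SAMPLE_LOG
    for number, url in scan(source):
        print(f"line {number}: vm:// connection loading remote config {url}")
```

A `vm://` URI on its own, or one that loads a local `xbean:` file, is not reported. Only the remote-configuration pattern is flagged.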

The vulnerability impacts the following versions:

  • Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) before 5.19.4
  • Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 6.0.0 before 6.2.3
  • Apache ActiveMQ (org.apache.activemq:activemq-all) before 5.19.4
  • Apache ActiveMQ (org.apache.activemq:activemq-all) 6.0.0 before 6.2.3

To address the issue, upgrade to version 5.19.5 or 6.2.3.

We recommend organizations running ActiveMQ treat this as a high priority, as ActiveMQ has been a repeated target for real-world attackers.

For more details, please visit:

https://www.bleepingcomputer.com/news/security/actively-exploited-apache-activemq-flaw-impacts-6-400-servers/

https://cvefeed.io/vuln/detail/CVE-2026-34197

https://activemq.apache.org/security-advisories.data/CVE-2026-34197-announcement.txt

https://horizon3.ai/attack-research/disclosures/cve-2026-34197-activemq-rce-jolokia/

White Hat IT Security is a Europe-based Managed Security Services Provider (MSSP) and proud Microsoft Solution Partner. Its Microsoft-verified managed security solutions (MXDR) reflect their deep expertise and commitment to excellence in cybersecurity. The company was awarded the Partner of the Year Hungary Award by Microsoft in 2024 and 2025.

With the largest incident response capacity in the CEE region, they’re trusted by organizations to deliver fast, effective, and proactive protection. Their portfolio includes penetration testing, vulnerability assessments, managed Cyber Threat Intelligence, as well as Governance, Risk and Compliance (GRC) consulting and specialized security training.

They are committed to supporting professional initiatives that aim to raise cybersecurity awareness and maturity—both for individuals and organizations. They regularly contribute to the community through knowledge sharing, education, and outreach, helping to build a safer digital future for all.