CISA Orders Federal Agencies to Patch 13-Year-Old Apache ActiveMQ Vulnerability Under Active Attack
#Vulnerabilities

Regulation Reporter

CISA has added CVE-2026-34197 to its KEV catalog and ordered federal agencies to patch within two weeks as attackers exploit a 13-year-old Apache ActiveMQ flaw that allows remote code execution through default credentials.

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent directive to federal agencies to patch a critical vulnerability in Apache ActiveMQ that has been actively exploited in the wild. The vulnerability, tracked as CVE-2026-34197, was added to CISA's Known Exploited Vulnerabilities (KEV) catalog on April 16, 2026, triggering a Binding Operational Directive that requires Federal Civilian Executive Branch agencies to remediate the issue by April 30, 2026.

A Decade-Long Vulnerability Finally Discovered

The bug, which has been hiding in plain sight for 13 years, allows authenticated users to execute arbitrary code through Apache ActiveMQ's Jolokia management API. Apache ActiveMQ is an open-source message broker widely used to facilitate communication between applications and services in enterprise environments.

According to Horizon3 researcher Naveen Sunkavally, who discovered the vulnerability with assistance from Anthropic's Claude AI assistant, the flaw can be exploited to trick the broker into fetching remote configuration files and running arbitrary operating system commands. The vulnerability affects Apache ActiveMQ Classic versions prior to 5.19.5 and 6.2.3.

Authentication Bypass Makes Exploitation Trivial

While the vulnerability technically requires authentication, Sunkavally noted that many deployments continue to use default credentials, particularly the infamous "admin:admin" combination. This makes initial access trivial for attackers who can simply try common default credentials.

Even more concerning, certain ActiveMQ versions (6.0.0 through 6.1.1) are affected by an older vulnerability, CVE-2024-32114, which can expose the Jolokia API without any authentication. This creates a dangerous chain where attackers can achieve unauthenticated remote code execution on vulnerable systems.

"The vulnerability requires credentials, but default credentials are common in many environments," Sunkavally explained. "On some versions... no credentials are required at all... In those versions, CVE-2026-34197 is effectively an unauthenticated RCE."

Widespread Exposure and Active Exploitation

Threat monitoring organization ShadowServer has identified over 8,000 ActiveMQ instances accessible from the public internet, creating a substantial attack surface for malicious actors. The vulnerability's inclusion in CISA's KEV catalog confirms that it is being actively exploited in real-world attacks.

This is not the first time Apache ActiveMQ has been targeted by attackers. The platform has previously been used in various compromises, including cryptomining operations and botnet infrastructure deployments. The current exploitation campaign appears to be more sophisticated, with attackers potentially using the vulnerability as a foothold for broader network compromise.

Urgent Remediation Required

Federal agencies have until April 30, 2026, to patch their systems or prepare to explain their non-compliance to CISA. The agency's Binding Operational Directive 22-01 mandates that vulnerabilities on the KEV list must be remediated within specified timeframes to protect federal systems from known threats.

Organizations outside the federal government should also prioritize patching, as the widespread exposure of ActiveMQ instances makes this a significant risk for any organization using the software. Patches are available in ActiveMQ versions 5.19.5 and 6.2.3, and administrators should upgrade immediately if running vulnerable versions.

Broader Implications for Enterprise Security

This vulnerability highlights several critical issues in enterprise security practices. First, the 13-year timeframe during which this flaw remained undetected demonstrates how even widely used open-source components can harbor serious vulnerabilities for extended periods. Second, the reliance on default credentials in production environments remains a persistent and dangerous practice.

The discovery also raises questions about the role of AI in vulnerability research. Sunkavally's use of Anthropic's Claude AI assistant to help identify the vulnerability suggests that AI tools may be accelerating the discovery of long-standing security flaws, potentially leading to more rapid identification of critical vulnerabilities in the future.

Organizations using Apache ActiveMQ should immediately:

  1. Verify their current version and determine if they are running a vulnerable release
  2. Apply patches available in versions 5.19.5 or 6.2.3
  3. Change any default credentials, especially for the admin account
  4. Review access controls for the Jolokia management API
  5. Monitor for suspicious activity on ActiveMQ instances
  6. Consider network segmentation to limit exposure of messaging infrastructure
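An added triage helper for step 1 of this checklist (example code, not from the article, CISA, Horizon3 or the ActiveMQ project): it classifies an inventory of ActiveMQ Classic broker versions using only the version facts stated above, that is, fixed in 5.19.5 and 6.2.3, with 6.0.0 through 6.1.1 additionally exposed by CVE-2024-32114. The hostnames and versions in the sample inventory are constructed.

```python
FIXED_BY_MAJOR = {5: (5, 19, 5), 6: (6, 2, 3)}   # first fixed release per line (from the advisory)
UNAUTH_RANGE = ((6, 0, 0), (6, 1, 1))            # CVE-2024-32114: Jolokia exposed without auth
SEVERITY = {"critical": 0, "high": 1, "review": 2, "ok": 3}


def parse_version(text: str) -> tuple:
    """Parse a strict 'major.minor.patch' string into a comparable tuple."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised ActiveMQ version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version: str) -> dict:
    """Classify one broker version. 'vulnerable' is None for lines the advisory
    does not name (anything other than 5.x and 6.x); those need manual review."""
    v = parse_version(version)
    fixed = FIXED_BY_MAJOR.get(v[0])
    if fixed is None:
        return {"version": version, "vulnerable": None, "unauth_chain": False,
                "severity": "review", "action": "line not covered; check vendor advisory"}
    vulnerable = v < fixed
    unauth = UNAUTH_RANGE[0] <= v <= UNAUTH_RANGE[1]
    if not vulnerable:
        severity, action = "ok", "already on a fixed release"
    elif unauth:
        severity, action = "critical", "upgrade now: Jolokia reachable without credentials"
    else:
        severity, action = "high", "upgrade; rotate default credentials; restrict Jolokia access"
    return {"version": version, "vulnerable": vulnerable, "unauth_chain": unauth,
            "severity": severity, "action": action}


def triage(inventory: dict) -> list:
    """Return (host, assessment) pairs from a host->version map, most urgent first."""
    rows = [(host, assess(ver)) for host, ver in inventory.items()]
    return sorted(rows, key=lambda r: (SEVERITY[r[1]["severity"]], r[0]))


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up for illustration.
    sample = {"mq-prod-01": "5.18.3", "mq-prod-02": "6.1.0", "mq-stage-01": "6.2.3",
              "mq-legacy": "5.17.6", "mq-next": "7.0.0"}
    for host, r in triage(sample):
        print(f"{r['severity']:<8} {host:<12} {r['version']:<8} {r['action']}")
```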

For federal agencies, failure to comply with CISA's directive by the April 30 deadline could result in mandatory reporting requirements and potential scrutiny from oversight bodies. The two-week remediation window reflects the severity of the threat and the active exploitation in the wild.

The rapid response from CISA underscores the critical nature of this vulnerability and the agency's commitment to protecting federal systems from actively exploited threats. As attackers continue to target exposed messaging infrastructure, timely patching and proper security configuration remain essential defenses against compromise.
