Apr 17, 2026 • Diksha Ojha
Apache ActiveMQ Remote Code Execution Vulnerability Added to CISA KEV (CVE-2026-34197)
Executive Summary
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-34197, a critical Remote Code Execution (RCE) vulnerability affecting Apache ActiveMQ, to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation. This flaw stems from improper input validation within the Jolokia JMX-HTTP bridge, allowing authenticated attackers to execute arbitrary code on the broker's JVM by loading remote Spring XML contexts. Affected versions include ActiveMQ Broker prior to 5.19.4 and 6.0.0 before 6.2.3. Successful exploitation compromises system integrity and enables full control over vulnerable installations. Organizations are urged to prioritize patching to versions 5.19.4 or 6.2.3 by the April 30, 2026 deadline. Immediate mitigation is essential to prevent unauthorized code execution. Security teams should utilize scanning tools, such as Qualys QID 733976, to identify exposed assets and ensure compliance with CISA directives to maintain operational security.
Published Analysis
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns of active exploitation of the Apache ActiveMQ vulnerability (CVE-2026-34197). CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog, urging users to patch before April 30, 2026.
Successful exploitation of the vulnerability may allow an attacker to execute arbitrary code on vulnerable installations.
Apache ActiveMQ is a popular, open-source, multi-protocol Java-based message broker designed to facilitate communication between distributed applications. It supports standard messaging protocols (AMQP, MQTT, STOMP) and acts as an intermediary, enabling reliable asynchronous messaging and decoupling of system components.
Vulnerability Details
Apache ActiveMQ Broker is affected by an improper input validation and code injection vulnerability. The broker exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String).
An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec().
Affected Versions
- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) before 5.19.4
- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 6.0.0 before 6.2.3
- Apache ActiveMQ (org.apache.activemq:activemq-all) before 5.19.4
- Apache ActiveMQ (org.apache.activemq:activemq-all) 6.0.0 before 6.2.3
Mitigation
Users must upgrade to Apache ActiveMQ version 5.19.4 or 6.2.3 to patch the vulnerability.
For more information, please refer to the Apache security advisory.
Qualys Detection
Qualys customers can scan their devices with QID 733976 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
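A detection sketch for the request pattern described under Vulnerability Details, added here as an example and not taken from Qualys or Apache: it classifies JSON bodies POSTed to /api/jolokia/ and flags exec calls to the two named BrokerService operations, raising severity when an argument mentions brokerConfig. It assumes a reverse proxy or WAF captures request bodies; the function names are hypothetical, and the sample bodies are constructed with the URI argument redacted.

```python
import json
from urllib.parse import unquote

# Operations and MBean domain named in the advisory text.
RISKY_OPS = {"addNetworkConnector", "addConnector"}
MBEAN_DOMAIN = "org.apache.activemq:"

# Constructed sample bodies (not captured traffic); the URI argument is redacted.
SAMPLES = [
    '{"type":"read","mbean":"org.apache.activemq:type=Broker,brokerName=localhost","attribute":"TotalMessageCount"}',
    '{"type":"exec","mbean":"org.apache.activemq:type=Broker,brokerName=localhost","operation":"addConnector","arguments":["tcp://0.0.0.0:61617"]}',
    '[{"type":"EXEC","mbean":"org.apache.activemq:type=Broker,brokerName=localhost","operation":"addNetworkConnector(java.lang.String)","arguments":["<redacted>broker%43onfig=<redacted>"]},{"type":"version"}]',
]


def classify(req):
    """Return None, 'review' or 'high' for one decoded Jolokia request object."""
    if not isinstance(req, dict):
        return None
    # Request type is compared case-insensitively as a precaution.
    if str(req.get("type", "")).lower() != "exec":
        return None
    if not str(req.get("mbean", "")).strip().startswith(MBEAN_DOMAIN):
        return None
    # Jolokia accepts an optional signature suffix: "addConnector(java.lang.String)".
    op = str(req.get("operation", "")).split("(", 1)[0].strip()
    if op not in RISKY_OPS:
        return None
    args = req.get("arguments") or []
    if not isinstance(args, list):
        args = [args]
    # Percent-decode so an encoded parameter name in the captured body still matches.
    text = " ".join(unquote(str(a)) for a in args).lower()
    return "high" if "brokerconfig" in text else "review"


def scan_body(body):
    """Classify a POST body: a single request object or a bulk JSON array."""
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        return []
    reqs = doc if isinstance(doc, list) else [doc]
    return [verdict for verdict in map(classify, reqs) if verdict]


if __name__ == "__main__":
    for sample in SAMPLES:
        print(scan_body(sample), sample[:60])
```

A "review" verdict is a runtime connector change worth confirming with the broker's administrators; GET-style Jolokia URLs are not covered by this sketch.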
References
https://activemq.apache.org/security-advisories.data/CVE-2026-34197-announcement.txt
Linked Entities
- CVE-2026-34197