Apache ActiveMQ RCE Added to CISA KEV After Exploit Surge
CVE-2026-34197 lets attackers execute arbitrary code via ActiveMQ's Jolokia API. CISA mandates federal patching by April 30 as exploitation peaks.
CISA added CVE-2026-34197 to its Known Exploited Vulnerabilities catalog on April 16, mandating that federal agencies patch by April 30. The flaw affects Apache ActiveMQ, a widely deployed open-source message broker used in enterprise integration patterns across financial services, healthcare, and logistics.
What Makes This Dangerous
The vulnerability scores 8.8 on CVSS and stems from improper input validation in ActiveMQ's Jolokia management API. According to CISA's advisory, attackers can invoke management operations through Jolokia to trick the broker into fetching a remote configuration file and executing arbitrary OS commands.
Default credentials make this worse. Many ActiveMQ deployments still ship with admin:admin, effectively turning an authenticated vulnerability into a trivial compromise—a pattern we've seen repeatedly with SAP's recent SQL injection flaw where default configurations enabled exploitation. Versions 6.0.0 through 6.1.1 compound the problem—they're also vulnerable to CVE-2024-32114, which exposes Jolokia without authentication entirely.
Affected Versions
The flaw impacts:
- Apache ActiveMQ Broker before 5.19.4
- Apache ActiveMQ 6.0.0 through 6.2.2
- Apache ActiveMQ-all packages before corresponding versions
Organizations running ActiveMQ should upgrade immediately to version 5.19.4 or 6.2.3, which address the issue.
Active Exploitation Confirmed
Fortinet FortiGuard Labs documented dozens of exploitation attempts, with peak activity on April 14. Attackers are scanning for exposed Jolokia endpoints and probing default credentials. SAFE Security confirmed threat actors are actively exploiting vulnerable instances in the wild.
This pattern mirrors what we saw with Thymeleaf's SSTI bypass last week—Java ecosystem components continue attracting attackers who know enterprises struggle to keep middleware updated. The Protobuf.js RCE disclosure similarly highlighted how foundational libraries become high-value targets.
How Attacks Work
The exploitation chain follows a predictable sequence:
- Attacker identifies ActiveMQ instance with exposed Jolokia API
- Attempts authentication with default or weak credentials
- Invokes management operation to fetch remote configuration
- Configuration triggers OS command execution on the broker host
From there, attackers gain an initial foothold and can pivot through the message broker's network position, which is often deep inside enterprise infrastructure where brokers handle sensitive transaction data.
Mitigation Steps
- Upgrade immediately to ActiveMQ 5.19.4 or 6.2.3
- Change default credentials if you haven't already (you should have)
- Restrict Jolokia access to trusted networks only
- Audit authentication logs for suspicious management API activity
- Check for IOCs including unusual outbound connections from broker hosts
Organizations unable to patch immediately should block external access to the Jolokia endpoint at the network perimeter.
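One way to carry out the log-audit step above, as an added example that is not code from the article or from the Apache ActiveMQ project: it triages Jolokia POST requests captured at a reverse proxy or WAF, flagging state-changing operations from outside a trusted network and any argument that looks like a remote URL to fetch. The trusted CIDR, the capture format, the operation name EXAMPLE_OP and every sample entry are constructed assumptions; the request fields (`type`, `mbean`, `operation`, `arguments`) are Jolokia's real JSON request format.

```python
"""Triage captured Jolokia POSTs (added example, not ActiveMQ's own code).

Assumes a reverse proxy/WAF capture of (client IP, raw body); bodies follow the
real Jolokia JSON request format. TRUSTED_NETS and samples are constructed."""
import ipaddress
import json
import re

TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: ops network
STATE_CHANGING = {"exec", "write"}  # read/list/search/version are passive
URL_RE = re.compile(r"^(https?|ftp|file)://", re.IGNORECASE)


def triage(src_ip, body):
    """Return findings for one captured Jolokia POST (empty list if benign)."""
    try:
        parsed = json.loads(body)
    except json.JSONDecodeError:
        return [f"unparseable Jolokia body from {src_ip}"]
    # Jolokia also accepts bulk requests: a JSON array of single requests.
    requests = parsed if isinstance(parsed, list) else [parsed]
    trusted = any(ipaddress.ip_address(src_ip) in net for net in TRUSTED_NETS)
    findings = []
    for req in requests:
        if not isinstance(req, dict) or req.get("type", "").lower() not in STATE_CHANGING:
            continue
        target = f"{req.get('mbean')}/{req.get('operation', req.get('attribute'))}"
        if not trusted:
            findings.append(f"{req['type']} on {target} from untrusted {src_ip}")
        for arg in req.get("arguments") or []:
            if isinstance(arg, str) and URL_RE.match(arg):
                findings.append(f"remote URL argument to {target}: {arg}")
    return findings


def scan(capture):
    """Run triage over (src_ip, body) pairs and return all findings in order."""
    return [f for src_ip, body in capture for f in triage(src_ip, body)]


# Constructed sample capture: a passive read from outside, a routine exec from
# the ops network, and an exec from outside that hands the broker a URL.
SAMPLE_CAPTURE = [
    ("203.0.113.7", '{"type":"read","mbean":"org.apache.activemq:type=Broker,brokerName=localhost","attribute":"BrokerVersion"}'),
    ("10.20.0.5", '{"type":"exec","mbean":"org.apache.activemq:type=Broker,brokerName=localhost","operation":"gc","arguments":[]}'),
    ("203.0.113.7", '[{"type":"exec","mbean":"org.apache.activemq:type=Broker,brokerName=localhost","operation":"EXAMPLE_OP","arguments":["http://198.51.100.9/remote-config.xml"]}]'),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_CAPTURE):
        print("ALERT:", finding)
```

Point the capture at requests whose path is the broker's Jolokia endpoint (`/api/jolokia` in the ActiveMQ web console) and feed each finding to your alerting pipeline; a hit from an address outside the broker's management network is the event the mitigation list tells you to look for.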
Why This Matters
Message brokers sit at the center of enterprise architecture. They handle inter-service communication, process financial transactions, and coordinate logistics operations. Compromising a message broker gives attackers visibility into business processes and a pivot point to connected systems.
ActiveMQ's prevalence makes it an attractive target. The Apache Software Foundation reports millions of deployments globally, and the broker integrates with virtually every enterprise Java framework. Attackers know that middleware updates often lag behind application patches—the operational risk of disrupting message flow keeps security teams cautious about broker maintenance windows.
CISA's April 30 deadline applies only to federal agencies, but private sector organizations face the same threat. If you're running ActiveMQ, treat this as a critical priority. The exploit is straightforward, the attack surface is large, and threat actors are already capitalizing on the vulnerability window.
For organizations evaluating their overall vulnerability management posture, this incident reinforces why knowing your software inventory matters—you can't patch what you don't know you're running.