Zero-day | Apr 21, 2026

Actively exploited Apache ActiveMQ flaw impacts 6,400 servers

Apache ActiveMQ code injection flaw CVE-2026-34197 actively exploited against 6,400+ exposed servers.

Summary

Shadowserver discovered over 6,400 publicly exposed Apache ActiveMQ servers vulnerable to CVE-2026-34197, a high-severity code injection flaw that enables authenticated attackers to execute arbitrary code. The vulnerability, found by a Horizon3 researcher using AI analysis, remained undetected for 13 years before patches were released in March 2026. CISA has confirmed active exploitation and ordered Federal agencies to remediate by April 30.

Full text

By Sergiu Gatlan, April 21, 2026 07:17 AM

Nonprofit security organization Shadowserver found that over 6,400 Apache ActiveMQ servers exposed online are vulnerable to ongoing attacks exploiting a high-severity code injection vulnerability.

Apache ActiveMQ is the most popular open-source multi-protocol message broker for asynchronous communication between Java applications.

Tracked as CVE-2026-34197, the vulnerability was discovered by Horizon3 researcher Naveen Sunkavally using the Claude AI assistant after remaining undetected for 13 years. As Sunkavally explained, this security flaw stems from an improper input validation weakness that enables authenticated threat actors to execute arbitrary code on unpatched systems.

The Apache maintainers patched the vulnerability on March 30 in ActiveMQ Classic versions 6.2.3 and 5.19.4.

As threat monitoring service Shadowserver warned on Monday, more than 6,400 IP addresses with Apache ActiveMQ fingerprints exposed online are also vulnerable to CVE-2026-34197 attacks, with most in Asia (2,925), North America (1,409), and Europe (1,334).

Unpatched ActiveMQ servers exposed online (Shadowserver)

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also warned on Thursday that this Apache ActiveMQ vulnerability is now actively exploited in attacks and ordered Federal Civilian Executive Branch (FCEB) agencies to secure their servers by April 30.

"This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," the cybersecurity agency warned. "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."
Horizon3 researchers advised admins to search the ActiveMQ broker logs for signs of exploitation by looking for suspicious broker connections that use the internal VM transport protocol together with the brokerConfig=xbean:http:// query parameter.

"We recommend organizations running ActiveMQ treat this as a high priority, as ActiveMQ has been a repeated target for real-world attackers, and methods for exploitation and post-exploitation of ActiveMQ are well-known," Horizon3 warned.

CISA has tagged two other Apache ActiveMQ vulnerabilities as exploited in the wild in recent years, tracked as CVE-2016-3088 and CVE-2023-46604, with the latter targeted by the TellYouThePass ransomware gang as a zero-day flaw.
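The log check Horizon3 describes, written out as an added example (not code from the article, Horizon3 or the ActiveMQ project): it scans broker log lines for a vm:// connection URI carrying a brokerConfig=xbean: parameter that points at a remote URL. The log line layout and addresses below are constructed, and matching https:// as well as the http:// the article names is an assumption made to widen the net.

```python
import re
from typing import Dict, Iterable, List

# Indicator from the Horizon3 guidance: a connection over the internal vm://
# transport whose URI includes brokerConfig=xbean:http(s)://. Only the URI
# fragment is matched, so the surrounding log format does not matter.
SUSPICIOUS_URI = re.compile(
    r"(?P<uri>vm://[^\s\"']*brokerConfig=xbean:https?://[^\s\"'&]*)",
    re.IGNORECASE,
)
REMOTE_CONFIG = re.compile(r"brokerConfig=xbean:(https?://[^\s\"'&]*)", re.IGNORECASE)


def find_suspicious_connections(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one record per log line that contains a vm:// URI whose
    brokerConfig parameter loads an xbean configuration from a remote URL."""
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, start=1):
        match = SUSPICIOUS_URI.search(line)
        if not match:
            continue
        uri = match.group("uri")
        remote = REMOTE_CONFIG.search(uri)
        hits.append({
            "line": lineno,
            "uri": uri,
            "config_url": remote.group(1) if remote else "",
            "text": line.strip(),
        })
    return hits


def scan_text(text: str) -> List[Dict[str, object]]:
    """Convenience wrapper for scanning a whole log file read into memory."""
    return find_suspicious_connections(text.splitlines())


# Constructed sample log (not real ActiveMQ output). The first two lines are
# benign: a plain local vm:// connector and an ordinary tcp client connection.
SAMPLE_LOG = """\
2026-04-20 10:01:12,511 | INFO  | Connector vm://localhost started | TransportConnector
2026-04-20 10:03:40,204 | INFO  | Connection tcp://198.51.100.7:54321 established | Transport
2026-04-20 10:05:02,777 | INFO  | Establishing connection to vm://localhost?brokerConfig=xbean:http://203.0.113.9:8000/config.xml | Transport
2026-04-20 10:05:03,001 | WARN  | Failed to connect to vm://broker?create=false&brokerConfig=xbean:http://203.0.113.9:8000/config.xml&waitForStart=1000 | Transport
"""

if __name__ == "__main__":
    for hit in scan_text(SAMPLE_LOG):
        print(f"line {hit['line']}: remote brokerConfig {hit['config_url']} in {hit['uri']}")
```

Point the scanner at the broker's activemq.log and treat any hit as a trigger for incident response on that host, not merely a patch reminder.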

Indicators of Compromise

  • cve — CVE-2026-34197
  • cve — CVE-2016-3088
  • cve — CVE-2023-46604
  • malware — TellYouThePass

Entities

  • Apache ActiveMQ (product)
  • Apache Software Foundation (vendor)
  • Shadowserver (vendor)
  • Horizon3 (vendor)
  • TellYouThePass (threat_actor)