CISA flags Apache ActiveMQ flaw as actively exploited in attacks
CISA flags Apache ActiveMQ CVE-2026-34197 as actively exploited after 13-year concealment.
Summary
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-34197, a high-severity Apache ActiveMQ vulnerability, to its Known Exploited Vulnerabilities catalog after confirming active exploitation in the wild. The flaw, which remained undetected for 13 years before being discovered by Horizon3 researcher Naveen Sunkavally using Claude AI, stems from improper input validation allowing authenticated attackers to execute arbitrary code via injection. CISA has ordered federal agencies to patch ActiveMQ servers by April 30, 2026, with ShadowServer currently tracking over 7,500 exposed instances online.
Full text
CISA flags Apache ActiveMQ flaw as actively exploited in attacks By Sergiu Gatlan April 17, 2026 05:30 AM 0 The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned on Thursday that a high-severity Apache ActiveMQ vulnerability patched earlier this month is now actively exploited in attacks. Apache ActiveMQ is the most popular open-source Java-based message broker for asynchronous communication between applications. Tracked as CVE-2026-34197, the security flaw has gone undetected for 13 years and was discovered by Horizon3 researcher Naveen Sunkavally using the Claude AI assistant. Sunkavally explained that the vulnerability stems from improper input validation, which allows authenticated threat actors to execute arbitrary code via injection attacks. The Apache maintainers patched the vulnerability on March 30in ActiveMQ Classic versions 6.2.3 and 5.19.4. "We recommend organizations running ActiveMQ treat this as a high priority, as ActiveMQ has been a repeated target for real-world attackers, and methods for exploitation and post-exploitation of ActiveMQ are well-known," Horizon3 warned. Threat monitoring service ShadowServer is currently tracking more than 7,500 Apache ActiveMQ servers exposed online. ActiveMQ servers exposed online (Shadowserver) On Thursday, CISA added CVE-2026-34197 to its Known Exploited Vulnerabilities (KEV) Catalog and ordered Federal Civilian Executive Branch (FCEB) agencies to patch ActiveMQ servers within two weeks, by April 30, as mandated by Binding Operational Directive (BOD) 22-01. Horizon3 researchers said that signs of exploitation can be found by analyzing the ActiveMQ broker logs and recommended looking for suspicious broker connections that use the brokerConfig=xbean:http:// query parameter and the internal transport protocol VM. "This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," the cybersecurity agency warned. "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable." It also urged private-sector defenders to prioritize patching for CVE-2026-35616 and to secure their organizations' networks as soon as possible, even though BOD 22-01 applies only to U.S. federal agencies. Previously, CISA tagged two other Apache ActiveMQ vulnerabilities as exploited in the wild, tracked as CVE-2023-46604 and CVE-2016-3088, with the former targeted by the TellYouThePass ransomware gang as a zero-day flaw. 99% of What Mythos Found Is Still Unpatched. AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what's exploitable, proves controls hold, and closes the remediation loop. Claim Your Spot Related Articles: Hackers exploiting critical F5 BIG-IP flaw in attacks, patch now13-year-old bug in ActiveMQ lets hackers remotely execute commandsCritical Fortinet Forticlient EMS flaw now exploited in attacksCISA: New Langflow flaw actively exploited to hijack AI workflowsCritical Microsoft SharePoint flaw now exploited in attacks
Indicators of Compromise
- cve — CVE-2026-34197
- cve — CVE-2023-46604
- cve — CVE-2016-3088
- malware — TellYouThePass