Critical Apache ActiveMQ Flaw CVE-2026-34197 Under Active Exploitation: Patch Immediately
A high-severity vulnerability in **Apache ActiveMQ Classic**, **CVE-2026-34197**, is being actively exploited in the wild. The **U.S. Cybersecurity and Infrastructure Security Agency (CISA)** has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, urging immediate patching.

### Active Exploitation of CVE-2026-34197
A recently disclosed high-severity security flaw in **Apache ActiveMQ Classic** is under active exploitation, prompting a warning from **CISA**.
The agency has added the vulnerability, tracked as **CVE-2026-34197** (CVSS score: 8.8), to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply fixes by April 30, 2026. This highlights the critical nature of the flaw.
### Technical Details of the Vulnerability
**CVE-2026-34197** involves improper input validation leading to code injection. According to **Horizon3.ai**'s Naveen Sunkavally, this vulnerability has been present for 13 years. An attacker can leverage **ActiveMQ**'s Jolokia API to trick the broker into fetching a remote configuration file and executing arbitrary OS commands.
Sunkavally noted, "An attacker can invoke a management operation through ActiveMQ's Jolokia API to trick the broker into fetching a remote configuration file and running arbitrary OS commands."
The vulnerability requires credentials, but default credentials (admin:admin) are often used. Notably, versions 6.0.0–6.1.1 do not require authentication due to **CVE-2024-32114**, effectively making **CVE-2026-34197** an unauthenticated RCE.
### Affected Versions and Mitigation
The vulnerability impacts the following versions:
* Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) before 5.19.4
* Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 6.0.0 before 6.2.3
* Apache ActiveMQ (org.apache.activemq:activemq-all) before 5.19.4
* Apache ActiveMQ (org.apache.activemq:activemq-all) 6.0.0 before 6.2.3

Users are strongly advised to upgrade to versions 5.19.4 or 6.2.3 to address the issue.
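
To turn the version ranges above into a patch queue, the following added example (not code from the article, Apache, or any vendor named here) classifies ActiveMQ jars found on disk and sorts the 6.0.0–6.1.1 unauthenticated range to the top. It assumes the standard Maven `artifact-version.jar` file naming; the sample paths and the `review` status for qualified builds of a fixed release are constructed for illustration.

```python
import re

FIXED_5X, FIXED_6X = (5, 19, 4), (6, 2, 3)   # fixed releases named above
NOAUTH = ((6, 0, 0), (6, 1, 1))              # CVE-2024-32114 range named above
JAR_RE = re.compile(
    r"(?:^|[/\\])(activemq-(?:broker|all))-(\d+)\.(\d+)\.(\d+)([-.][\w.]+)?\.jar$")
SEVERITY = ["vulnerable-unauthenticated", "vulnerable", "review", "patched"]

def parse_jar(path):
    """Return (artifact, (major, minor, patch), qualifier), or None if no match."""
    m = JAR_RE.search(path)
    if not m:
        return None
    return m.group(1), tuple(int(x) for x in m.group(2, 3, 4)), m.group(5)

def classify(version, qualifier=None):
    """Map a version tuple onto the affected ranges listed in the article."""
    fixed = FIXED_6X if version >= (6, 0, 0) else FIXED_5X
    if version > fixed:
        return "patched"
    if version == fixed:
        # Assumption: a qualified build (-SNAPSHOT, -RC1) of the fixed release
        # may predate the fix, so it is flagged for manual review.
        return "review" if qualifier else "patched"
    if NOAUTH[0] <= version <= NOAUTH[1]:
        return "vulnerable-unauthenticated"
    return "vulnerable"

def triage(paths):
    """Return (status, artifact, version, path) rows, most urgent first."""
    rows = []
    for p in paths:
        parsed = parse_jar(p)
        if parsed:  # only the two affected artifacts are considered
            artifact, ver, qual = parsed
            rows.append((classify(ver, qual), artifact,
                         ".".join(map(str, ver)) + (qual or ""), p))
    return sorted(rows, key=lambda r: SEVERITY.index(r[0]))

# Constructed sample listing, e.g. the output of a file search for activemq jars.
SAMPLE = [
    "/opt/activemq/lib/activemq-broker-5.18.3.jar",
    "/srv/app/WEB-INF/lib/activemq-all-6.1.0.jar",
    "/opt/mq/lib/activemq-broker-6.2.3.jar",
    "/opt/mq-test/lib/activemq-broker-6.2.3-SNAPSHOT.jar",
    "/opt/activemq/lib/activemq-client-5.18.3.jar",   # not a listed artifact
    "C:\\amq\\lib\\activemq-all-5.19.4.jar",
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print("%-27s %-16s %-16s %s" % row)
```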
### Exploitation in the Wild
While specific details on the exploitation of **CVE-2026-34197** are limited, **SAFE Security** reported active targeting of exposed Jolokia management endpoints in **Apache ActiveMQ Classic** deployments. **Fortinet** FortiGuard Labs has also uncovered numerous exploitation attempts, peaking on April 14, 2026.
These findings highlight the collapsing timelines between vulnerability disclosure and active exploitation.
### ActiveMQ: A Frequent Target
**Apache ActiveMQ** has been a frequent target for attackers. Flaws in the open-source message broker have been repeatedly exploited in malware campaigns since 2021. In August 2025, **CVE-2023-46604** was weaponized to deploy the DripDropper Linux malware.
### Recommendations
**SAFE Security** advises auditing deployments for externally accessible Jolokia endpoints, restricting access, enforcing strong authentication, and disabling Jolokia where not required. Given ActiveMQ's role in enterprise messaging, exposed management interfaces pose a significant risk of data exfiltration, service disruption, and lateral movement.