Critical Apache ActiveMQ Flaw Exploited: CISA Orders Immediate Patching
A high-severity vulnerability in **Apache ActiveMQ**, present for 13 years, is now actively exploited in the wild. The U.S. **Cybersecurity and Infrastructure Security Agency (CISA)** has added the flaw to its Known Exploited Vulnerabilities catalog, mandating urgent patching for federal agencies.

**Apache ActiveMQ**, a widely used open-source Java-based message broker, is under fire due to the exploitation of **CVE-2026-34197**. This critical vulnerability, which allows for remote code execution, was recently patched but is now being actively targeted in attacks.
### The Vulnerability
Discovered by **Horizon3** researcher **Naveen Sunkavally** using the Claude AI assistant, **CVE-2026-34197** stems from improper input validation. An authenticated attacker can exploit this flaw to execute arbitrary code via injection attacks. The vulnerability was patched in ActiveMQ Classic versions 5.19.4 and 6.2.3 on March 30.
Horizon3 has warned that ActiveMQ is a frequent target, and exploitation methods are well-documented. They strongly advise organizations to prioritize patching.
### Widespread Exposure
According to threat monitoring service Shadowserver, over 7,500 Apache ActiveMQ servers are currently exposed online.

*ActiveMQ servers exposed online (Shadowserver)*
### CISA's Directive
On Thursday, CISA added **CVE-2026-34197** to its Known Exploited Vulnerabilities (KEV) Catalog. Federal Civilian Executive Branch (FCEB) agencies are required to patch their ActiveMQ servers by April 30, following Binding Operational Directive (BOD) 22-01.
### Detection and Mitigation
Horizon3 recommends reviewing ActiveMQ broker logs for suspicious broker connections that use the `brokerConfig=xbean:http://` query parameter and the internal transport protocol `VM`.
CISA advises private-sector organizations to prioritize patching **CVE-2026-34197** as well.
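The log review Horizon3 recommends can be scripted. The sketch below is an added example, not code from Horizon3, CISA or the ActiveMQ project. It assumes one log entry per line, that the VM transport appears as a `vm://` URI, and that some logs record the URI percent-encoded. The sample lines are constructed.

```python
import re
from urllib.parse import unquote

# Indicator named in the article. Also matching "https" is an added broadening.
BROKER_CONFIG = re.compile(r"brokerConfig=xbean:https?://[^\s\"'&)]*", re.IGNORECASE)
# Assumption: the internal VM transport shows up in logs as a vm:// URI.
VM_URI = re.compile(r"\bvm://", re.IGNORECASE)

# Constructed sample lines (not real ActiveMQ output; hosts are documentation values).
SAMPLE_LOG = [
    "2026-04-10 09:12:01 INFO Connector openwire started",
    "2026-04-10 09:13:44 INFO Connecting to vm://localhost?brokerConfig=xbean:activemq.xml",
    "2026-04-10 09:14:37 WARN Connection attempt to "
    "vm://sample?brokerConfig=xbean:http://203.0.113.5/cfg.xml failed",
    "2026-04-10 09:15:02 WARN request uri=vm%3A%2F%2Fsample%3FbrokerConfig"
    "%3Dxbean%3Ahttp%3A%2F%2F203.0.113.5%2Fcfg.xml",
    "2026-04-10 09:16:20 WARN param brokerConfig=xbean:http://example.invalid/x.xml seen",
]


def scan(lines):
    """Return (line_no, severity, indicator) for each line carrying the indicator.

    severity is "high" when the remote xbean config and a vm:// URI appear on
    the same line, and "review" when only the brokerConfig indicator is present.
    """
    hits = []
    for no, raw in enumerate(lines, 1):
        line = unquote(raw)  # normalise percent-encoded URIs before matching
        match = BROKER_CONFIG.search(line)
        if not match:
            continue  # a local config such as xbean:activemq.xml is not flagged
        severity = "high" if VM_URI.search(line) else "review"
        hits.append((no, severity, match.group(0)))
    return hits


if __name__ == "__main__":
    for no, severity, indicator in scan(SAMPLE_LOG):
        print(f"line {no}: [{severity}] {indicator}")
```

To run it against a real broker log, pass the open file object to `scan()` in place of `SAMPLE_LOG`.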
### Past Vulnerabilities
CISA has previously flagged **CVE-2023-46604** and **CVE-2016-3088**, also in Apache ActiveMQ, as exploited in the wild. **CVE-2023-46604** was notably targeted by the **TellYouThePass** ransomware gang.