Apache ActiveMQ flaw exploited, 6,400 servers at risk

Summary
– Over 6,400 Apache ActiveMQ servers online are vulnerable to attacks exploiting a high-severity code injection flaw.
– The vulnerability, CVE-2026-34197, was discovered with an AI assistant after going undetected for 13 years and allows authenticated attackers to run arbitrary code.
– The U.S. cybersecurity agency CISA confirms active exploitation and has ordered federal agencies to secure their servers by April 30.
– Most vulnerable servers are located in Asia, North America, and Europe, according to threat monitoring data.
– Administrators are advised to check logs for specific suspicious connections and treat patching as a high priority due to ActiveMQ’s history as a target.
A significant number of internet-facing servers are currently at risk due to a recently patched flaw in a widely used messaging platform. Security researchers have identified that more than 6,400 Apache ActiveMQ servers remain vulnerable to a high-severity code injection vulnerability that is now being actively exploited. This open-source message broker is a core component for asynchronous communication in countless Java-based applications.
The flaw, cataloged as CVE-2026-34197, was uncovered by a Horizon3 researcher using an AI assistant, revealing a weakness that had persisted undetected for over a decade. According to the researcher, the issue originates from improper input validation. This allows authenticated attackers to run arbitrary code on any system that has not been updated. Patches were released by Apache maintainers on March 30 for ActiveMQ Classic versions 6.2.3 and 5.19.4.
Despite the availability of fixes, threat monitoring indicates a widespread exposure problem. A recent scan by the Shadowserver Foundation shows thousands of vulnerable IPs online, with the highest concentrations located in Asia, North America, and Europe. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added urgency to the situation, confirming active exploitation and mandating that federal agencies secure their systems by April 30. The agency emphasized that such vulnerabilities are a frequent and high-risk attack vector for malicious actors.
Administrators are urged to treat this with high priority. Horizon3 provided specific guidance for detecting potential breaches, suggesting that logs be examined for suspicious broker connections utilizing the internal VM transport protocol alongside a particular brokerConfig query parameter. The security firm noted that ActiveMQ has been a repeated target for real-world attacks, with well-documented methods for both exploitation and post-exploitation activities.
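The log check described above, as an added illustration (not Horizon3's or BleepingComputer's own tooling): it flags connection entries whose vm:// transport URI carries a brokerConfig query parameter. The log line format and the sample entries are constructed for the example and are not ActiveMQ's real output.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Any vm:// transport URI in a log line; the surrounding log format is assumed.
VM_URI_RE = re.compile(r"vm://[^\s\"'<>]+")


def suspicious_vm_uris(line):
    """Return the vm:// URIs in one log line that carry a brokerConfig parameter."""
    hits = []
    for uri in VM_URI_RE.findall(line):
        query = urlsplit(uri).query
        params = parse_qs(query, keep_blank_values=True)
        if "brokerConfig" in params:
            hits.append(uri)
    return hits


def scan_log(lines):
    """Return (line_number, uri) pairs for every flagged VM-transport connection."""
    findings = []
    for number, line in enumerate(lines, 1):
        for uri in suspicious_vm_uris(line):
            findings.append((number, uri))
    return findings


# Constructed sample log: only the third entry combines the VM transport
# with a brokerConfig parameter; the parameter value is a placeholder.
SAMPLE_LOG = [
    "2026-04-01 10:02:11 INFO  Connector vm://localhost started",
    "2026-04-01 10:02:13 INFO  Connection from tcp://10.0.0.5:61616 established",
    "2026-04-01 10:05:42 WARN  Connection vm://localhost?brokerConfig=CONSTRUCTED_VALUE opened",
    "2026-04-01 10:06:00 INFO  Connection vm://localhost?create=false opened",
]

if __name__ == "__main__":
    for number, uri in scan_log(SAMPLE_LOG):
        print(f"line {number}: suspicious VM transport connection: {uri}")
```

In practice the same check would be pointed at the broker's actual log files and at any proxy or access logs that record the connection URI.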
This incident is not an isolated one for the platform. CISA has previously flagged other Apache ActiveMQ vulnerabilities as being exploited in the wild, including CVE-2016-3088 and CVE-2023-46604. The latter was used as a zero-day by the TellYouThePass ransomware gang, underscoring the platform’s attractiveness to cybercriminals. The consistent pattern of attacks highlights the critical need for prompt patching and vigilant system monitoring.
(Source: BleepingComputer)