High (8.8) Actively Exploited

ActiveMQ RCE exploited in the wild (CVE-2026-34197) [PoC]

CVE-2026-34197

Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bri...

Affected: Apache ActiveMQ, Apache ActiveMQ Broker

Overview

A high-severity vulnerability (rated High, CVSS 8.8) in Apache ActiveMQ Classic allows an authenticated attacker to execute arbitrary code on the broker host. The flaw, tracked as CVE-2026-34197, is being exploited in the wild, so patching should be treated as urgent.

Vulnerability Details

The vulnerability stems from two issues in the ActiveMQ web console. First, the integrated Jolokia JMX-HTTP bridge, reachable at the /api/jolokia/ endpoint, ships with a default access policy that permits "exec" operations (MBean method invocations) on critical broker management beans. Second, a broker function reachable through those beans does not properly validate its input, which opens a code-injection path.

An authenticated attacker chains the two by sending a crafted request to the Jolokia endpoint that makes the broker load a Spring XML configuration file from a remote, attacker-controlled server. A Spring configuration can instantiate arbitrary classes, so that file can instruct the broker to run operating system commands on the underlying host with the privileges of the ActiveMQ Java process. Note that the authentication required is the web console login: a broker still using the console credentials shipped in the default configuration is effectively exposed to anyone who can reach the endpoint.

Affected Versions

This issue affects the following Apache ActiveMQ Classic versions:

  • Versions before 5.19.4
  • Versions from 6.0.0 before 6.2.3

Impact

Successful exploitation results in full Remote Code Execution (RCE) on the ActiveMQ broker host. This gives an attacker the ability to install malware, exfiltrate data, pivot to other systems on the network, or cripple the messaging service. Given that this vulnerability is listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, organizations must assume attackers are already using it to compromise systems.

Remediation and Mitigation

The primary and definitive solution is to upgrade your ActiveMQ installation immediately.

  • Upgrade to Apache ActiveMQ Classic 5.19.4 or later on the 5.x line, or 6.2.3 or later on the 6.x line.

If immediate upgrade is not possible, apply the following mitigations:

  1. Restrict Network Access: Ensure the ActiveMQ web console (including the /api/jolokia/ endpoint) is not reachable from untrusted networks, and never from the internet. Use firewall rules or network segmentation; the console is served by the broker's embedded Jetty on its own port, so it can be filtered without affecting messaging clients.
  2. Harden Jolokia Access: Edit the Jolokia access policy (jolokia-access.xml) to deny "exec" operations, or to restrict the bridge to trusted source addresses only. Jolokia's <commands> element is a global allow-list when present, so listing only read, list, search and version removes exec and write for every MBean, and the <remote> element limits which client addresses are accepted. Refer to the official Apache advisory for the exact policy it recommends, and stage the change first: any dashboards or automation that drive the broker through the bridge lose those operations as well.
  3. Monitor for Compromise: Review web console and broker logs for "exec" requests to /api/jolokia/ whose arguments reference remote URLs, and watch broker hosts for unexpected child processes of the Java process and for outbound connections to unfamiliar hosts, which is how a remotely fetched Spring configuration would first show up. Treat any such finding as a likely compromise, since this vulnerability is being actively exploited.
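As an added example (not code from the advisory, the PoC repositories or the ActiveMQ project), the following Python script covers steps 2 and 3 together: it audits a jolokia-access.xml policy for whether "exec" is still permitted, contrasting a constructed permissive policy with a constructed read-only, loopback-only one, and it flags Jolokia exec requests whose arguments carry a URL, the request shape the advisory describes. The policy logic relies on Jolokia's documented rule that a <commands> element, when present, is a global allow-list. The sample requests, the operation name placeholderOp and the 203.0.113.10 address are constructed; nothing here reproduces the actual exploit.

```python
"""Added example, not code from the advisory, the PoC repos or ActiveMQ.
Part 1 audits a Jolokia access policy (conf/jolokia-access.xml) for whether
it still permits "exec"; part 2 flags Jolokia exec requests whose arguments
carry a URL, the shape of the remote-Spring-XML abuse described above.
Policy semantics rely on Jolokia's documented rule that a <commands> element,
when present, is a global allow-list. All sample data is constructed."""
import json
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed permissive policy: no <commands> element, so every command
# (read, write, exec, ...) is allowed. Mirrors the permissive shape the
# advisory describes, not the exact file ActiveMQ ships.
WEAK_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<restrict>
  <cors><strict-checking/></cors>
</restrict>
"""

# Constructed hardened policy: read-only command allow-list (no exec, no
# write) and Jolokia clients limited to the loopback address.
HARDENED_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<restrict>
  <remote><host>127.0.0.1</host></remote>
  <commands>
    <command>read</command>
    <command>list</command>
    <command>search</command>
    <command>version</command>
  </commands>
</restrict>
"""


def policy_permits_exec(policy_xml: str) -> bool:
    """True if the policy still lets clients invoke MBean operations (exec)."""
    commands = ET.fromstring(policy_xml).find("commands")
    if commands is None:  # no allow-list at all: every command is permitted
        return True
    return any((c.text or "").strip() == "exec" for c in commands.findall("command"))


def policy_remote_hosts(policy_xml: str) -> List[str]:
    """Hosts listed under <remote>; an empty list means no source-IP filter."""
    return [(h.text or "").strip() for h in ET.fromstring(policy_xml).iter("host")]


JOLOKIA_PATH = re.compile(r"/api/jolokia/?")
REMOTE_URL = re.compile(r"\b(?:https?|ftp):", re.IGNORECASE)  # external resource
BROKER_DOMAIN = "org.apache.activemq:"  # JMX domain of the broker MBeans


def classify_jolokia_request(method: str, path: str, body: str = "") -> Optional[str]:
    """Return "high" for an exec whose arguments contain a URL, "medium" for
    any other exec on an org.apache.activemq MBean, None otherwise.
    GET form  /api/jolokia/exec/<mbean>/<operation>/<arg>/...
    POST form JSON {"type":"exec","mbean":..,"operation":..,"arguments":[..]}"""
    if not JOLOKIA_PATH.search(path):
        return None
    if method.upper() == "GET":
        tail = JOLOKIA_PATH.split(path, maxsplit=1)[1]
        parts = [unquote(p) for p in tail.split("/") if p]
        if len(parts) < 2 or parts[0] != "exec":
            return None
        mbean, args_text = parts[1], "/".join(parts[3:])
    else:
        try:
            reqs = json.loads(body) if body else []
        except json.JSONDecodeError:
            return None
        reqs = reqs if isinstance(reqs, list) else [reqs]
        execs = [r for r in reqs if isinstance(r, dict) and r.get("type") == "exec"]
        if not execs:
            return None
        mbean = " ".join(str(r.get("mbean", "")) for r in execs)
        args_text = json.dumps([r.get("arguments", []) for r in execs])
    if REMOTE_URL.search(args_text):
        return "high"
    return "medium" if BROKER_DOMAIN in mbean else None


# Constructed (method, path, body) records, not captured traffic. "placeholderOp"
# stands in for whatever operation a real request names; 203.0.113.10 is a
# documentation address.
SAMPLE_REQUESTS: List[Tuple[str, str, str]] = [
    ("GET", "/api/jolokia/read/org.apache.activemq:type=Broker,brokerName=localhost"
            "/TotalEnqueueCount", ""),
    ("GET", "/api/jolokia/exec/org.apache.activemq:type=Broker,brokerName=localhost"
            "/placeholderOp/http:%2F%2F203.0.113.10%2Fbeans.xml", ""),
    ("POST", "/api/jolokia/",
     '{"type":"exec","mbean":"org.apache.activemq:type=Broker,brokerName=localhost",'
     '"operation":"placeholderOp","arguments":["queue.orders"]}'),
    ("POST", "/api/jolokia/", '{"type":"version"}'),
]


def scan_requests(records: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return (severity, method, path) for each request that classifies."""
    hits = []
    for method, path, body in records:
        severity = classify_jolokia_request(method, path, body)
        if severity:
            hits.append((severity, method, path))
    return hits


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, "exec permitted:", policy_permits_exec(policy),
              "remote:", policy_remote_hosts(policy) or "any")
    for hit in scan_requests(SAMPLE_REQUESTS):
        print(*hit)
```

Two caveats when using this. The "medium" bucket will also catch legitimate administrative exec calls (queue purges and the like), so it is a review queue rather than an alert; the "high" bucket, an operation invocation that hands the broker a remote URL, has no routine use and warrants immediate investigation. And because plain access logs do not record POST bodies, the POST half only works if the console sits behind a proxy or WAF that logs request bodies; if it does not, the GET form and the host-level indicators in step 3 are what remains. If a reverse proxy fronts the console, also confirm which client address Jolokia actually sees before relying on <remote>.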

Security Insight

This vulnerability highlights the persistent risk of exposed management interfaces. A permissive default Jolokia policy, combined with a code-injection path in a core broker function, turned an administrative convenience into a remote code execution vector. For middleware such as message brokers, hardening the default configuration of auxiliary services (consoles, JMX bridges, metrics endpoints) is as important as securing the primary messaging logic.


Public PoC References

Unverified third-party code

These repositories are publicly listed on GitHub and have not been audited by Yazoul Security. They may contain malware, backdoors, destructive payloads, or operational security risks (telemetry, exfiltration). Treat them as hostile binaries. Inspect source before execution. Run only in isolated, disposable lab environments (offline VM, no credentials, no production data).

Authorized use only. This information is provided for defensive research, detection engineering, and patch validation. Using exploit code against systems you do not own or do not have explicit written permission to test is illegal in most jurisdictions and violates Yazoul's terms of use.

Repository (GitHub stars)

  • dinosn/CVE-2026-34197 (★ 6): CVE-2026-34197 activemq PoC
  • DEVSECURITYSPRO/CVE-2026-34197 (★ 3): CVE-2026-34197 - Apache ActiveMQ RCE via Jolokia Endpoint PoC
  • KONDORDEVSECURITYCORP/CVE-2026-34197 (★ 2): CVE-2026-34197 — Apache ActiveMQ RCE via Jolokia API | PoC Exploit
  • 0xBlackash/CVE-2026-34197 (★ 1): CVE-2026-34197
  • AtoposX-J/CVE-2026-34197-Apache-ActiveMQ-RCE (★ 1): CVE-2026-34197

Showing 5 of 6 known references. Source: nomi-sec/PoC-in-GitHub.

Nuclei Detection Templates

Detection template available: your exposure is being scanned

The template below is a YAML signature for the Nuclei scanner from ProjectDiscovery. It is not exploit code; it is a detection rule that reports whether a target is vulnerable. Once a public Nuclei template exists, bug bounty hunters, AppSec teams, red teams and automated reconnaissance pipelines can all probe for this CVE with a single command.

Assume exposed instances have already been fingerprinted. Patch even if no exploitation has been observed: a scan result that confirms a vulnerable version is the step that precedes an exploitation attempt.

Template: CVE-2026-34197.yaml

1 Nuclei template indexed for this CVE. Source: projectdiscovery/nuclei-templates.
