Remote Code Execution in Apache ActiveMQ Classic (CVE‑2026‑34197) Threatens Legacy Messaging Brokers
What It Is — A newly disclosed remote code execution (RCE) flaw in Apache ActiveMQ Classic allows an attacker to inject arbitrary Java code via malformed Jolokia/JMX requests. The bug stems from improper input validation across multiple loosely‑coupled components.
Exploitability — Public proof‑of‑concept released; patched in March 2026; no evidence of active exploitation yet, but default credentials and an unauthenticated variant (CVE‑2024‑32114) lower the barrier.
Affected Products — Apache ActiveMQ Classic versions 5.0.0‑6.1.1 (including 6.0.0‑6.1.1) and any deployment exposing the Jolokia API without authentication.
TPRM Impact — Message brokers are often embedded in supply‑chain integrations, CI/CD pipelines, and IoT telemetry. Compromise can lead to lateral movement, ransomware drop‑offs, or data exfiltration across partner networks.
Recommended Actions
- Upgrade to ActiveMQ 6.2.3 or 5.19.4 immediately.
- Disable or restrict the Jolokia API; enforce strong authentication and rotate default credentials.
- Review broker logs for suspicious addNetworkConnector calls, vm:// URIs, outbound HTTP traffic, or unexpected child processes.
- Conduct a rapid asset inventory to confirm no legacy Classic instances remain in production.
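An added example, not from the original advisory or the ActiveMQ project: a small Python scanner for the log-review action above. It flags the addNetworkConnector and vm:// indicators even when they are URL-encoded or JSON-escaped. The log line format, the SAMPLE data and the severity labels are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Indicators named in the advisory's log-review action.
INDICATORS = {
    "addNetworkConnector": re.compile(r"addNetworkConnector", re.I),
    "vm_uri": re.compile(r"\bvm://", re.I),
}

def normalize(line: str) -> str:
    """Undo common encodings so indicators are not hidden from the regexes."""
    prev = None
    # Repeat URL-decoding to catch double-encoded values (bounded to 3 passes).
    for _ in range(3):
        if line == prev:
            break
        prev, line = line, unquote(line)
    # JSON bodies may escape '/' as '\/'.
    return line.replace("\\/", "/")

def scan(lines):
    """Return [(line_number, sorted indicator names, severity)] for matching lines."""
    hits = []
    for n, raw in enumerate(lines, 1):
        text = normalize(raw)
        found = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
        if found:
            # Both indicators on one line is the strongest signal (assumed triage rule).
            severity = "high" if len(found) == len(INDICATORS) else "review"
            hits.append((n, found, severity))
    return hits

# Constructed sample lines (hypothetical format, not real broker output).
SAMPLE = [
    '2026-04-02 10:00:01 INFO  web GET /admin/queues.jsp 200',
    '2026-04-02 10:00:07 INFO  web POST /api/jolokia body={"operation":"addNetworkConnector","arguments":["vm:\\/\\/EXAMPLE"]}',
    '2026-04-02 10:00:09 INFO  web GET /api/jolokia op=addNetworkConnector uri=static%3A%28tcp%3A%2F%2Fpeer.example%29 200',
    '2026-04-02 10:00:12 WARN  broker Establishing network connection to vm%253A%252F%252FEXAMPLE',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Lines tagged "review" still need a human look: a network connector added outside a change window is worth confirming even without a vm:// URI.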
Source: Help Net Security