

Ethical Hacking News

CISA Issues Urgent Alert: 13-Year-Old Apache ActiveMQ Bug Under Attack



CISA has issued an urgent alert about a 13-year-old Apache ActiveMQ bug that allows attackers to execute arbitrary code via the broker's Jolokia management API. With more than 8,000 ActiveMQ instances exposed to the public internet, organizations must patch immediately or risk exposure.

  • A critical vulnerability has been discovered in Apache ActiveMQ that has been quietly lurking for over 13 years.
  • The bug, CVE-2026-34197, allows an authenticated user to execute arbitrary code via the broker's Jolokia management API.
  • Patches are available in ActiveMQ versions 5.19.5 and 6.2.3.
  • Default credentials are common in many environments, making this vulnerability particularly concerning.
  • Over 8,000 ActiveMQ instances are reachable from the public internet, making it an attractive target for attackers.
  • The bug's presence highlights the need for constant vigilance and rapid patching to prevent potential exploitation.



    The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert to federal agencies, warning them of a critical vulnerability in Apache ActiveMQ that has been quietly lurking for over 13 years. The bug, tracked as CVE-2026-34197, allows an authenticated user to execute arbitrary code via the broker's Jolokia management API, effectively turning a messaging workhorse into a remote command runner.

    This alarming discovery was made just over a week ago by Horizon3 researcher Naveen Sunkavally, who used Anthropic's Claude AI assistant to help dig out the issue. According to Sunkavally, the bug has been sitting in the codebase for 13 years, unnoticed until now. Patches are available in ActiveMQ versions 5.19.5 and 6.2.3.

    The vulnerability is particularly concerning because, although it requires authentication, default credentials are common in many environments. In fact, on certain versions (6.0.0 through 6.1.1), an older flaw, CVE-2024-32114, can expose the Jolokia API without authentication entirely, turning this into a no-credentials-needed remote code execution chain.
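
As an added example (not from the article or the ActiveMQ project), this Python script triages a broker inventory against the version numbers quoted above. It assumes that 5.x releases below 5.19.5 and 6.x releases below 6.2.3 lack the fix; the hostnames, versions and status labels are constructed for illustration.

```python
import re

# Fixed releases named in the article, keyed by major version line.
FIXED = {5: (5, 19, 5), 6: (6, 2, 3)}
# Range the article gives for CVE-2024-32114 (Jolokia reachable without auth).
UNAUTH_RANGE = ((6, 0, 0), (6, 1, 1))
# Constructed labels, most urgent first.
ORDER = ["update-urgent-unauth-chain", "update-required", "unknown", "patched"]


def parse_version(text):
    """Return ((major, minor, patch), has_suffix) or None if not a version."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([-.].+)?", text.strip())
    if not m:
        return None
    return tuple(int(g) for g in m.groups()[:3]), m.group(4) is not None


def triage(version_text):
    """Classify one broker version against the two CVEs in the article."""
    parsed = parse_version(version_text)
    if parsed is None:
        return "unknown"                      # unparseable: check by hand
    version, has_suffix = parsed
    fixed = FIXED.get(version[0])
    if fixed is None:
        return "unknown"                      # major line the article does not cover
    if version == fixed and has_suffix:
        return "unknown"                      # e.g. 6.2.3-SNAPSHOT may predate the fix
    if version >= fixed:
        return "patched"
    if UNAUTH_RANGE[0] <= version <= UNAUTH_RANGE[1]:
        return "update-urgent-unauth-chain"   # both CVEs apply, no credentials needed
    return "update-required"                  # assumption: below fixed release = unfixed


def triage_inventory(inventory):
    """Return (host, version, status) rows sorted with the most urgent first."""
    rows = [(host, ver, triage(ver)) for host, ver in inventory]
    return sorted(rows, key=lambda r: (ORDER.index(r[2]), r[0]))


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE = [("mq-01.example.internal", "5.19.5"), ("mq-02.example.internal", "5.18.3"),
          ("mq-03.example.internal", "6.1.0"), ("mq-04.example.internal", "6.2.3-SNAPSHOT"),
          ("mq-05.example.internal", "6.2.0")]

if __name__ == "__main__":
    for host, ver, status in triage_inventory(SAMPLE):
        print(f"{status:28} {host:24} {ver}")
```

A "patched" result only covers the version check; whether the Jolokia endpoint is reachable and whether default credentials are still in place needs to be verified separately.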

    The impact of this vulnerability cannot be overstated. Threat monitoring outfit ShadowServer is tracking more than 8,000 ActiveMQ instances reachable from the public internet, making it an attractive target for attackers. The fact that this bug has been sitting in plain sight for so long and only recently gained attention highlights the need for constant vigilance and rapid patching.

    CISA added the bug to its Known Exploited Vulnerabilities (KEV) catalog just a week ago, triggering a Binding Operational Directive (BOD) 22-01 deadline that gives Federal Civilian Executive Branch agencies until April 30 to fix their systems or get ready to explain why not. This directive is designed to ensure that federal agencies take prompt action to address the vulnerability and prevent potential exploitation.

    The bug's presence in Apache ActiveMQ, an open source message broker used to shuttle data between applications and services, has significant implications for organizations that rely on this software. The fact that attackers can invoke a management operation through ActiveMQ's Jolokia API to trick the broker into fetching a remote configuration file and running arbitrary OS commands highlights the severity of the issue.

    In recent years, Apache ActiveMQ has faced several security issues, including being compromised by cryptominers and botnet infrastructure. However, this latest vulnerability stands out due to its potential for widespread exploitation and the fact that it has been hiding in plain sight for so long.

    The onus is squarely on admins to move quickly to patch their systems or risk facing potential exposure. The fact that none of this is especially novel highlights the need for constant monitoring and patching, as well as education and awareness among developers and administrators.

    As CISA's alert emphasizes, this bug is not a new development, but it has now gained attention due to its potential for exploitation. Organizations must take swift action to address this vulnerability and ensure that their systems are secure against potential attacks.

    In conclusion, the recent discovery of the 13-year-old Apache ActiveMQ bug serves as a stark reminder of the importance of constant vigilance and rapid patching in the face of emerging security threats. CISA's alert highlights the need for federal agencies to take immediate action to address this vulnerability and prevent potential exploitation.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/CISA-Issues-Urgent-Alert-13-Year-Old-Apache-ActiveMQ-Bug-Under-Attack-ehn.shtml

  • Published: Fri Apr 17 13:33:27 2026 by llama3.2 3B Q4_K_M












