

Ethical Hacking News

Unearthing the Unseen: A Deep Dive into the Newly Disclosed Apache ActiveMQ Classic Vulnerability



A previously unknown remote code execution (RCE) vulnerability has been discovered in Apache ActiveMQ Classic, a widely deployed open-source message broker, which attackers can exploit to execute arbitrary commands. The vulnerability, tracked as CVE-2026-34197, was uncovered using the Claude AI assistant and affects versions of Apache ActiveMQ/Broker before 5.19.4, and all versions from 6.0.0 up to 6.2.3. Researchers recommend that organizations running ActiveMQ treat this as a high priority because ActiveMQ has been repeatedly targeted by real-world attackers.


  • A vulnerability was discovered in Apache ActiveMQ Classic, tracked as CVE-2026-34197.
  • The vulnerability allows for remote code execution (RCE) due to exposure of a broker function in the Jolokia management API.
  • The vulnerability affects versions before 5.19.4, and all versions from 6.0.0 up to 6.2.3.
  • Another vulnerability, CVE-2024-32114, exposes the API without access control, allowing attackers to execute commands remotely.
  • The researchers recommend treating this as a high priority due to repeated targeting by real-world attackers.
  • Organizations running ActiveMQ should ensure they are up-to-date with the latest security patches and monitor for suspicious connections.
  • Automated pentesting only covers one of six validation surfaces, and organizations should consider using both automated and Baseline Attack Simulation (BAS) testing tools.



    Apache ActiveMQ is a widely used open-source message broker that handles asynchronous communication via message queues or topics. It has gained significant traction in enterprise systems, web backends, government, and company systems built on Java. However, like any complex software system, it is not immune to vulnerabilities.

    In recent times, security researchers have been working tirelessly to identify and report newly discovered vulnerabilities in various software platforms. One such discovery was made by Horizon3 researcher Naveen Sunkavally, who utilized the Claude AI assistant to uncover a previously unknown remote code execution (RCE) vulnerability in Apache ActiveMQ Classic.

    The vulnerability, tracked as CVE-2026-34197, has been found to be present in versions of Apache ActiveMQ/Broker before 5.19.4, and all versions from 6.0.0 up to 6.2.3. This means that any organization relying on these versions for its communication needs is at risk.

    The vulnerability arises from the exposure of a broker function (addNetworkConnector) in ActiveMQ’s Jolokia management API. According to Sunkavally, the features involved were designed independently by different developers and, as a result, lacked the typical safety checks that might be found in other software components. The researcher notes that "each feature in isolation does what it's supposed to, but they were dangerous together."

    To exploit this vulnerability, an attacker would need to send a specially crafted request to the Jolokia API of the Apache ActiveMQ broker. By doing so, the attacker could force the broker to fetch a remote Spring XML file and execute arbitrary system commands during its initialization.

    However, this is not the only way attackers can reach the vulnerable function. According to Horizon3, another vulnerability present in versions 6.0.0 through 6.1.1 of Apache ActiveMQ Classic (CVE-2024-32114) exposes the API without access control. This means that on those versions an attacker does not need credentials for the Jolokia API to reach the vulnerable function and execute commands remotely.

    The researchers from Horizon3 have stated that "we recommend organizations running ActiveMQ treat this as a high priority, as ActiveMQ has been a repeated target for real-world attackers." In fact, there are at least three documented cases of this software being exploited in the wild. These documented instances demonstrate how attackers can exploit the weaknesses present within the platform and utilize them to compromise the security of an organization.

    One such case is CVE-2016-3088, which affected the web console of ActiveMQ and provided a vector for attackers to gain authenticated remote code execution. This was subsequently added to CISA’s Known Exploited Vulnerabilities (KEV) list.

    Another documented instance is CVE-2023-46604, an unauthenticated RCE affecting the broker port. Like the first case mentioned above, it also found its way onto CISA's KEV list.

    Given the historical presence of these vulnerabilities in various versions of Apache ActiveMQ Classic, and their repeated targeting by real-world attackers, it is clear that this platform has been a focal point for malicious actors seeking to exploit software security weaknesses.

    The discovery of CVE-2026-34197 highlights the importance of ongoing vulnerability testing and patching. It is imperative that organizations running ActiveMQ treat this as a high priority and ensure they are up-to-date with the latest security patches. It also emphasizes the need to have robust security controls in place to prevent exploitation of vulnerabilities such as those discovered by Horizon3.

    In particular, the researchers recommend that any organization running ActiveMQ should look out for suspicious broker connections that use the internal transport protocol VM and the brokerConfig=xbean:http query parameter. If a warning message appears about a configuration problem during multiple connection attempts, it is likely that the payload has already been executed.
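
    The log check described above, as an added example that is not code from Horizon3 or the ActiveMQ project: it flags vm:// URIs whose brokerConfig value starts with xbean:http, including percent-encoded forms. The log lines, host names and function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Any vm:// URI embedded in a log line, ending at whitespace, quotes or brackets.
VM_URI = re.compile(r"vm://[^\s\"'<>()\[\]]+", re.IGNORECASE)

# Constructed sample lines (not real broker output); hosts are placeholders.
SAMPLE_LOG = [
    "2026-04-08 10:00:01 | INFO | Connector vm://localhost started",
    "2026-04-08 10:02:17 | INFO | Network connection to "
    "vm://rogue?brokerConfig=xbean:http://example.invalid/a.xml",
    "2026-04-08 10:02:18 | INFO | Using vm://localhost?brokerConfig=xbean:activemq.xml",
    "2026-04-08 10:05:40 | WARN | uri=vm%3A%2F%2Frogue%3FbrokerConfig"
    "%3Dxbean%3Ahttp%3A%2F%2Fexample.invalid%2Fb.xml",
]


def suspicious_vm_uris(line):
    """Return vm:// URIs in `line` whose brokerConfig value starts with xbean:http."""
    hits = []
    # Logs may percent-encode the URI, sometimes twice; decode before matching.
    decoded = unquote(unquote(line))
    for match in VM_URI.finditer(decoded):
        uri = match.group(0)
        try:
            params = parse_qs(urlsplit(uri).query, keep_blank_values=True)
        except ValueError:  # malformed URI: skip rather than crash the scan
            continue
        for key, values in params.items():
            # Compare case-insensitively so spelling variations are still caught.
            if key.lower() == "brokerconfig" and any(
                v.lower().startswith("xbean:http") for v in values
            ):
                hits.append(uri)
    return hits


def scan(lines):
    """Return (1-based line number, URI) for every suspicious URI in `lines`."""
    return [(n, uri) for n, line in enumerate(lines, 1)
            for uri in suspicious_vm_uris(line)]


if __name__ == "__main__":
    for lineno, uri in scan(SAMPLE_LOG):
        print(f"line {lineno}: suspicious VM transport URI: {uri}")
```

    A brokerConfig that names a local file, as in the third sample line, is not flagged; only values that fetch configuration over HTTP or HTTPS are.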

    Furthermore, according to recent studies, automated pentesting only covers one of six validation surfaces. It proves that the path exists but does not show whether controls stop it. Most teams run one without the other. Horizon3 researchers suggest that practitioners should consider using both automated and Baseline Attack Simulation (BAS) testing tools in their security audits.

    A whitepaper recently published by an independent research firm offers valuable insights into validation surfaces, where coverage ends, and provides practical solutions for any tool evaluation. By utilizing this kind of comprehensive analysis, organizations can ensure they are providing robust protection against potential security threats.





  • Published: Wed Apr 8 12:57:08 2026 by llama3.2 3B Q4_K_M












