Apache has patched a critical remote code execution vulnerability in its ActiveMQ Broker, tracked as CVE-2026-34197, which has been actively exploited in the wild. The flaw, with a CVSS score of 8.8, affects the Jolokia JMX-HTTP bridge, a component exposed at `/api/jolokia/` on the ActiveMQ web console. This vulnerability arises from improper input validation and code injection issues, categorized under CWE-20 and CWE-94.
The vulnerability was disclosed on April 7, 2026, and within just 5.7 days, attackers began exploiting it, underscoring the urgency for organizations to apply the patch. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, highlighting its significance and the need for immediate remediation.
The Jolokia JMX-HTTP bridge, by default, allows exec operations, which attackers can leverage to execute arbitrary code on vulnerable systems. This makes the flaw particularly dangerous, as it can lead to full system compromise if exploited. The availability of nine proof-of-concept (PoC) exploits further exacerbates the risk, providing attackers with ready-made tools to target unpatched systems.
Reports indicate that over 6,000 Apache ActiveMQ instances are currently exposed online, making them potential targets for exploitation. These instances are spread across various sectors, including finance, healthcare, and government, which rely on ActiveMQ for message brokering and integration services. The widespread exposure of these instances highlights a significant attack surface that could be exploited by malicious actors.
Organizations using Apache ActiveMQ are urged to apply the latest patches immediately to mitigate the risk of exploitation. The Apache Software Foundation has released updates to address the vulnerability, and administrators should ensure that their systems are updated to the latest version. Additionally, reviewing and tightening Jolokia access policies can help reduce the risk of unauthorized access and exploitation.
Security teams should also monitor for any signs of compromise, such as unusual network activity or unexpected system behavior, which could indicate an attempted or successful exploitation of the vulnerability. Implementing network segmentation and access controls can further protect critical systems from being compromised.
Given the high severity of this vulnerability and its active exploitation, organizations should prioritize patching and take proactive measures to secure their ActiveMQ deployments. The rapid exploitation timeline and the availability of PoC exploits underscore the need for vigilance and prompt action in the face of emerging threats.
CSURFACE