CISA tells feds to patch 13-year-old Apache ActiveMQ bug under active attack

Flash: urgent patching directive
CISA has added CVE-2026-34197 — a remote code execution flaw in Apache ActiveMQ — to its Known Exploited Vulnerabilities (KEV) catalog and ordered Federal Civilian Executive Branch agencies to remediate within two weeks under BOD 22-01. The agency's move forces a hard deadline: patch by April 30 or document why you can't. Short and sharp. Move now.
The bug, the chain, and an AI-assisted discovery
The flaw lives in ActiveMQ's Jolokia management API and lets an authenticated user trick the broker into fetching a remote configuration and running arbitrary OS commands. Patches are available in ActiveMQ 5.19.5 and 6.2.3. Horizon3 researcher Naveen Sunkavally reportedly used Anthropic's Claude AI assistant to help dig out the issue, and disclosed the bug just over a week ago, saying it had sat in the codebase for 13 years. The kicker: while the bug requires credentials, Horizon3 alleges many deployments still use default logins — yes, admin:admin — and some ActiveMQ versions (6.0.0–6.1.1) can expose Jolokia without authentication, turning this into an effective unauthenticated RCE.
Scale and exploitation
CISA's KEV listing signals active exploitation; the catalog is reserved for vulnerabilities already being used in the wild. ShadowServer is tracking more than 8,000 ActiveMQ instances reachable from the public internet, so the attack surface is large. This isn't ActiveMQ's first rodeo with attackers — from cryptominers to botnet command-and-control, the platform has shown up in past compromises. So what's new? Not the technique, perhaps, but the urgency. A stealthy, long-lived bug suddenly weaponized. That's the emotional sting.
What admins need to do
Patch to the fixed releases immediately or apply mitigations — restrict Jolokia, rotate credentials, and harden access controls. If you're running versions flagged as vulnerable, assume compromise until proven otherwise. Questions? Start with inventory: where are your brokers exposed, and who still types admin:admin? Time to close the front door.
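As an added example (not from the article or from Horizon3), here is a small inventory-triage helper that sorts broker version strings against the fixed releases the article names (5.19.5 and 6.2.3) and flags the 6.0.0–6.1.1 range it says can expose Jolokia without authentication. It assumes every 5.x release below 5.19.5 and every 6.x release below 6.2.3 is unpatched; confirm the exact affected ranges against the vendor advisory, and treat the hostnames and versions below as constructed sample data.

```python
"""Triage an ActiveMQ broker inventory for CVE-2026-34197 patch status."""
import re

# Fixed releases named in the article, keyed by major version branch.
FIXED = {5: (5, 19, 5), 6: (6, 2, 3)}
# Range the article says may expose Jolokia with no authentication at all.
UNAUTH_JOLOKIA_MIN, UNAUTH_JOLOKIA_MAX = (6, 0, 0), (6, 1, 1)

# Most urgent first; used to order the triage report.
URGENCY = [
    "vulnerable-jolokia-may-be-unauthenticated",  # patch first
    "vulnerable-auth-required",                   # patch, rotate admin:admin
    "unknown-branch",                             # not 5.x/6.x: review by hand
    "unparseable",                                # bad inventory data
    "patched",
]

_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")  # accepts suffixes like -SNAPSHOT


def parse_version(text: str) -> tuple:
    """Return (major, minor, patch) from a version string, or raise ValueError."""
    match = _VER_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised ActiveMQ version: {text!r}")
    return tuple(int(part) for part in match.groups())


def classify(version: str) -> str:
    """Map one version string onto a URGENCY bucket."""
    ver = parse_version(version)
    fixed = FIXED.get(ver[0])
    if fixed is None:
        return "unknown-branch"
    if ver >= fixed:
        return "patched"
    if UNAUTH_JOLOKIA_MIN <= ver <= UNAUTH_JOLOKIA_MAX:
        return "vulnerable-jolokia-may-be-unauthenticated"
    return "vulnerable-auth-required"


def triage(inventory: dict) -> dict:
    """Group broker names by bucket, preserving inventory order within each."""
    report = {bucket: [] for bucket in URGENCY}
    for host, version in inventory.items():
        try:
            report[classify(version)].append(host)
        except ValueError:
            report["unparseable"].append(host)
    return report


# Constructed sample inventory: hostnames and versions are made up for the example.
SAMPLE_INVENTORY = {
    "mq-prod-01": "5.18.3",
    "mq-prod-02": "6.1.1",
    "mq-lab-01": "6.2.3",
    "mq-legacy-01": "5.15.9",
    "mq-test-01": "6.1.4-SNAPSHOT",
    "mq-odd-01": "latest",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```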
Sources: The Register