The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed active exploitation of a high-severity remote code execution (RCE) vulnerability in Apache ActiveMQ Classic, tracked as CVE-2026-34197. The flaw has been added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog, signalling verified malicious activity in the wild and elevating remediation priority for all organizations using affected versions of ActiveMQ.
The flaw enables attackers to execute arbitrary operating system commands on vulnerable ActiveMQ brokers by abusing the Jolokia JMX-HTTP management API. In certain versions, the vulnerability can be exploited without authentication, significantly increasing the risk to internet-exposed and poorly secured environments. Organizations running affected versions are strongly advised to patch immediately and investigate for signs of compromise.
CVE-2026-34197 is caused by improper input validation and unsafe code execution paths in Apache ActiveMQ Classic. Specifically, the issue resides in the way the broker’s Jolokia management interface exposes sensitive JMX operations, such as BrokerService.addNetworkConnector().
An attacker can exploit this behaviour to coerce the broker into loading a remote, attacker-controlled Spring XML configuration file, which is executed during initialization. Because Spring instantiates all beans before validation occurs, this sequence results in arbitrary code execution within the ActiveMQ JVM process.
Although the exploit path typically requires authentication, the use of default credentials (admin:admin) is common in real-world deployments. Furthermore, ActiveMQ versions 6.0.0 through 6.1.1 are affected by a separate vulnerability (CVE-2024-32114) that exposes the Jolokia endpoint without authentication, effectively making CVE-2026-34197 an unauthenticated RCE in those versions.
The vulnerability impacts the following Apache ActiveMQ Classic components and versions:
Apache ActiveMQ Artemis is not affected.
CISA has confirmed active exploitation in the wild, prompting the addition of CVE-2026-34197 to the KEV Catalog. While technical details of live attacks remain limited, multiple security monitoring providers report increasing reconnaissance and exploitation attempts against publicly exposed Jolokia endpoints associated with ActiveMQ Classic brokers.
This exploitation follows a recurring pattern: Apache ActiveMQ has been repeatedly targeted by threat actors in recent years, including exploitation of CVE-2023-46604, which was weaponized in 2025 to deploy Linux malware. The addition of this vulnerability to the KEV list signals a credible and ongoing threat to enterprise and government environments.
Successful exploitation allows attackers to:
Given ActiveMQ’s role as middleware in critical business processes, compromise can lead to significant operational disruption, data exposure, and downstream system compromise. The risk is especially acute where brokers are internet-facing or use default credentials.
Organizations should review ActiveMQ broker and application logs for the following suspicious activity:
These indicators may suggest attempted or successful exploitation.
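One way to hunt for the Jolokia abuse described above is to flag every `exec` of `addNetworkConnector` and raise severity when an argument points at a remote HTTP resource. This is an added example, not code from the advisory or the ActiveMQ project. It assumes a reverse proxy or WAF that logs Jolokia POST bodies as JSON lines; the record fields, the `/api/jolokia` mount point, the addresses and the URIs are constructed, and only POST-form requests (single or bulk) are parsed.

```python
import json
import re

PREFIX = "/api/jolokia"            # assumed mount point; adjust to the deployment
RISKY_OP = "addNetworkConnector"   # JMX operation named in the advisory
REMOTE_REF = re.compile(r"https?://", re.I)

def jolokia_requests(rec):
    """Yield Jolokia request dicts carried in one proxy record's POST body."""
    path = str(rec.get("path", "")) if isinstance(rec, dict) else ""
    if not path.startswith(PREFIX) or rec.get("method") != "POST":
        return
    try:
        body = json.loads(rec.get("body") or "null")
    except (ValueError, TypeError):
        return  # unparseable body: nothing to classify
    # Jolokia accepts one request object or a bulk array of them.
    for req in body if isinstance(body, list) else [body]:
        if isinstance(req, dict):
            yield req

def scan(lines):
    """Return (src, severity) per exec of addNetworkConnector; signature suffix ignored."""
    hits = []
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # skip non-JSON noise in the log
        for req in jolokia_requests(rec):
            op = str(req.get("operation", "")).split("(")[0]
            if str(req.get("type", "")).lower() == "exec" and op == RISKY_OP:
                args = " ".join(map(str, req.get("arguments") or []))
                hits.append((rec.get("src"), "high" if REMOTE_REF.search(args) else "review"))
    return hits

# Constructed sample records: documentation addresses, placeholder URIs.
MBEAN = "org.apache.activemq:type=Broker,brokerName=localhost"
def post(src, body):
    return json.dumps({"src": src, "method": "POST", "path": PREFIX, "body": json.dumps(body)})
SAMPLE = [
    post("192.0.2.10", {"type": "read", "mbean": MBEAN, "attribute": "BrokerVersion"}),
    post("192.0.2.20", {"type": "exec", "mbean": MBEAN, "operation": RISKY_OP,
                        "arguments": ["static:(tcp://peer.example.internal:61616)"]}),
    post("203.0.113.7", [{"type": "exec", "mbean": MBEAN, "operation": RISKY_OP,
                          "arguments": ["PLACEHOLDER?cfg=http://203.0.113.7/beans.xml"]}]),
]
if __name__ == "__main__":
    print(scan(SAMPLE))
```

A "review" hit is a connector added through the management API without a remote HTTP reference; it still warrants confirmation against change records, since brokers rarely gain network connectors at runtime.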
CISA strongly recommends prioritizing remediation of this vulnerability regardless of sector, even though KEV deadlines formally apply only to U.S. federal agencies.