Recent Apache ActiveMQ Vulnerability Exploited in the Wild

Organizations are warned that a recently patched vulnerability affecting Apache ActiveMQ Classic is being exploited in the wild.

The flaw is tracked as CVE-2026-34197 and it came to light roughly 10 days ago, after it lurked in the software’s code for 13 years. It has been patched with the release of versions 5.19.5 and 6.2.3.

Apache ActiveMQ is an open source, multi-protocol message broker that enables reliable, asynchronous communication between applications. 

CVE-2026-34197 is related to the Jolokia API and can allow an authenticated attacker to execute arbitrary code.

Horizon3, whose researchers discovered the vulnerability and published details on April 7, pointed out that while exploitation of CVE-2026-34197 requires authentication, many Apache ActiveMQ instances are protected by widely-known default credentials.

In addition, CVE-2026-34197 can be chained with an older vulnerability tracked as CVE-2024-32114 to achieve unauthenticated remote code execution.

The cybersecurity agency CISA added CVE-2026-34197 to its Known Exploited Vulnerabilities (KEV) catalog on Thursday, instructing federal agencies to patch it by April 30.

No details appear to be publicly available about the attacks exploiting the vulnerability. However, Fortinet has seen dozens of exploitation attempts in the past week. 

SecurityWeek has reached out to the cybersecurity firm for more information on the nature of these exploitation attempts.

Related: Microsoft Patches Exploited SharePoint Zero-Day and 160 Other Vulnerabilities

Related: Exploited Vulnerability Exposes Nginx Servers to Hacking

Related: Cisco Patches Critical Vulnerabilities in Webex, ISE