CISA Flags Apache ActiveMQ Flaw as Actively Exploited in Attacks


What happened

CISA has added a high-severity Apache ActiveMQ vulnerability, tracked as CVE-2026-34197, to its Known Exploited Vulnerabilities catalog after confirming active exploitation in the wild. The flaw went undetected for 13 years before being discovered by Horizon3 researcher Naveen Sunkavally using an AI assistant. The vulnerability stems from improper input validation and allows authenticated attackers to execute arbitrary code via injection attacks. Apache patched the flaw on March 30 in ActiveMQ Classic versions 6.2.3 and 5.19.4. CISA has ordered Federal Civilian Executive Branch agencies to patch by April 30 under Binding Operational Directive 22-01. Threat monitoring service ShadowServer is currently tracking more than 7,500 Apache ActiveMQ servers exposed online. Horizon3 noted that exploitation evidence can be found in ActiveMQ broker logs by looking for suspicious broker connections using the brokerConfig=xbean:http:// query parameter and the internal VM transport protocol. This is the third Apache ActiveMQ vulnerability CISA has flagged as actively exploited, following CVE-2023-46604 and CVE-2016-3088.

Who is affected

Any organization running Apache ActiveMQ is directly exposed, with more than 7,500 servers currently visible on the public internet. FCEB agencies face a mandatory April 30 patch deadline, but CISA has urged private-sector defenders to treat patching as an equal priority. ActiveMQ’s widespread use as a message broker across enterprise environments broadens the potential attack surface significantly.

Why CISOs should care

Apache ActiveMQ has now attracted three separate KEV listings, and Horizon3 has explicitly warned that exploitation methods for the platform are well understood by attackers. The 13-year window during which this flaw went undetected highlights the risk of long-lived vulnerabilities in widely deployed open-source infrastructure components. With over 7,500 instances exposed and active exploitation already confirmed, organizations running ActiveMQ have a narrow window to act.

3 practical actions

  1. Patch immediately: Upgrade affected ActiveMQ Classic instances to versions 6.2.3 or 5.19.4, where the vulnerability was remediated on March 30, and treat this as high priority given confirmed active exploitation.
  2. Hunt for signs of compromise: Review ActiveMQ broker logs for suspicious connections using the brokerConfig=xbean:http:// query parameter or the internal VM transport protocol as indicators of exploitation attempts.
  3. Reduce internet exposure: Audit whether any ActiveMQ servers are unnecessarily accessible from the public internet and restrict access to only those systems and users that require it.
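A small log-hunting helper for action 2, added here as an example and not code from the article, CISA or Horizon3: it scans ActiveMQ Classic broker log lines for the two indicators named above. The log layout, the 203.0.113.7 address and the `https` variant of the `xbean:` parameter are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Indicators from the advisory coverage: the brokerConfig=xbean:http:// query
# parameter and the in-process VM transport (vm://). Matching https as well as
# http is an assumption, not something the article states.
XBEAN_RE = re.compile(r"brokerConfig=xbean:https?://", re.IGNORECASE)
VM_RE = re.compile(r"\bvm://", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    indicator: str
    confidence: str
    text: str


def scan_broker_log(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per log line that carries an indicator."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, start=1):
        if XBEAN_RE.search(line):
            findings.append(Finding(n, "brokerConfig=xbean:http", "high", line.strip()))
        elif VM_RE.search(line):
            # vm:// also shows up in legitimate embedded-broker setups, so it is
            # only a weak signal on its own; correlate it with xbean hits,
            # timing and the remote peer in the thread name.
            findings.append(Finding(n, "vm-transport", "low", line.strip()))
    return findings


# Constructed sample in the shape of ActiveMQ Classic's default log layout.
SAMPLE_LOG = """\
2026-04-14 09:12:01,004 | INFO  | Apache ActiveMQ 5.19.3 (localhost, ID:broker-1) is starting | org.apache.activemq.broker.BrokerService | main
2026-04-14 09:12:02,118 | INFO  | Connector openwire started | org.apache.activemq.broker.TransportConnector | main
2026-04-14 11:47:55,339 | WARN  | Transport Connection to: tcp://203.0.113.7:51822 failed | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport: tcp:///203.0.113.7:51822@61616
2026-04-14 11:47:56,002 | INFO  | Connector vm://localhost?brokerConfig=xbean:http://203.0.113.7:8080/cfg.xml started | org.apache.activemq.broker.TransportConnector | ActiveMQ Transport: tcp:///203.0.113.7:51822@61616
2026-04-14 11:47:56,410 | INFO  | Connector vm://localhost started | org.apache.activemq.broker.TransportConnector | main
"""


def scan_sample() -> List[Finding]:
    return scan_broker_log(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in scan_sample():
        print(f"line {f.line_no} [{f.confidence}] {f.indicator}: {f.text}")
```

Point `scan_broker_log` at the real `activemq.log` (and its rotated copies) rather than the sample; a high-confidence hit should be triaged as a likely exploitation attempt, not just a patch reminder.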
