Apache ActiveMQ CVE-2026-34197 Added to CISA KEV Amid Active Exploitation

Apache ActiveMQ CVE-2026-34197 Added to CISA KEV Amid Active Exploitation Ravie LakshmananApr 17, 2026Vulnerability / Enterprise Security A recently disclosed high-severity security flaw in Apache ActiveMQ Classic has come under active exploitation in the wild, per the U.S. Cybersecurity and Infrastructure Security Agency (CISA). To that end, the agency has added the vulnerability, tracked as CVE-2026-34197 (CVSS score: 8.8), to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by April 30, 2026. CVE-2026-34197 has been described as a case of improper input validation that could lead to code injection, effectively allowing an attacker to execute arbitrary code on susceptible installations. According to Horizon3.ai's Naveen Sunkavally, CVE-2026-34197 has been "hiding in plain sight" for 13 years.  "An attacker can invoke a management operation through ActiveMQ's Jolokia API to trick the broker into fetching a remote configuration file and running arbitrary OS commands," Sunkavally added. "The vulnerability requires credentials, but default credentials (admin:admin) are common in many environments. On some versions (6.0.0–6.1.1), no credentials are required at all due to another vulnerability, CVE-2024-32114, which inadvertently exposes the Jolokia API without authentication. In those versions, CVE-2026-34197 is effectively an unauthenticated RCE." The vulnerability impacts the following versions - Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) before 5.19.4 Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 6.0.0 before 6.2.3 Apache ActiveMQ (org.apache.activemq:activemq-all) before 5.19.4 Apache ActiveMQ (org.apache.activemq:activemq-all) 6.0.0 before 6.2.3 Users are advised to upgrade to version 5.19.4 or 6.2.3, which addresses the issue. There are currently no details on how CVE-2026-34197 is being exploited in the wild, but SAFE Security, in a report published this week, revealed that threat actors are actively targeting exposed Jolokia management endpoints in Apache ActiveMQ Classic deployments. The findings once again demonstrate that exploitation timelines continue to collapse as attackers pounce upon newly disclosed vulnerabilities at an alarmingly faster rate and breach systems before they can be patched. Apache ActiveMQ is a popular target for attack, with flaws in the open-source message broker repeatedly exploited in various malware campaigns since 2021. In August 2025, a critical vulnerability in ActiveMQ (CVE-2023-46604, CVSS score: 10.0) was weaponized by unknown actors to drop a Linux malware called DripDropper. "Given ActiveMQ’s role in enterprise messaging and data pipelines, exposed management interfaces present a high-impact risk, potentially enabling data exfiltration, service disruption, or lateral movement," SAFE Security said. "Organizations should audit all deployments for externally accessible Jolokia endpoints, restrict access to trusted networks, enforce strong authentication, and disable Jolokia where it is not required." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  Apache ActiveMQ, CISA, cybersecurity, enterprise security, Malware, Open Source, remote code execution, Threat Intelligence, Vulnerability Trending News AI Will Change Cybersecurity. Humans Will Define Its Success. A Lesson No Algorithm Can Teach Block the Prompt, Not the Work: The End of "Doctor No" Apple Expands iOS 18.7.7 Update to More Devices to Block DarkSword Exploit Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS The AI Arms Race – Why Unified Exposure Management Is Becoming a Boardroom Priority Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers BKA Identifies REvil Leaders Behind 130 German Ransomware Attacks New Chrome Zero-Day CVE-2026-5281 Under Active Exploitation — Patch Released Anthropic's Claude Mythos Finds Thousands of Zero-Day Flaws Across Major Systems New SparkCat Variant in iOS, Android Apps Steals Crypto Wallet Recovery Phrase Images Microsoft Warns of WhatsApp-Delivered VBS Malware Hijacking Windows via UAC Bypass ⚡ Weekly Recap: Axios Hack, Chrome 0-Day, Fortinet Exploits, Paragon Spyware and More Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials New GPUBreach Attack Enables Full CPU Privilege Escalation via GDDR6 Bit-Flips China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware Docker CVE-2026-34040 Lets Attackers Bypass Authorization and Gain Host Access Load More ▼ Popular Resources Learn How to Block Breached Passwords in Active Directory Before Attacks [Guide] Get Practical Steps to Govern AI Agents with Runtime Controls Secure Your AI Systems Across the Full Lifecycle of Risks Get Full Visibility into Vendor and Internal Risk in One Platform