Shadowserver found more than 6,400 Apache ActiveMQ servers exposed online that are vulnerable to ongoing attacks exploiting a high-severity code-injection flaw tracked as CVE-2026-34197. The improper input validation bug, discovered by Horizon3 researcher Naveen Sunkavally using the Claude AI assistant after it went undetected for 13 years, allows authenticated attackers to execute arbitrary code and was patched in ActiveMQ Classic 6.2.3 and 5.19.4 on March 30.
Keypoints
- Shadowserver reported over 6,400 exposed ActiveMQ instances vulnerable to CVE-2026-34197, with most located in Asia, North America, and Europe.
- The vulnerability was discovered by Horizon3 researcher Naveen Sunkavally using the Claude AI assistant after remaining undetected for 13 years.
- An improper input validation flaw enables authenticated attackers to execute arbitrary code; Apache fixed it in ActiveMQ Classic 6.2.3 and 5.19.4, released on March 30.
- CISA warned the flaw is actively exploited and ordered federal agencies to secure affected servers by April 30, citing it as a frequent attack vector.
- Horizon3 advised searching ActiveMQ broker logs for VM transport connections and brokerConfig=xbean:http:// indicators, noting ActiveMQ has been repeatedly targeted, including past CVE-2016-3088 and CVE-2023-46604 incidents.
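The log search Horizon3 recommends can be scripted. The following is an added example, not code from Horizon3 or Apache: it flags lines containing a VM transport URI (`vm://`) or the `brokerConfig=xbean:http://` string, and goes slightly beyond the article by also matching percent-encoded and mixed-case forms. The function names and the sample log lines are constructed for illustration.

```python
import re
import sys
from urllib.parse import unquote

# Indicators named in the article. Case-insensitive matching on a
# percent-decoded copy of each line is an assumption made for this example.
INDICATORS = {
    "vm_transport": re.compile(r"\bvm://", re.I),
    "remote_xbean_config": re.compile(r"brokerConfig\s*=\s*xbean:https?://", re.I),
}

def scan_lines(lines):
    """Return (line_number, sorted indicator names, raw line) for every hit."""
    hits = []
    for number, raw in enumerate(lines, start=1):
        decoded = unquote(raw)  # catches brokerConfig%3Dxbean%3Ahttp%3A%2F%2F...
        names = sorted(n for n, rx in INDICATORS.items() if rx.search(decoded))
        if names:
            hits.append((number, names, raw.rstrip("\n")))
    return hits

def high_priority(hits):
    """vm:// alone also appears for legitimate in-JVM clients, so lines
    showing a remote xbean config load are the ones to triage first."""
    return [h for h in hits if "remote_xbean_config" in h[1]]

# Constructed sample lines; a real activemq.log layout depends on the
# broker's logging configuration.
SAMPLE_LOG = [
    "10:00:01 | INFO | Apache ActiveMQ (constructed sample) started | main",
    "10:05:12 | INFO | Connector vm://constructed-broker started | thread-1",
    "10:05:13 | WARN | vm://constructed-broker?brokerConfig=xbean:http://"
    "placeholder.invalid/constructed.xml | thread-2",
    "10:05:14 | WARN | brokerConfig%3Dxbean%3Ahttp%3A%2F%2Fplaceholder.invalid"
    "%2Fconstructed.xml | thread-3",
    "10:06:00 | INFO | Connector openwire started | main",
]

if __name__ == "__main__":
    # Pass a broker log path as the first argument, or run on the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_LOG
    for number, names, raw in scan_lines(lines):
        print(f"line {number}: {', '.join(names)}: {raw}")
```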