CISA warned that a high-severity Apache ActiveMQ vulnerability patched on March 30 (CVE-2026-34197) is being actively exploited, prompting an emergency federal patching deadline under BOD 22-01. The input-validation flaw, discovered after 13 years by Horizon3 researcher Naveen Sunkavally using Claude AI, allows authenticated attackers to execute arbitrary code. ShadowServer reports over 7,500 exposed ActiveMQ servers online.
Key points
- CVE-2026-34197 is a high-severity ActiveMQ input-validation flaw that enables authenticated remote code execution.
- Apache patched the issue in ActiveMQ Classic versions 6.2.3 and 5.19.4 on March 30.
- CISA added the vulnerability to its KEV catalog and ordered federal agencies to patch by April 30 under BOD 22-01.
- Horizon3 advises checking broker logs for brokerConfig=xbean:http:// parameters and the VM internal transport as signs of exploitation.
- ShadowServer is tracking over 7,500 exposed ActiveMQ servers, and prior ActiveMQ flaws have been exploited by groups like TellYouThePass.
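
The log check Horizon3 advises can be scripted. The following is an added example, not code from Horizon3, CISA or the ActiveMQ project. The sample log lines and the example.invalid host are constructed, and matching https as well as http and percent-encoded forms of the parameter goes beyond the exact string named above.

```python
import re
from urllib.parse import unquote, urlparse

# Indicator named on the page; matching https as well is an assumption of this example.
BROKER_CONFIG = re.compile(r"brokerConfig=xbean:(https?://[^\s\"'&)]+)", re.IGNORECASE)
# vm:// is the URI scheme of ActiveMQ's internal VM transport.
VM_TRANSPORT = re.compile(r"\bvm://", re.IGNORECASE)

# Constructed sample lines (not real broker output; the host is a placeholder).
SAMPLE_LOG = [
    "2026-04-02 10:01:11 | INFO | Connector openwire started",
    "2026-04-02 10:03:42 | WARN | transport vm://sample?brokerConfig=xbean:http://config.example.invalid/a.xml",
    "2026-04-02 10:04:01 | WARN | uri=vm%3A%2F%2Fsample%3FbrokerConfig%3Dxbean%3Ahttp%3A%2F%2Fconfig.example.invalid%2Fb.xml",
    "2026-04-02 10:05:00 | INFO | Connector vm://localhost started",
]

def normalize(line, max_rounds=3):
    """Percent-decode up to max_rounds times so encoded indicators still match."""
    for _ in range(max_rounds):
        decoded = unquote(line)
        if decoded == line:
            break
        line = decoded
    return line

def scan(lines):
    """Return one finding per line that carries the brokerConfig indicator."""
    findings = []
    for lineno, raw in enumerate(lines, start=1):
        text = normalize(raw.rstrip("\n"))
        match = BROKER_CONFIG.search(text)
        if not match:
            continue  # vm:// alone is treated as context, not as a finding
        url = match.group(1)
        findings.append({
            "line": lineno,
            "remote_config": url,
            "host": urlparse(url).hostname,  # host named in the parameter, for triage
            "vm_transport": bool(VM_TRANSPORT.search(text)),
        })
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']}: {f['remote_config']} (vm transport: {f['vm_transport']})")
```

To scan a real broker log, pass an open file object to scan() in place of SAMPLE_LOG.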