CISA tells feds to patch 13-year-old Apache ActiveMQ bug under active attack

Bug hiding in plain sight for over a decade lands on KEV list

Carly Page, Fri 17 Apr 2026 // 17:09 UTC

CISA is sounding the alarm on a newly-exploited Apache ActiveMQ bug, ordering federal agencies to patch within two weeks as attackers circle a flaw that's been quietly lurking for more than a decade.

The US cybersecurity agency added the bug, tracked as CVE-2026-34197, to its Known Exploited Vulnerabilities (KEV) catalog on Thursday, triggering a Binding Operational Directive (BOD) 22-01 deadline that gives Federal Civilian Executive Branch agencies until April 30 to fix their systems or get ready to explain why not.

The bug sits in Apache ActiveMQ, an open source message broker used to shuttle data between applications and services, and allows an authenticated user to execute arbitrary code via the broker's Jolokia management API – effectively turning a messaging workhorse into a remote command runner.

It was disclosed just over a week ago by Horizon3 researcher Naveen Sunkavally, who used Anthropic's Claude AI assistant to help dig it out. According to Horizon3, the issue has been sitting in the codebase for 13 years, unnoticed until now. Patches are available in ActiveMQ versions 5.19.5 and 6.2.3.

"CVE-2026-34197 is a remote code execution vulnerability in Apache ActiveMQ Classic that has been hiding in plain sight for 13 years," Sunkavally said. "An attacker can invoke a management operation through ActiveMQ's Jolokia API to trick the broker into fetching a remote configuration file and running arbitrary OS commands."

While the bug technically requires authentication, Horizon3 notes that many deployments still rely on default credentials – the ever-reliable "admin:admin" – making initial access trivial.
Worse, on certain versions (6.0.0 through 6.1.1), an older flaw, CVE-2024-32114, can expose the Jolokia API without authentication entirely, turning this into a no-credentials-needed remote code execution chain.

"The vulnerability requires credentials, but default credentials are common in many environments," Sunkavally said. "On some versions… no credentials are required at all… In those versions, CVE-2026-34197 is effectively an unauthenticated RCE."

That combination is exactly the sort of thing that lands a bug on CISA's KEV list, which is reserved for vulnerabilities already being exploited in the wild. And there's plenty of exposed surface to aim at: threat monitoring outfit ShadowServer is tracking more than 8,000 ActiveMQ instances reachable from the public internet.

This isn't ActiveMQ's first run-in with attackers, either. The platform has featured in its fair share of compromises, from cryptominers to botnet infrastructure. As Sunkavally pointed out, none of this is especially novel, which puts the onus squarely on admins to move quickly. ®

CISA has mandated patching for CVE-2026-34197 (CVSS 8.8), a 13-year-old Apache ActiveMQ vulnerability that allows authenticated users to execute arbitrary OS commands via the Jolokia management API. Affected versions are Apache ActiveMQ Classic versions earlier than 5.19.4 and versions 6.0.0 through 6.2.2; the flaw is fixed in versions 5.19.4 and 6.2.3. The threat is exacerbated by common default credentials and, on ActiveMQ versions 6.0.0 through 6.1.1, the flaw can chain with CVE-2024-32114 to become an unauthenticated remote code execution attack.
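
For admins working out which brokers to patch first, the version ranges and the credential caveat above can be turned into a triage check. This is an added example, not code from The Register, Horizon3 or Apache; the host names, inventory format and function names are constructed, and because the page gives both 5.19.4 and 5.19.5 as the 5.x fix, the higher value is used as the threshold.

```python
import re

# Thresholds from the page. The article body names 5.19.5 and 6.2.3 as patched;
# the summary names 5.19.4 for 5.x. The higher value is an assumption chosen
# here so that no broker is under-reported.
FIXED_5X = (5, 19, 5)
FIXED_6X = (6, 2, 3)
# Range where the page says CVE-2024-32114 leaves Jolokia unauthenticated.
NOAUTH_LOW, NOAUTH_HIGH = (6, 0, 0), (6, 1, 1)

def parse_version(text):
    """Return (major, minor, patch) from '5.18.3' or '6.1.0-SNAPSHOT'."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def triage(version, default_creds=False):
    """Classify one ActiveMQ Classic broker for CVE-2026-34197 priority."""
    v = parse_version(version)
    if v[0] > 6:
        return "unknown: version line not covered by the page"
    if v >= (FIXED_5X if v[0] <= 5 else FIXED_6X):
        return "patched"
    if NOAUTH_LOW <= v <= NOAUTH_HIGH:
        return "critical: no credentials needed (chains with CVE-2024-32114)"
    if default_creds:
        return "critical: default credentials in use"
    return "vulnerable: authenticated RCE"

# Constructed sample inventory: (host, version, admin:admin still set?)
SAMPLE_INVENTORY = [
    ("mq-01.example.internal", "5.18.3", True),
    ("mq-02.example.internal", "6.1.0", False),
    ("mq-03.example.internal", "6.2.3", False),
    ("mq-04.example.internal", "5.19.5", True),
    ("mq-05.example.internal", "6.2.1", False),
]

def patch_queue(inventory):
    """Return (host, verdict) for unpatched brokers, critical ones first."""
    rows = [(host, triage(ver, creds)) for host, ver, creds in inventory]
    rows = [r for r in rows if r[1] != "patched"]
    return sorted(rows, key=lambda r: not r[1].startswith("critical"))

if __name__ == "__main__":
    for host, verdict in patch_queue(SAMPLE_INVENTORY):
        print(f"{host}: {verdict}")
```

A "patched" verdict covers only the version check; a broker such as mq-04 that still has default credentials set needs them changed regardless.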