Critical Remote Code Execution Vulnerability (CVE‑2026‑34197) Discovered in Apache ActiveMQ Classic After 13 Years
What Happened – Researchers using the Claude AI assistant uncovered a remote code execution (RCE) flaw in Apache ActiveMQ Classic (CVE‑2026‑34197) that has existed for 13 years. The vulnerability allows an attacker to force the broker to fetch a malicious Spring XML file via the Jolokia management API and execute arbitrary system commands.
Why It Matters for TPRM –
- The bug affects widely‑deployed message‑broker software used across enterprise, government, and financial environments.
- Successful exploitation can give attackers command‑level control over critical backend systems, enabling data theft, ransomware deployment, or lateral movement.
- The issue was hidden for over a decade, highlighting the need for continuous third‑party component monitoring and AI‑assisted code‑base analysis.
Who Is Affected – Enterprises that run Apache ActiveMQ Classic (versions < 5.19.4 and 6.0.0‑6.2.3), including SaaS platforms, government agencies, and financial‑services middleware.
Recommended Actions –
- Deploy Apache’s patches (≥ 5.19.4, ≥ 6.2.3) immediately.
- Disable or tightly restrict access to the Jolokia API; enforce authentication and network segmentation.
- Conduct an inventory of all ActiveMQ deployments and verify version compliance.
- Monitor network traffic for unusual broker‑connector requests and anomalous command execution.
Technical Notes – The exploit chain stitches together Jolokia, JMX, network connectors, and VM transports. An unauthenticated path exists on versions 6.0.0‑6.1.1 due to CVE‑2024‑32114. CVSS 8.8 (high). Source: BleepingComputer
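
Added example (not from the source article or the Apache project): a triage script for the inventory step above. It assumes the patch floors given under Recommended Actions, so 6.2.3 is treated as fixed, and the 6.0.0-6.1.1 unauthenticated range from the Technical Notes. Function names, hostnames and sample versions are constructed for illustration.

```python
import re

# Patch floors as stated under Recommended Actions (assumption: 6.2.3 is fixed).
FIXED_5X = (5, 19, 4)
FIXED_6X = (6, 2, 3)
# Range the Technical Notes give for the unauthenticated path (CVE-2024-32114).
UNAUTH_RANGE = ((6, 0, 0), (6, 1, 1))


def parse_version(text):
    """Return (major, minor, patch) from strings such as '5.18.3' or '6.1.0-SNAPSHOT'."""
    m = re.match(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) if p else 0 for p in m.groups())


def classify(version_text):
    """Map one broker version to 'patched', 'vulnerable' or 'vulnerable-unauthenticated'."""
    v = parse_version(version_text)  # numeric tuple, so 5.9.x sorts below 5.19.x
    floor = FIXED_6X if v >= (6, 0, 0) else FIXED_5X
    if v >= floor:
        return "patched"
    if UNAUTH_RANGE[0] <= v <= UNAUTH_RANGE[1]:
        return "vulnerable-unauthenticated"
    return "vulnerable"


def triage(inventory):
    """Sort (host, version) pairs worst first, keeping unparseable versions visible."""
    order = {"vulnerable-unauthenticated": 0, "unknown": 1, "vulnerable": 2, "patched": 3}
    rows = []
    for host, version in inventory:
        try:
            status = classify(version)
        except ValueError:
            status = "unknown"  # no usable version string: needs a manual check
        rows.append((host, version, status))
    return sorted(rows, key=lambda r: (order[r[2]], r[0]))


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("mq-a.example.internal", "5.9.1"),
    ("mq-b.example.internal", "6.1.0"),
    ("mq-c.example.internal", "6.2.3"),
    ("mq-d.example.internal", "5.19.4"),
    ("mq-e.example.internal", "unknown"),
]
```

Feed `triage()` the (host, version) pairs from an asset inventory or CMDB export; brokers in the unauthenticated range sort to the top, followed by hosts whose version could not be determined.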