Apache ActiveMQ Flaw Affects Over 6,400 Servers Globally


Apache ActiveMQ Flaw Exposes Thousands of Servers to Ongoing Attacks

A critical code injection vulnerability in Apache ActiveMQ, a widely used open-source messaging broker, has left over 6,400 servers exposed online and vulnerable to ongoing attacks.

According to researchers at Horizon3, the vulnerability stems from an improper input validation weakness that has remained undetected for 13 years.

The issue, tracked as CVE-2026-34197, allows authenticated threat actors to execute arbitrary code on unpatched systems.

Patching and Exposure

The Apache maintainers patched the issue on March 30 in versions 6.2.3 and 5.19.4 of the software.

  • More than 6,400 IP addresses expose Apache ActiveMQ fingerprints online.
  • The majority of these unpatched servers are located in Asia, North America, and Europe.

Government Warning and Guidance

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about the actively exploited Apache ActiveMQ vulnerability and ordered Federal Civilian Executive Branch (FCEB) agencies to secure their servers by April 30.

“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” CISA warned. “Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.”

Identification and Mitigation

Researchers at Horizon3 have provided guidance on how to identify potential exploitation attempts, including searching the ActiveMQ broker logs for suspicious connections that use the internal VM transport and carry the brokerConfig=xbean:http:// query parameter.
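The log search described above, as an added example that is not part of the original article or Horizon3's tooling: a small Python scanner that flags lines where the VM transport appears together with a brokerConfig=xbean: parameter pointing at a remote http(s) URL, decoding percent-encoded URIs first so an encoded variant is not missed. The log format and the sample lines are constructed for illustration (the "medium" tier for a non-remote brokerConfig is this example's own addition, not an indicator from the article).

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (not real ActiveMQ output); the layout is assumed.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
2026-04-01 10:02:11,004 | INFO | Connector vm://localhost started | TransportConnector
2026-04-01 10:05:43,871 | INFO | Connector openwire started on tcp://0.0.0.0:61616 | TransportConnector
2026-04-01 10:07:02,119 | WARN | Connection from 203.0.113.7 using vm://localhost?brokerConfig=xbean:http://203.0.113.7:8000/config.xml | TransportConnector
2026-04-01 10:07:05,301 | INFO | Connection from 198.51.100.20 using vm://localhost?create=false | TransportConnector
2026-04-01 10:08:10,552 | WARN | client sent vm%3A%2F%2Flocalhost%3FbrokerConfig%3Dxbean%3Ahttps%3A%2F%2Fexample.test%2Fcfg.xml | TransportConnector
2026-04-01 10:09:30,777 | INFO | Connection from 198.51.100.21 using vm://localhost?brokerConfig=xbean:file:/opt/activemq/conf/activemq.xml | TransportConnector
"""

# The indicator from the article: the in-process vm:// transport combined with
# a brokerConfig=xbean: parameter that points at a remote http(s) URL.
VM_TRANSPORT = re.compile(r"\bvm://", re.IGNORECASE)
REMOTE_XBEAN = re.compile(r"brokerConfig=xbean:https?://([^\s\"'&|]+)", re.IGNORECASE)


def classify_line(line):
    """Return (severity, detail) for one log line, or None if nothing matched."""
    decoded = unquote(line)  # percent-encoded URIs would otherwise evade the regexes
    m = REMOTE_XBEAN.search(decoded)
    if m:
        # Remote configuration URL: the pattern the article's guidance describes.
        return ("high", m.group(1))
    if VM_TRANSPORT.search(decoded) and "brokerConfig=" in decoded:
        # Example's own extension: any brokerConfig override over vm:// is worth a review.
        return ("medium", "vm:// with brokerConfig parameter")
    return None


def scan_log(text):
    """Scan a whole log; return one finding dict per flagged line, in file order."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        hit = classify_line(line)
        if hit:
            findings.append({"line": number, "severity": hit[0], "detail": hit[1], "text": line})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['severity']:6} {f['detail']}")
```

A plain "Connector vm://localhost started" line is not flagged, since the VM transport is used legitimately inside the broker; only its combination with brokerConfig is of interest.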

Organizations running ActiveMQ are advised to treat this issue as a high priority due to the repeated targeting of the software by real-world attackers and well-known methods for exploitation and post-exploitation.

Two additional Apache ActiveMQ vulnerabilities, tracked as CVE-2016-3088 and CVE-2023-46604, were previously identified as being exploited in the wild. The latter was targeted by the TellYouThePass ransomware gang as a zero-day flaw.


