Critical Vulnerability

Apache ActiveMQ CVE-2026-34197 added to CISA KEV catalog

CISA warned that attackers are now exploiting a high-severity Apache ActiveMQ vulnerability, which was patched earlier this month after going undetected for 13 years. [...]

What Happened

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity vulnerability in Apache ActiveMQ Classic, tracked as CVE-2026-34197, to its Known Exploited Vulnerabilities (KEV) catalog. This action confirms the flaw is being actively exploited in the wild. The vulnerability, which affects the OpenWire protocol, was patched by Apache earlier this month after remaining undiscovered for approximately 13 years.

Why It Matters

ActiveMQ is a widely used open-source message broker that facilitates communication between enterprise applications. Its deployment in critical integration and backend systems makes it a high-value target. CISA’s KEV designation mandates that all U.S. federal civilian agencies patch this vulnerability by a specified deadline, but it also serves as a critical warning for all enterprises. The combination of a 13-year-old latent bug, its presence in core infrastructure, and confirmed active exploitation creates a widespread and urgent patching imperative for organizations globally.

Technical Details

CVE-2026-34197 is a deserialization of untrusted data vulnerability in the OpenWire protocol marshaller in Apache ActiveMQ Classic. An unauthenticated attacker with network access to a broker can exploit this flaw by sending a specially crafted packet to the OpenWire port (default TCP 61616). Successful exploitation can lead to remote code execution (RCE) on the broker host with the privileges of the ActiveMQ process. This vulnerability is distinct from other recent ActiveMQ issues, such as the ActiveMQ TLSv1.3 memory DoS (CVE-2026-39304). Public proof-of-concept (PoC) exploit code is available, increasing the likelihood of widespread attacks.

Immediate Risk

The risk is critical for any internet-facing or internally accessible ActiveMQ Classic instance running an unpatched version. The KEV entry confirms threat actors are already weaponizing this flaw. Organizations must treat patching as an emergency action. The availability of a PoC lowers the barrier to entry for less sophisticated attackers, potentially leading to ransomware deployment, initial network access, or data theft. Immediate scanning for exposed brokers and application of the Apache-provided patch is the only complete mitigation.

Security Insight

This incident underscores the persistent risk of “vulnerability debt” in foundational, long-lived enterprise software. A flaw lying dormant for over a decade in a core protocol like OpenWire suggests that similar issues may exist in other mature messaging systems or integration backbones. The pattern mirrors historical risks in other ubiquitous protocols, where deep-seated design flaws are later discovered. Defensively, this reinforces the need for robust network segmentation; message brokers should never be directly exposed to untrusted networks. Proactive hunting for anomalous traffic on broker ports (like 61616) is now essential, as exploitation attempts will likely precede full-scale compromise.
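The hunting the last two sections call for (finding brokers reachable from where they should not be, and flagging unexpected traffic to the OpenWire port) can be started from existing firewall or flow logs before any new tooling is deployed. The script below is an added example written for this page, not code from Apache, CISA, or the original article. It assumes a simple firewall-style connection log format and a hypothetical allowlist of application subnets; both the log lines and the allowlist are constructed, and a real deployment would substitute its own log parser and asset inventory.

```python
"""Flag unexpected TCP connections to the ActiveMQ OpenWire port (default 61616).

Added example for a defender's triage; the log format and networks are constructed.
"""
import ipaddress
import re
from collections import defaultdict

OPENWIRE_PORT = 61616  # default OpenWire listener named in the advisory

# Hypothetical allowlist: application subnets that are expected to talk to the broker.
APPROVED_CLIENTS = [ipaddress.ip_network("10.20.0.0/24")]

# RFC 1918 ranges; anything outside these is treated as untrusted/external.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed firewall-style log lines (not real traffic).
SAMPLE_LOG = """\
2026-04-02T10:01:12Z ALLOW TCP 10.20.0.15:49213 -> 10.20.1.5:61616
2026-04-02T10:01:13Z ALLOW TCP 10.20.0.16:49880 -> 10.20.1.5:61616
2026-04-02T10:03:44Z ALLOW TCP 10.30.7.9:51002 -> 10.20.1.5:61616
2026-04-02T10:04:01Z ALLOW TCP 203.0.113.77:40001 -> 10.20.1.5:61616
2026-04-02T10:04:02Z ALLOW TCP 203.0.113.77:40002 -> 10.20.1.5:61616
2026-04-02T10:04:03Z ALLOW TCP 203.0.113.77:40003 -> 10.20.1.5:61616
2026-04-02T10:04:30Z DENY  TCP 198.51.100.9:40500 -> 10.20.1.5:61616
2026-04-02T10:05:10Z ALLOW TCP 10.20.0.15:49300 -> 10.20.1.5:8161
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def classify_source(src):
    """Label a source address as approved, unapproved-internal, or external."""
    ip = ipaddress.ip_address(src)
    if any(ip in net for net in APPROVED_CLIENTS):
        return "approved"
    if any(ip in net for net in INTERNAL_NETS):
        return "unapproved-internal"
    return "external"


def hunt(log_text):
    """Return (findings, external_counts) for allowed TCP sessions to the broker port.

    findings: list of dicts for every non-approved source that reached 61616.
    external_counts: connection count per non-RFC1918 source (broker is exposed).
    """
    findings = []
    external_counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the hunt
        if rec["action"] != "ALLOW" or rec["proto"] != "TCP" or rec["dport"] != OPENWIRE_PORT:
            continue  # only successful sessions to the OpenWire listener matter here
        label = classify_source(rec["src"])
        if label == "approved":
            continue
        if label == "external":
            external_counts[rec["src"]] += 1
        findings.append({"ts": rec["ts"], "src": rec["src"], "dst": rec["dst"], "class": label})
    return findings, dict(external_counts)


if __name__ == "__main__":
    found, exposed = hunt(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['class']:20} {f['src']} -> {f['dst']}:{OPENWIRE_PORT}")
    for src, n in exposed.items():
        print(f"broker reachable from outside RFC 1918 space: {src} ({n} sessions)")
```

Any "external" finding means the broker is reachable from untrusted networks and should be segmented off regardless of patch status; "unapproved-internal" findings are the anomalous internal traffic worth correlating with broker logs and host telemetry while the patch is rolled out.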
