Code Defence Cyber security

Decade-old Apache ActiveMQ RCE vulnerability targeted in mass scanning campaign

A critical remote code execution vulnerability has been identified in a legacy management component of Apache ActiveMQ Classic. Automated scanning clusters are currently mapping internet-exposed brokers that have remained unpatched for over 13 years.

CVE-2026-34197 leverages the Jolokia management API to force the broker into loading an external, malicious XML configuration. This provides an unauthenticated remote attacker with a path to full command execution on the host system. While newer versions have restricted this behavior, thousands of legacy brokers in enterprise application backbones remain vulnerable to this decade-old logic flaw.

Middleware often exists in the “blind spot” of modern security operations because it is rarely updated once integrated into stable application flows. Attackers are prioritizing these legacy backdoors because they offer a reliable path to unauthenticated root access on systems that lack modern endpoint telemetry.

– Update Apache ActiveMQ Classic to version 5.19.4 or 6.2.3 and higher immediately.

– Disable the Jolokia management API if it is not essential for production monitoring, or restrict access to it to localhost.

– Restrict all broker management ports to an isolated, internal administrative network segment.

– Audit broker logs for anomalous requests to the /api/jolokia endpoint originating from unauthorized network blocks.
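A small way to run the log audit from the last recommendation, as an added example that is not part of the original post: it parses constructed NCSA-style access-log lines (the broker's real Jetty log layout, the regex and the allowed administrative ranges are assumptions) and lists /api/jolokia requests from outside those ranges, with requests that actually got a 2xx response first.

```python
import ipaddress
import re

# Constructed sample lines in NCSA combined format; the broker's real Jetty
# access log may use a different layout, so adapt LOG_RE to match yours.
SAMPLE_LOG = """\
10.0.5.12 - - [02/May/2026:10:01:13 +0000] "GET /api/jolokia/version HTTP/1.1" 200 312 "-" "monitoring/1.0"
198.51.100.77 - - [02/May/2026:10:02:44 +0000] "POST /api/jolokia/ HTTP/1.1" 401 0 "-" "python-requests/2.31"
203.0.113.9 - - [02/May/2026:10:03:02 +0000] "GET /api/jolokia/list HTTP/1.1" 200 9120 "-" "curl/8.4.0"
10.0.5.13 - - [02/May/2026:10:03:55 +0000] "GET /admin/index.jsp HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
"""

# Source address, timestamp, request line and status code are enough for triage.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Assumed administrative ranges that are allowed to reach the management API.
ALLOWED_NETS = (ipaddress.ip_network("10.0.5.0/24"), ipaddress.ip_network("127.0.0.0/8"))


def is_allowed(source, allowed_nets=ALLOWED_NETS):
    """True if source lies in an allowed network; unparseable addresses count as not allowed."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return False
    return any(addr in net for net in allowed_nets)


def find_anomalous_jolokia(log_text, allowed_nets=ALLOWED_NETS):
    """Return /api/jolokia requests from outside allowed_nets, most urgent first."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group("path").startswith("/api/jolokia"):
            continue
        if is_allowed(m.group("ip"), allowed_nets):
            continue
        status = int(m.group("status"))
        hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
                     "path": m.group("path"), "status": status,
                     # a 2xx means the request actually reached Jolokia, not just the edge
                     "served": 200 <= status < 300})
    # Served requests first; the stable sort keeps log order within each group.
    hits.sort(key=lambda h: not h["served"])
    return hits
```

Point it at the broker's rotated access logs and compare the served hits against your change records; a 2xx from an unknown source on this endpoint is worth an incident ticket on any broker still below the fixed versions.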

Legacy middleware remains the silent backbone of many enterprise breaches due to the “set-and-forget” mentality of infrastructure management. #CodeDefence #ActiveMQ #RCE #LegacyIT