Code Defence Cyber security

CISA adds 13-year-old Apache ActiveMQ RCE flaw to KEV catalog

A critical remote code execution vulnerability that remained dormant for over a decade has been added to the federal list of known exploited threats. This flaw allows unauthenticated attackers to gain full command execution on legacy message brokers that serve as the backbone for enterprise application communication.

Tracked as CVE-2026-34197, the vulnerability involves improper input validation in Apache ActiveMQ Classic. Attackers are currently exploiting this flaw by sending crafted packets to exposed Jolokia management APIs to load malicious external configurations. CISA added this to the KEV catalog on April 16 after observing its use in automated campaigns targeting unpatched middleware in the energy and finance sectors.

Infrastructure that is perceived as stable often escapes the rigorous patch cycles applied to newer cloud-native services. This 13-year-old flaw serves as an operational reminder that “set-and-forget” legacy systems are high-value pivot points for attackers seeking unauthenticated root access to internal data flows.

– Update Apache ActiveMQ Classic to version 5.19.4 or later, or 6.2.3 or later, immediately across all environments.

– Disable the Jolokia management API if it is not strictly required for production monitoring.

– Restrict all broker management ports to an isolated, internal administrative network segment.

– Audit broker logs for anomalous requests to the /api/jolokia endpoint originating from unauthorized IP ranges.
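The last recommendation, auditing broker logs for /api/jolokia requests from outside the administrative network, can be scripted. The following is an added example written for this post, not code from the original article or from the Apache ActiveMQ project. It assumes the broker's embedded web server writes NCSA-style access log lines, that the administrative segment is 10.20.0.0/24, and uses a small constructed log sample; all three are assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample of NCSA-style access log lines, as written by the
# embedded Jetty server in front of ActiveMQ's web console and /api.
# These are not real traffic; the addresses are documentation ranges.
SAMPLE_LOG = """\
10.20.0.5 - - [16/Apr/2026:09:12:01 +0000] "GET /admin/index.jsp HTTP/1.1" 200 4821
10.20.0.5 - - [16/Apr/2026:09:12:07 +0000] "POST /api/jolokia/ HTTP/1.1" 200 312
203.0.113.44 - - [16/Apr/2026:09:14:33 +0000] "POST /api/jolokia/ HTTP/1.1" 200 298
198.51.100.9 - - [16/Apr/2026:09:15:02 +0000] "GET /api/jolokia/read/java.lang:type=Runtime HTTP/1.1" 401 0
10.20.0.5 - - [16/Apr/2026:09:16:45 +0000] "GET /api/jolokia/version HTTP/1.1" 200 150
this line is not an access log record
"""

# Assumed: the isolated administrative segment that may reach the management API.
ADMIN_ALLOWLIST = [ipaddress.ip_network("10.20.0.0/24")]

# Path prefix of the Jolokia endpoint named in the advisory.
JOLOKIA_PREFIX = "/api/jolokia"

# client - user [timestamp] "METHOD path protocol" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one NCSA access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_allowed(ip, allowlist=ADMIN_ALLOWLIST):
    """True if the client address falls inside one of the allowlisted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        # A hostname or garbage in the client field is never trusted.
        return False
    return any(addr in net for net in allowlist)


def find_unauthorized_jolokia(lines, allowlist=ADMIN_ALLOWLIST):
    """Return Jolokia requests whose client is outside the admin allowlist.

    A 2xx response from an unauthorized client means the management API
    actually answered, so it is rated 'high'; any other status is rated
    'attempt' (the request reached the endpoint but was refused or failed).
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(JOLOKIA_PREFIX):
            continue
        if is_allowed(rec["ip"], allowlist):
            continue
        severity = "high" if 200 <= rec["status"] < 300 else "attempt"
        findings.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "method": rec["method"],
            "path": rec["path"],
            "status": rec["status"],
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in find_unauthorized_jolokia(SAMPLE_LOG.splitlines()):
        print(f"[{f['severity']}] {f['ts']} {f['ip']} {f['method']} {f['path']} -> {f['status']}")
```

On the sample above the two 10.20.0.5 requests are ignored, the successful POST from 203.0.113.44 is reported as high, and the refused read from 198.51.100.9 is reported as an attempt. In practice, point the script at the broker's real access log and replace the allowlist with the actual administrative segment; a 'high' finding means an external client got a successful answer from the management API and should be treated as a likely compromise indicator rather than noise.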

Legacy middleware remains a strategic target for adversaries because it often lacks modern endpoint telemetry and remains invisible to standard perimeter scans.

#CodeDefence #ActiveMQ #CISA #LegacyIT