A critical remote code execution vulnerability that remained dormant for over a decade has been added to the federal list of known exploited threats. This flaw allows unauthenticated attackers to gain full command execution on legacy message brokers that serve as the backbone for internal application communication.
Tracked as CVE-2026-34197, the vulnerability involves improper input validation in the Jolokia management API of Apache ActiveMQ Classic. Attackers are currently exploiting this flaw by sending crafted POST requests to load malicious external Spring XML configurations. CISA added this to the KEV catalog on April 16 after observing its use in automated campaigns targeting unpatched middleware in the finance and healthcare sectors.
Infrastructure that is perceived as stable often escapes the rigorous patch cycles applied to newer cloud-native services. This 13-year-old backdoor serves as an operational reminder that legacy systems are high-value pivot points for attackers seeking unauthenticated root access to internal data flows and inter-service messaging.
– Update Apache ActiveMQ Classic to version 5.19.4 or 6.2.3 and higher immediately across all environments.
– Disable the Jolokia management API endpoint entirely if JMX-over-HTTP functionality is not required.
– Place the ActiveMQ web console behind a reverse proxy with strict authentication and IP whitelisting.
– Audit broker logs for anomalous requests to the /api/jolokia/ endpoint originating from unauthorized IP ranges.
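The log audit in the last point can be scripted. The following is an added example, not code from the original post or from the ActiveMQ project: it parses web-console access-log lines in the NCSA/Jetty common log format (an assumption; the actual request-log layout depends on how the broker's jetty.xml is configured), keeps only requests to the /api/jolokia/ endpoint, and reports those originating outside an administrative allow-list. The sample log lines and the allow-list ranges are constructed for the demonstration.

```python
"""Flag requests to the ActiveMQ Jolokia endpoint from outside an admin allow-list.

Added example (not part of the original post). Assumes NCSA/Jetty-style
access-log lines; adjust LOG_RE if your broker's request log differs.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample lines (not real broker output). Two hosts: 10.0.5.12 is an
# admin workstation inside the allow-list; 203.0.113.77 and 198.51.100.9 are not.
SAMPLE_LOG = """\
10.0.5.12 - - [16/Apr/2026:10:01:02 +0000] "GET /admin/index.jsp HTTP/1.1" 200 4213
10.0.5.12 - - [16/Apr/2026:10:01:09 +0000] "POST /api/jolokia/ HTTP/1.1" 200 512
203.0.113.77 - - [16/Apr/2026:10:03:41 +0000] "POST /api/jolokia/ HTTP/1.1" 200 1024
203.0.113.77 - - [16/Apr/2026:10:03:42 +0000] "POST /api/jolokia/ HTTP/1.1" 200 2048
198.51.100.9 - - [16/Apr/2026:10:05:00 +0000] "GET /api/jolokia/version HTTP/1.1" 401 0
"""

# Constructed allow-list: the only networks that should reach the management API.
ADMIN_ALLOWLIST = [ipaddress.ip_network(n) for n in ("10.0.5.0/24", "10.0.6.0/24")]

# NCSA common log format: client - user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

JOLOKIA_PREFIX = "/api/jolokia"


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["status"] = int(m.group("status"))
    return rec


def is_allowed(ip: str, allowlist=ADMIN_ALLOWLIST) -> bool:
    """True if the client address falls inside one of the allow-listed networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable client field: treat as not allowed
    return any(addr in net for net in allowlist)


def find_suspicious(log_text: str, allowlist=ADMIN_ALLOWLIST) -> List[Dict[str, object]]:
    """Return Jolokia requests from non-allow-listed clients.

    A successful (2xx/3xx) POST is rated 'high' because the management API
    accepted a write-style request from an unexpected source; anything else
    (e.g. a rejected GET) is rated 'medium' and still worth a look.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not str(rec["path"]).startswith(JOLOKIA_PREFIX):
            continue
        if is_allowed(str(rec["ip"]), allowlist):
            continue
        accepted_post = rec["method"] == "POST" and int(rec["status"]) < 400
        findings.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "method": rec["method"],
            "path": rec["path"],
            "status": rec["status"],
            "severity": "high" if accepted_post else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ts']} {f['ip']} {f['method']} {f['path']} -> {f['status']}")
```

Run it against the real request log by feeding its contents to `find_suspicious` instead of `SAMPLE_LOG`; a 'high' finding means the endpoint both was reachable from outside the allow-list and accepted a POST, which is exactly the precondition the mitigations above are meant to remove.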
Legacy middleware remains a strategic target for adversaries because it often lacks modern endpoint telemetry and remains invisible to standard perimeter scans. #CodeDefence #ActiveMQ #CISA #LegacyIT