A critical vulnerability hidden for over a decade has been uncovered in Apache ActiveMQ Classic, exposing organizations to potential remote code execution (RCE) attacks. The flaw, tracked as CVE-2026-34197, highlights how long-standing weaknesses in widely used infrastructure can remain undetected—and exploitable—for years.
Apache ActiveMQ is a core messaging and integration platform used across industries to manage data flow between applications. The newly discovered issue allows attackers to abuse the platform’s Jolokia API, a management interface, to execute malicious commands on the host system. By manipulating how the broker loads configurations, attackers can trick it into fetching and executing a malicious remote file, ultimately leading to full system compromise.
On its own, the vulnerability requires authentication, which limits immediate risk. However, the real danger emerges when it is chained with other flaws. Researchers from Horizon3.ai found that this bug can bypass the protections introduced to fix an earlier vulnerability (CVE-2022-41678), effectively reopening an attack path that was thought to be secured.
Even more concerning is the interaction with another vulnerability, CVE-2024-32114, which exposes the Jolokia API without authentication in certain versions of ActiveMQ. When combined, these flaws allow attackers to bypass authentication entirely and achieve remote code execution, significantly increasing the severity of the threat.
The attack technique leverages ActiveMQ’s VM transport feature, which is designed to enable communication within the same Java Virtual Machine (JVM). If a referenced broker does not exist, the system automatically creates one and can be manipulated to load attacker-controlled configurations. This behavior allows malicious Spring XML files to be executed, triggering arbitrary code execution on the system.
This discovery underscores the risks of complex, feature-rich systems where multiple components interact. Even if individual vulnerabilities appear limited, chaining them together can create critical attack paths that are far more dangerous than each flaw alone.
The vulnerability has now been patched in ActiveMQ Classic versions 5.19.4 and 6.2.3. Organizations using affected versions are strongly advised to update immediately and review their configurations, particularly around API exposure and authentication controls.
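A patch-triage sketch for the advice above, added here as an example; it is not code from Apache or Horizon3.ai. It assumes that any build older than the fixed release on its branch needs the update (the article names only the fixed versions), and the inventory rows, hostnames and the `jolokia_open` flag are constructed for illustration.

```python
import re

# Fixed ActiveMQ Classic releases named in the article, keyed by major version.
FIXED = {5: (5, 19, 4), 6: (6, 2, 3)}

def parse_version(text):
    """Split '6.2.0-SNAPSHOT' into ((6, 2, 0), '-SNAPSHOT')."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?(\S*)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch, qualifier = m.groups()
    return (int(major), int(minor), int(patch or 0)), qualifier

def needs_update(version_text):
    """True if the build predates the fixed release on its branch."""
    numbers, qualifier = parse_version(version_text)
    fixed = FIXED.get(numbers[0])
    if fixed is None:
        # Assumption: majors older than 5 are treated as unpatched,
        # majors newer than 6 as already containing the fix.
        return numbers[0] < min(FIXED)
    # Compare as integer tuples so 6.10.0 sorts after 6.2.3. A qualified
    # build of the fixed version (e.g. -SNAPSHOT) is flagged conservatively.
    return numbers < fixed or (numbers == fixed and bool(qualifier))

def triage(inventory):
    """Map host -> verdict for rows of (host, version, jolokia_open)."""
    result = {}
    for host, version, jolokia_open in inventory:
        if needs_update(version):
            # Jolokia answering without credentials removes the auth barrier.
            result[host] = "urgent" if jolokia_open else "update"
        else:
            # Patched, but an open management API still needs a config review.
            result[host] = "review-exposure" if jolokia_open else "ok"
    return result

# Constructed sample inventory; jolokia_open comes from your own audit.
SAMPLE = [
    ("mq-a.example.internal", "5.18.3", False),
    ("mq-b.example.internal", "6.1.0", True),
    ("mq-c.example.internal", "6.10.0", False),
    ("mq-d.example.internal", "5.19.4-SNAPSHOT", False),
    ("mq-e.example.internal", "6.2.3", True),
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE).items():
        print(f"{host}: {verdict}")
```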
Ultimately, this case serves as a reminder that legacy vulnerabilities can persist undetected for years, and that layered security—along with regular updates and audits—is essential to preventing exploitation.





