A remote code execution vulnerability in Apache ActiveMQ Classic that remained undetected for 13 years has been discovered using the Claude AI assistant, which analyzed interactions between independent components to identify an exploit path. Tracked as CVE-2026-34197 with a severity score of 8.8, the flaw affects ActiveMQ Classic versions before 5.19.4 and all 6.x versions from 6.0.0 up to (but not including) the fixed 6.2.3 release. The issue stems from ActiveMQ's Jolokia management API exposing a broker operation called addNetworkConnector that can be abused to load external configurations.
By sending specially crafted requests, attackers can force the broker to fetch a remote Spring XML file and execute arbitrary system commands during initialization. The vulnerability requires authentication via Jolokia, though versions 6.0.0 through 6.1.1 become unauthenticated due to a separate access control bug tracked as CVE-2024-32114. Horizon3 researcher Naveen Sunkavally reported the issue to Apache maintainers on March 22, with fixes released on March 30 in versions 6.2.3 and 5.19.4.
While not yet confirmed as actively exploited, the researchers note that signs of exploitation are visible in broker logs, recommending administrators look for suspicious connections using the internal VM transport protocol. ActiveMQ has been a repeated target for real-world attackers, with previous CVEs appearing on CISA's Known Exploited Vulnerabilities list. Horizon3 urges organizations running ActiveMQ to prioritize patching given the well-known exploitation methods for this platform.
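As an added example (not Horizon3's or the ActiveMQ project's code), the two defender checks the summary describes: classifying a broker version against the stated affected ranges, and scanning broker log lines for a network connector being raised over the internal VM transport. The log lines are constructed, modelled on ActiveMQ's default log layout, and the regex is an assumption about how such bridges appear in the log.

```python
import re
from typing import List, Tuple

# Version ranges as stated in the advisory: fixed in 5.19.4 and 6.2.3; 6.0.0-6.1.1
# additionally lack the Jolokia auth check (CVE-2024-32114).
FIXED_5X = (5, 19, 4)
FIXED_6X = (6, 2, 3)
UNAUTH_LOW, UNAUTH_HIGH = (6, 0, 0), (6, 1, 1)

def parse_version(v: str) -> Tuple[int, ...]:
    nums = [int(p) for p in re.findall(r"\d+", v)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def assess_version(v: str) -> str:
    """Classify a broker version against the ranges given for CVE-2026-34197."""
    t = parse_version(v)
    if t < FIXED_5X:
        return "vulnerable (authenticated Jolokia)"
    if t[0] == 6 and t < FIXED_6X:
        if UNAUTH_LOW <= t <= UNAUTH_HIGH:
            return "vulnerable (unauthenticated via CVE-2024-32114)"
        return "vulnerable (authenticated Jolokia)"
    return "patched"

# Assumed log shape: a network bridge being established from the vm:// transport.
# Legitimate network-of-brokers setups log the same thing, so every hit must be
# compared against the broker's known, static network connector configuration.
NETWORK_VIA_VM = re.compile(r"(?i)network connection (from|between) vm://|vm://\S*[?&]network=true")

def find_suspicious_lines(log: str) -> List[Tuple[int, str]]:
    hits = []
    for n, line in enumerate(log.splitlines(), 1):
        if NETWORK_VIA_VM.search(line) or "addNetworkConnector" in line:
            hits.append((n, line))
    return hits

# Constructed sample log: normal startup (lines 1-2), then a runtime bridge (lines 3-4).
SAMPLE_LOG = """\
2026-03-25 10:01:02,117 | INFO  | Apache ActiveMQ 6.1.0 (broker-1) is starting | org.apache.activemq.broker.BrokerService | main
2026-03-25 10:01:03,402 | INFO  | Connector vm://localhost started | org.apache.activemq.broker.TransportConnector | main
2026-03-25 10:14:55,880 | INFO  | Establishing network connection from vm://localhost?async=false&network=true to tcp://203.0.113.10:61616 | org.apache.activemq.network.DiscoveryNetworkConnector | main
2026-03-25 10:14:56,210 | INFO  | Network connection between vm://localhost#4 and tcp://203.0.113.10:61616 (broker-1) has been established. | org.apache.activemq.network.DemandForwardingBridgeSupport | main
"""

if __name__ == "__main__":
    print(assess_version("6.1.0"))
    for n, line in find_suspicious_lines(SAMPLE_LOG):
        print(f"line {n}: {line}")
```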
