A critical remote code execution (RCE) vulnerability has been discovered in Apache ActiveMQ Classic, existing undetected for 13 years. The flaw, identified as CVE-2026-34197, can be combined with a prior vulnerability to bypass authentication, cybersecurity firm Horizon3.ai reports.
Apache ActiveMQ’s Role and Vulnerability
Apache ActiveMQ is a widely used open-source messaging server that handles message routing and integration across many industries. The classic version, known as ActiveMQ Classic, is the original broker implementation. The newly disclosed vulnerability lets attackers abuse management operations exposed through the Jolokia API so that the broker loads a remote configuration file and ends up executing operating system commands.
This security defect acts as a bypass for the fix for CVE-2022-41678, a flaw that allowed attackers to write webshells to disk through specific JDK MBeans. That earlier patch introduced a flag controlling which ActiveMQ MBean operations can be invoked through Jolokia, and the new RCE issue emerges in the broker-to-broker bridge operations that remain reachable.
Exploitation Methodology
To exploit this bug, attackers would need to target ActiveMQ’s VM transport feature, designed to embed a broker within an application. This allows direct communication between the client and broker in the same JVM. If the VM transport URI points to a non-existent broker, ActiveMQ will create one and possibly load a configuration containing attacker-provided URLs.
By chaining these elements, an attacker could coerce the broker into loading an attacker-controlled Spring XML configuration file, thereby achieving remote code execution. The cybersecurity firm notes that in some cases RCE is possible without authentication by combining the bug with CVE-2024-32114, which leaves the Jolokia API exposed to unauthenticated users on ActiveMQ 6.x versions.
Security Measures and Recommendations
CVE-2024-32114 is a vulnerability in which the /api/* path, which includes the Jolokia endpoint, was mistakenly omitted from the security constraints of the web console. The oversight results in complete unauthenticated access to that path on ActiveMQ versions 6.0.0 to 6.1.1.
The new flaw has been fixed in ActiveMQ Classic versions 5.19.4 and 6.2.3. Users are strongly encouraged to update promptly to close off the exploit chain.
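For defenders triaging an inventory of brokers, the two facts that matter from the article are the fixed versions (5.19.4 and 6.2.3) and the unauthenticated-Jolokia window (6.0.0 to 6.1.1). The script below is an added example written for this page, not code from Horizon3.ai, Apache, or the article: it classifies version strings against those ranges and checks whether a web-console Jetty configuration still lists /api/* among its security-constrained paths. It assumes the constraints live in a Spring-style beans XML with a ConstraintMapping bean whose pathSpec property is a comma-separated list (an assumption about the jetty.xml layout); the version list and XML snippets are constructed sample input.

```python
import re
import xml.etree.ElementTree as ET

# Fixed versions named in the article: ActiveMQ Classic 5.19.4 and 6.2.3.
FIXED_5X = (5, 19, 4)
FIXED_6X = (6, 2, 3)
# CVE-2024-32114 (unauthenticated /api/*, including Jolokia) affects 6.0.0 to 6.1.1.
UNAUTH_LOW = (6, 0, 0)
UNAUTH_HIGH = (6, 1, 1)


def parse_version(text):
    """Parse 'major.minor.patch' (suffixes such as '-SNAPSHOT' are ignored) into a tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised ActiveMQ version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess_version(text):
    """Flag a broker as unpatched for the RCE and/or inside the unauthenticated-Jolokia window."""
    v = parse_version(text)
    result = {"version": text, "unpatched_rce": False, "unauth_jolokia": False}
    if v[0] == 5:
        result["unpatched_rce"] = v < FIXED_5X
    elif v[0] == 6:
        result["unpatched_rce"] = v < FIXED_6X
        result["unauth_jolokia"] = UNAUTH_LOW <= v <= UNAUTH_HIGH
    return result


def _local(tag):
    """Strip an XML namespace prefix so Spring beans files with a default xmlns still match."""
    return tag.rsplit("}", 1)[-1]


def api_path_constrained(jetty_xml):
    """Return True if some ConstraintMapping bean's pathSpec covers /api/* (assumed layout)."""
    root = ET.fromstring(jetty_xml)
    for bean in root.iter():
        if _local(bean.tag) != "bean" or not bean.get("class", "").endswith("ConstraintMapping"):
            continue
        for prop in bean:
            if _local(prop.tag) == "property" and prop.get("name") == "pathSpec":
                specs = [s.strip() for s in prop.get("value", "").split(",")]
                if "/api/*" in specs:
                    return True
    return False


# Constructed sample input: a jetty.xml fragment missing /api/* and a corrected one.
WEAK_JETTY = """<beans>
  <bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
    <property name="pathSpec" value="/admin/*,*.jsp"/>
  </bean>
</beans>"""

FIXED_JETTY = """<beans>
  <bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
    <property name="pathSpec" value="/api/*,/admin/*,*.jsp"/>
  </bean>
</beans>"""


if __name__ == "__main__":
    # Constructed inventory of broker versions.
    for ver in ["5.18.3", "5.19.4", "6.1.0", "6.1.2", "6.2.3"]:
        print(assess_version(ver))
    print("weak jetty.xml constrains /api/*:", api_path_constrained(WEAK_JETTY))
    print("fixed jetty.xml constrains /api/*:", api_path_constrained(FIXED_JETTY))
```

A 6.1.x broker reports both flags set: it needs the 6.2.3 upgrade for the RCE, and until then the /api/* constraint check tells you whether the Jolokia endpoint is at least behind authentication.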
In related cybersecurity developments, hackers are targeting vulnerabilities in Ninja Forms, putting WordPress sites at risk, and Anthropic has introduced the ‘Claude Mythos’ breakthrough, which has implications for both cyber defense and attack strategies. In addition, a critical vulnerability in Flowise and a severe flaw in Android’s StrongBox have recently been patched.
