Apache ActiveMQ Critical RCE Flaw CVE-2026-34197 Under Active Exploitation — Patch Now
CISA and multiple security vendors have issued urgent alerts about active exploitation of CVE-2026-34197, a critical remote code execution vulnerability in Apache ActiveMQ 5.x and 6.x. Attackers are using the flaw to deploy ransomware and cryptominers across enterprise environments.
Vulnerability Details
- CVE: CVE-2026-34197
- CVSS Score: 10.0 (Critical)
- Affected versions: Apache ActiveMQ 5.15.0 through 5.18.3, 6.0.0 through 6.1.1
- Attack type: Unauthenticated remote code execution via OpenWire protocol (port 61616)
- Patched versions: ActiveMQ 5.18.4 and 6.1.2
Who Is Affected
Apache ActiveMQ is widely used as a message broker in enterprise Java applications. Organizations running ActiveMQ as part of their microservices infrastructure, CI/CD pipelines, or financial processing systems are at high risk.
Check If You Are Vulnerable
# Check ActiveMQ version
activemq version
# Or check the JAR file (each path is passed as an argument, so odd filenames are not interpreted by the shell)
find / -name "activemq-*.jar" -exec sh -c 'echo "$1" && unzip -p "$1" META-INF/MANIFEST.MF | grep Implementation-Version' sh {} \; 2>/dev/null
# Check if port 61616 is exposed
netstat -tlnp | grep 61616
ss -tlnp | grep 61616
# Check from external (if your IP is allowed)
nmap -p 61616 your-server-ip
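The commands above print a version but leave the comparison to you. The following script is an added example, not part of the original article or of the ActiveMQ project: it classifies a version string against the affected ranges listed under Vulnerability Details. The function names are hypothetical and the sample versions are constructed.

```shell
#!/bin/sh
# Added example: compare an ActiveMQ version with the affected ranges listed
# in "Vulnerability Details". All function names here are hypothetical.

# Pull the version out of MANIFEST.MF text on stdin (tolerates CRLF endings).
version_from_manifest() {
    sed -n 's/^Implementation-Version:[[:space:]]*\([^[:space:]]*\).*/\1/p' |
        tr -d '\r' | head -n 1
}

# ver_cmp A B: print -1, 0 or 1 for dotted numeric versions A and B.
ver_cmp() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "$a" = "$x" ] && a= || a=${a#*.}
        [ "$b" = "$y" ] && b= || b=${b#*.}
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then echo -1; return 0; fi
        if [ "$x" -gt "$y" ]; then echo 1; return 0; fi
    done
    echo 0
}

# in_range V LO HI: succeed when LO <= V <= HI.
in_range() {
    [ "$(ver_cmp "$1" "$2")" -ge 0 ] && [ "$(ver_cmp "$1" "$3")" -le 0 ]
}

# Print affected, not-listed or unknown for one version string.
classify_activemq() {
    v=${1%%[!0-9.]*}    # drop suffixes such as -SNAPSHOT
    case $v in ''|.*|*..*|*.) echo unknown; return 0 ;; esac
    if in_range "$v" 5.15.0 5.18.3 || in_range "$v" 6.0.0 6.1.1; then
        echo affected
    else
        echo not-listed
    fi
}

# Constructed sample input, not taken from a real host.
for sample in 5.15.0 5.18.3 5.18.4 6.0.0 6.1.2 5.17.6-SNAPSHOT; do
    printf '%s\t%s\n' "$sample" "$(classify_activemq "$sample")"
done
```

A result of not-listed only means the version falls outside the ranges given on this page; it makes no claim about releases the page does not mention.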
Patching ActiveMQ
# Download patched version
wget https://downloads.apache.org/activemq/5.18.4/apache-activemq-5.18.4-bin.tar.gz
# Verify checksum (SHA-512 integrity check)
wget https://downloads.apache.org/activemq/5.18.4/apache-activemq-5.18.4-bin.tar.gz.sha512
sha512sum -c apache-activemq-5.18.4-bin.tar.gz.sha512
# Stop current instance
./bin/activemq stop
# Backup config and data
cp -r conf/ conf.bak/
cp -r data/ data.bak/
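# Extract and start new version
tar xzf apache-activemq-5.18.4-bin.tar.gz
# Carry your configuration changes over to apache-activemq-5.18.4/conf/ before starting
./apache-activemq-5.18.4/bin/activemq start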
Emergency Mitigations
# Block port 61616 from internet-facing interfaces
iptables -A INPUT -p tcp --dport 61616 -s 10.0.0.0/8 -j ACCEPT # Allow internal only
iptables -A INPUT -p tcp --dport 61616 -j DROP # Drop everything else; must come after the ACCEPT rule
# Disable OpenWire protocol if not needed
# In activemq.xml, remove or comment out:
#
# Enable authentication if not already enabled
# In activemq.xml, ensure:
# ...
The SudoFlare Takeaway
A CVSS 10.0 unauthenticated RCE in a widely deployed message broker is as bad as it gets. Patch immediately, and audit your network to ensure ActiveMQ’s management console (port 8161) and OpenWire connector (port 61616) are never exposed to the internet. Message brokers should always sit behind a VPN or on internal networks only.