As outlined in Bleeping Computer, a critical remote code execution (RCE) vulnerability, CVE-2026-34197, has been discovered in Apache ActiveMQ Classic. This flaw remained undetected for 13 years and allows attackers to execute arbitrary commands on affected systems.

The vulnerability, with a severity score of 8.8, affects multiple versions of Apache ActiveMQ/Broker. It stems from the Jolokia management API exposing a broker function that can be abused to load external configurations. Attackers can send a crafted request to force the broker to fetch a remote Spring XML file and execute arbitrary commands during initialization. While authentication is typically required, a separate bug (CVE-2024-32114) makes the API unauthenticated in versions 6.0.0 through 6.1.1. The discovery was notably aided by the Claude AI assistant, which helped researchers identify the exploit path by analyzing component interactions.

Given ActiveMQ's widespread use in enterprise, government, and web backend systems, and its history as a target for real-world attacks, organizations are urged to treat this vulnerability as a high priority. The potential for exploitation, especially with the added unauthenticated access in certain versions, poses a significant risk. While not yet reported as actively exploited, signs in broker logs suggest potential reconnaissance. Prompt patching to versions 5.19.4 or 6.2.3 and above is recommended.

Source: Bleeping Computer
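For patch prioritization, the version facts above can be applied to a broker inventory. The following is an added example, not code from the article or from the Apache project; the priority labels (P1, P2, REVIEW, OK), the host names and the inventory format are assumptions, and only the version thresholds come from the text.

```python
import re

# Thresholds taken from the article text.
FIXED = {5: (5, 19, 4), 6: (6, 2, 3)}      # first patched release per major line
UNAUTH = ((6, 0, 0), (6, 1, 1))            # CVE-2024-32114: Jolokia API unauthenticated

def parse_version(text):
    """Return ((major, minor, patch), is_prerelease) for '5.18.3', '6.1', '6.2.3-SNAPSHOT'."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?(.*)$", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    nums = tuple(int(g or 0) for g in m.groups()[:3])
    return nums, bool(m.group(4).strip())

def triage(version_text):
    """Classify one broker version (labels are this example's own, not the article's)."""
    v, prerelease = parse_version(version_text)
    fixed = FIXED.get(v[0])
    if fixed is None:
        return "REVIEW"                    # major line the article does not mention
    if v == fixed and prerelease:
        return "REVIEW"                    # a pre-release build may predate the fix
    if v >= fixed:
        return "OK"
    if UNAUTH[0] <= v <= UNAUTH[1]:
        return "P1"                        # needs upgrade, management API reachable without login
    return "P2"                            # needs upgrade, API normally behind authentication

def prioritise(inventory):
    """Sort (host, version) pairs so the most urgent brokers come first."""
    order = {"P1": 0, "P2": 1, "REVIEW": 2, "OK": 3}
    rows = [(host, ver, triage(ver)) for host, ver in inventory]
    return sorted(rows, key=lambda r: (order[r[2]], r[0]))

# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE = [("mq-a", "5.18.3"), ("mq-b", "6.1.0"), ("mq-c", "6.2.3"),
          ("mq-d", "6.2.0"), ("mq-e", "4.1.2")]

if __name__ == "__main__":
    for host, ver, label in prioritise(SAMPLE):
        print(f"{label:6} {host:6} {ver}")
```
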
Vulnerability Management, Patch/Configuration Management, AI/ML
13-year-old Apache ActiveMQ RCE vulnerability discovered, AI assisted in finding exploit



