Apache ActiveMQ Broker RCE via Jolokia JMX Bridge

CVE Notify is flagging a critical vulnerability, CVE-2026-34197, impacting Apache ActiveMQ Classic. This flaw hinges on the Jolokia JMX-HTTP bridge, exposed by default on the web console’s /api/jolokia/ endpoint. The default configuration for Jolokia allows exec operations on all ActiveMQ MBeans, including sensitive ones like BrokerService.addNetworkConnector and BrokerService.addConnector.

An authenticated attacker can leverage this by sending a specially crafted discovery URI. This URI tricks the VM transport’s brokerConfig parameter into loading a remote Spring XML application context. The kicker? Spring’s ResourceXmlApplicationContext initializes all singleton beans before the ActiveMQ Broker can validate the configuration. This provides a golden opportunity for arbitrary code execution within the broker’s JVM, often through built-in bean factory methods like Runtime.exec().

This vulnerability affects Apache ActiveMQ Broker versions prior to 5.19.4 and versions from 6.0.0 up to, but not including, 6.2.3. CVE Notify strongly advises upgrading to either 5.19.4 or 6.2.3 to patch this significant security hole.

What This Means For You

  • Organizations running Apache ActiveMQ Classic must immediately audit their configurations for exposed Jolokia endpoints and ensure they are running patched versions (5.19.4+ or 6.2.3+), as this RCE can be triggered by an authenticated attacker.
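
A defender-side check for the request pattern described above, as an added example that is not part of the original advisory or of ActiveMQ's code: it scans captured Jolokia POST bodies for exec calls to the two BrokerService operations named here. The sample bodies, the MBean name, the placeholder arguments and the severity labels are constructed assumptions.

```python
import json

# Operations and MBean domain named in the advisory.
RISKY_OPS = {"addNetworkConnector", "addConnector"}
MBEAN_DOMAIN = "org.apache.activemq:"

def review_jolokia_body(body):
    """Return one finding per Jolokia exec request hitting the risky operations."""
    try:
        parsed = json.loads(body)
    except json.JSONDecodeError:
        return []
    # Jolokia accepts one request object or a JSON array (bulk request).
    requests = parsed if isinstance(parsed, list) else [parsed]
    findings = []
    for req in requests:
        if not isinstance(req, dict) or str(req.get("type", "")).lower() != "exec":
            continue
        mbean = str(req.get("mbean", ""))
        # The operation may carry a signature: "addConnector(java.lang.String)".
        op = str(req.get("operation", "")).split("(", 1)[0].strip()
        if not mbean.startswith(MBEAN_DOMAIN) or op not in RISKY_OPS:
            continue
        args = req.get("arguments") or []
        args = args if isinstance(args, list) else [args]
        # A brokerConfig parameter in the URI argument is the trait the advisory describes.
        has_cfg = any("brokerconfig" in str(a).lower() for a in args)
        findings.append({"mbean": mbean, "operation": op,
                         "severity": "high" if has_cfg else "review"})
    return findings

# Constructed sample bodies (not captured traffic); argument values are placeholders.
BROKER = "org.apache.activemq:type=Broker,brokerName=localhost"
SAMPLES = [
    json.dumps({"type": "read", "mbean": BROKER, "attribute": "TotalMessageCount"}),
    json.dumps({"type": "exec", "mbean": BROKER,
                "operation": "addNetworkConnector(java.lang.String)",
                "arguments": ["constructed-placeholder?brokerConfig=PLACEHOLDER"]}),
    json.dumps([{"type": "exec", "mbean": "java.lang:type=Memory", "operation": "gc"},
                {"type": "exec", "mbean": BROKER, "operation": "addConnector",
                 "arguments": ["constructed-placeholder"]}]),
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(review_jolokia_body(body))
```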

Indicators of Compromise

ID | Type | Indicator
CVE-2026-34197 | Code Injection | Apache ActiveMQ Broker and Apache ActiveMQ Classic, versions before 5.19.4 and from 6.0.0 before 6.2.3. Vulnerable component: Jolokia JMX-HTTP bridge at /api/jolokia/. Exploitation involves invoking BrokerService.addNetworkConnector(String) or BrokerService.addConnector(String) via crafted discovery URI to load remote Spring XML application context, leading to arbitrary code execution via Runtime.exec().
CVE-2026-34197 | Misconfiguration | Apache ActiveMQ Broker and Apache ActiveMQ Classic, versions before 5.19.4 and from 6.0.0 before 6.2.3. Default Jolokia access policy permits 'exec' operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String), enabling exploitation.
CVE-2026-34197 | RCE | Apache ActiveMQ Broker and Apache ActiveMQ Classic, versions before 5.19.4 and from 6.0.0 before 6.2.3. Exploitation via Jolokia JMX-HTTP bridge (/api/jolokia/) using ResourceXmlApplicationContext to load remote Spring XML, triggering bean factory methods like Runtime.exec() on the broker's JVM.