CISA Tells Feds to Patch 13-Year-Old Apache ActiveMQ Bug Under Active Attack

The Register, Apr 17, 2026

Why It Matters

The directive forces rapid remediation across the federal estate, preventing attackers from turning a core messaging component into a remote command platform and protecting downstream supply‑chain partners.

Key Takeaways

  • CISA adds CVE‑2026‑34197 to the KEV catalog, triggering mandatory remediation under BOD 22‑01
  • Federal agencies must patch ActiveMQ by 30 April or document why they are accepting the risk
  • The flaw is reached through the Jolokia management API; default “admin:admin” credentials remain common on exposed brokers
  • Versions 6.0.0 to 6.1.1 are additionally affected by CVE‑2024‑32114, which attackers chain to reach unauthenticated RCE
  • Over 8,000 internet‑exposed ActiveMQ instances worldwide carry the flaw

Pulse Analysis

Apache ActiveMQ powers millions of enterprise integrations, shuttling messages between microservices, IoT devices, and legacy systems. Its open‑source nature accelerates adoption but also means vulnerabilities can linger unnoticed for years, as demonstrated by CVE‑2026‑34197—a remote code execution flaw hidden for 13 years. The exploit leverages the Jolokia management API, and because many installations ship with default credentials, attackers can quickly gain execution rights. The discovery, aided by AI‑driven code analysis, underscores how modern tooling can surface ancient bugs that pose contemporary threats.

CISA’s inclusion of the ActiveMQ flaw on the KEV catalog signals a shift from advisory to mandatory remediation for federal agencies. Binding Operational Directive 22‑01 imposes a two‑week deadline, compelling agencies to update to ActiveMQ 5.19.5 or 6.2.3 or to document risk acceptance. This rapid timeline reflects the agency’s intent to curb active exploitation, especially given Shadowserver’s observation of more than 8,000 internet‑exposed instances. The directive also serves as a bellwether for the private sector, where similar compliance pressures may emerge as supply‑chain risk assessments tighten.

Organizations should treat the ActiveMQ issue as a catalyst for broader vulnerability‑management hygiene. Immediate steps include deploying the official patches, rotating default credentials, and restricting Jolokia API access through network segmentation or authentication hardening. Continuous scanning for exposed brokers, coupled with threat‑intel feeds on KEV listings, can help detect lingering exposures. As attackers increasingly chain older flaws—such as CVE‑2024‑32114—to achieve unauthenticated RCE, a proactive, layered defense becomes essential to safeguard both government operations and the wider digital ecosystem.
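The remediation steps above (confirm you are on a fixed release, check whether the 6.0.0 to 6.1.1 chaining range also applies, and rotate default console credentials) can be turned into a small local audit. The script below is an added example, not code from The Register or from the Apache ActiveMQ project. The fixed versions (5.19.5 / 6.2.3) and the 6.0.0 to 6.1.1 range are taken from the summary; the `jetty-realm.properties` layout (`user: password, role, ...`) is assumed to match a stock ActiveMQ install, and the sample realm file is constructed for the example.

```python
"""Local ActiveMQ exposure audit for the advisory summarised above.

Added example, not code from The Register or the Apache ActiveMQ project.
Version thresholds come from the summary; the realm-file format is an
assumption about a default ActiveMQ install (conf/jetty-realm.properties).
"""
import re
from typing import Dict, List, Tuple

# First patched release on each supported branch (from the summary).
FIXED = {5: (5, 19, 5), 6: (6, 2, 3)}
# Range also affected by CVE-2024-32114, which attackers chain for unauthenticated RCE (from the summary).
CHAIN_RANGE = ((6, 0, 0), (6, 1, 1))

# Constructed sample resembling conf/jetty-realm.properties: "user: password, role[, role...]".
SAMPLE_REALM = """\
# constructed sample for this example
admin: admin, admin
user: user, user
ops: S3cure!Pass, admin
"""


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '5.18.3' (optionally with a suffix) into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised ActiveMQ version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_patched(version: str) -> bool:
    """True if the broker is at or above the fixed release for its branch."""
    v = parse_version(version)
    fixed = FIXED.get(v[0])
    if fixed is None:
        return False  # branch not covered by the advisory's fixed releases: treat as unpatched
    return v >= fixed


def in_chain_range(version: str) -> bool:
    """True if the version also falls in the 6.0.0 to 6.1.1 range hit by CVE-2024-32114."""
    v = parse_version(version)
    return CHAIN_RANGE[0] <= v <= CHAIN_RANGE[1]


def weak_realm_users(realm_text: str) -> List[str]:
    """Return console users whose password is 'admin' or equals their username."""
    weak: List[str] = []
    for raw in realm_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, _, rest = line.partition(":")
        user = user.strip()
        fields = [f.strip() for f in rest.split(",")]
        password = fields[0] if fields else ""
        if user and password in ("admin", user):
            weak.append(user)
    return weak


def audit(version: str, realm_text: str) -> Dict[str, object]:
    """Combine the three checks into one findings list for a single broker."""
    findings: List[str] = []
    if not is_patched(version):
        findings.append(f"ActiveMQ {version} is below the fixed release for CVE-2026-34197; upgrade to 5.19.5 or 6.2.3")
    if in_chain_range(version):
        findings.append(f"ActiveMQ {version} is in the 6.0.0-6.1.1 range also affected by CVE-2024-32114")
    for u in weak_realm_users(realm_text):
        findings.append(f"default or username-equal password for console user '{u}'; rotate it")
    return {"version": version, "patched": is_patched(version), "findings": findings}


if __name__ == "__main__":
    # Run against the constructed sample; on a real host read conf/jetty-realm.properties
    # and the version reported by the broker instead.
    result = audit("6.1.0", SAMPLE_REALM)
    for f in result["findings"]:
        print("FINDING:", f)
```

Pair the script with network-side checks: a broker that passes both the version and credential tests should still have its Jolokia endpoint restricted to management networks, since the summary's remediation advice treats patching, credential rotation and API exposure as separate controls.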
