
CVE-2026-34197: Apache ActiveMQ Unauthenticated RCE — Detection and Remediation Guide

Security Arsenal Team
April 19, 2026

A critical security vulnerability affecting Apache ActiveMQ, tracked as CVE-2026-34197, is being actively exploited in the wild. Initial intelligence surfaced in early April indicating that threat actors are leveraging this flaw to achieve unauthenticated remote code execution (RCE) on susceptible servers. Given ActiveMQ's prevalence in enterprise service-oriented architectures—often sitting at the heart of payment processing, supply chain logistics, and internal messaging—this vulnerability represents a severe risk of operational disruption and data breach. Defenders must treat this as a critical incident and prioritize immediate patching and network containment.

Technical Analysis

Affected Product: Apache ActiveMQ (Classic and Artemis)
CVE Identifier: CVE-2026-34197
CVSS Score: 10.0 (Critical)

CVE-2026-34197 is an unauthenticated remote code execution vulnerability. While specific technical details are under embargo to allow widespread patching, the vulnerability is understood to exist within the OpenWire protocol implementation or the messaging broker's handling of serialized objects.

Attack Chain:

  1. Reconnaissance: Attacker scans for port 61616 (OpenWire) or 8161 (Web Console) exposed to the internet.
  2. Exploitation: Attacker sends a specially crafted malicious packet via the ActiveMQ protocol. No valid credentials or session tokens are required.
  3. Execution: The parser triggers a flaw (likely a deserialization bug) that allows the attacker to inject arbitrary commands into the underlying operating system context of the broker.
  4. Objectives: Observed post-exploitation activities include reverse shell establishment, deployment of cryptocurrency miners, and lateral movement to adjacent systems.

Exploitation Status: Confirmed Active Exploitation (In-the-Wild). SecurityWeek reports indicate active scanning and exploitation campaigns began shortly after the vulnerability disclosure in early April.

Detection & Response

Detecting this vulnerability requires identifying suspicious process spawning behaviors from the Java runtime hosting ActiveMQ. Since the exploit results in OS command execution, the most reliable detection method is monitoring for the java process (ActiveMQ) spawning unexpected shells (sh, bash, cmd.exe, powershell.exe).
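The parent/child rule described above, run over a few constructed process-creation events, as an added example (not code from the original advisory or from the ActiveMQ project). The JSON-lines field names (parent_image, image, cmdline, ...) are an assumed EDR-style schema, not a real product's; the point is that the match is on the exact basename of the parent and child images, so that names merely containing "sh" (such as sshd) or a shell started by another shell are not flagged.

```python
import json

# Process names treated as the broker's Java runtime and as shells; the names
# mirror the Sigma/KQL rules on this page but are compared as exact basenames.
JAVA_NAMES = {"java", "java.exe", "javaw.exe"}
SHELL_NAMES = {"sh", "bash", "dash", "cmd.exe", "powershell.exe", "pwsh.exe"}

# Constructed telemetry in JSON-lines form (assumed schema, not a real product's).
# Event 2 (java -> sshd) and event 4 (bash -> sh) are decoys that a substring
# match on "sh" or a parent check on "java" alone would misclassify.
SAMPLE_EVENTS = r"""
{"ts":"2026-04-08T10:01:02Z","host":"mq-01","user":"activemq","parent_image":"/usr/lib/jvm/java-17/bin/java","image":"/bin/sh","cmdline":"sh -c id"}
{"ts":"2026-04-08T10:01:05Z","host":"mq-01","user":"root","parent_image":"/usr/lib/jvm/java-17/bin/java","image":"/usr/sbin/sshd","cmdline":"sshd: activemq [priv]"}
{"ts":"2026-04-08T10:02:00Z","host":"mq-02","user":"NT AUTHORITY\\SYSTEM","parent_image":"C:\\Program Files\\Java\\jdk-17\\bin\\java.exe","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c whoami"}
{"ts":"2026-04-08T10:03:00Z","host":"mq-03","user":"activemq","parent_image":"/usr/bin/bash","image":"/bin/sh","cmdline":"sh /opt/activemq/bin/activemq start"}
{"ts":"2026-04-08T10:04:00Z","host":"mq-01","user":"activemq","parent_image":"/usr/lib/jvm/java-17/bin/java","image":"/usr/lib/jvm/java-17/bin/java","cmdline":"java -version"}
"""


def basename(path: str) -> str:
    """Last path component, case-folded, for either POSIX or Windows separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_java_spawned_shell(event: dict) -> bool:
    """True when the parent image is the Java runtime and the child image is a shell.
    Exact basename comparison is what keeps sshd (which contains "sh") out."""
    return (basename(event["parent_image"]) in JAVA_NAMES
            and basename(event["image"]) in SHELL_NAMES)


def detect(jsonl: str) -> list:
    """Apply the rule to JSON-lines telemetry and return one alert dict per hit."""
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if is_java_spawned_shell(ev):
            alerts.append({
                "ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                "shell": basename(ev["image"]), "cmdline": ev["cmdline"],
            })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[ALERT] {a['ts']} {a['host']} {a['user']}: {a['shell']} <- {a['cmdline']}")
```

Run against the constructed sample, only the first and third events produce alerts. Tuning for a real environment means adding the known-good launcher command lines (the falsepositives entries in the Sigma rules) as an exclusion on cmdline, not loosening the parent or child match.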

Sigma Rules

YAML
---
title: Apache ActiveMQ Exploitation - Java Spawning Shell (Linux)
id: 8a4b3c2d-1e9f-4a5b-8c6d-7e8f9a0b1c2d
status: experimental
description: Detects Apache ActiveMQ (Java process) spawning a shell on Linux, indicative of CVE-2026-34197 exploitation or similar RCE attempts.
references:
  - https://www.securityweek.com/recent-apache-activemq-vulnerability-exploited-in-the-wild/
author: Security Arsenal
date: 2026/04/08
tags:
  - attack.execution
  - attack.t1059.004
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    ParentImage|endswith: '/java'
    Image|endswith:
      - '/sh'
      - '/bash'
      - '/dash'
  condition: selection
falsepositives:
  - Legitimate administrative scripts invoked by Java administrators
level: high
---
title: Apache ActiveMQ Exploitation - Java Spawning PowerShell (Windows)
id: 9b5c4d3e-2f0a-5b6c-9d7e-0f1a2b3c4d5e
status: experimental
description: Detects Apache ActiveMQ (java.exe) spawning cmd.exe or powershell.exe on Windows, a high-fidelity indicator of RCE exploitation like CVE-2026-34197.
references:
  - https://www.securityweek.com/recent-apache-activemq-vulnerability-exploited-in-the-wild/
author: Security Arsenal
date: 2026/04/08
tags:
  - attack.execution
  - attack.t1059.001
  - attack.t1059.003
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\java.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
  condition: selection
falsepositives:
  - Verified administrative troubleshooting via ActiveMQ console scripts
level: critical

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for ActiveMQ exploitation (CVE-2026-34197)
// Looks for Java processes spawning shells (cmd, PowerShell, sh, bash, dash)
DeviceProcessEvents
| where InitiatingProcessFileName has "java"
// DeviceProcessEvents names the child process column FileName (there is no ProcessFileName column)
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "bash", "sh", "dash")
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, ProcessCommandLine, FileName, FolderPath
| order by Timestamp desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for suspicious child processes of ActiveMQ (Java)
-- pslist() exposes Ppid but no Parent field, so collect the Java PIDs first and
-- then select the processes whose Ppid is one of them
SELECT * FROM foreach(
  row={ SELECT Pid AS JavaPid, Name AS ParentProcess FROM pslist() WHERE Name =~ "^javaw?([.]exe)?$" },
  query={
    SELECT ParentProcess, JavaPid, Pid, Name, CommandLine, Exe, Username, CreateTime
    FROM pslist()
    WHERE Ppid = JavaPid
      AND Name =~ "^(sh|bash|dash|cmd|powershell|pwsh)([.]exe)?$"
  })

Remediation Script (Bash)

Bash / Shell
#!/bin/bash
# Remediation Script for CVE-2026-34197
# Identifies the running ActiveMQ broker, checks its direct child processes for
# shells and download tools, and prints the recommended remediation actions

ACTIVEMQ_USER="activemq"
# Adjust path if ActiveMQ is installed elsewhere (or export ACTIVEMQ_HOME before running);
# the glob may match several installs, so the first match is taken
ACTIVEMQ_HOME="${ACTIVEMQ_HOME:-$(eval echo ~$ACTIVEMQ_USER/apache-activemq* | cut -d' ' -f1)}"

if [ ! -d "$ACTIVEMQ_HOME" ]; then
    echo "ActiveMQ home directory not found. Please verify installation path."
    exit 1
fi

# Java processes whose command line references the ActiveMQ home (may be more than one PID)
JAVA_PIDS=$(pgrep -f "java.*$ACTIVEMQ_HOME")

if [ -n "$JAVA_PIDS" ]; then
    echo "[!] ActiveMQ is currently running (PID(s): $(echo "$JAVA_PIDS" | paste -sd' ' -))."
    echo "[*] Checking for signs of compromise..."
    # List direct children of the broker and match on the exact process name, so that
    # names merely containing "sh" or "nc" (sshd, launcher, ...) are not flagged
    suspicious_children=$(ps -o pid=,ppid=,comm= --ppid "$(echo "$JAVA_PIDS" | paste -sd, -)" \
        | grep -Ew '(sh|bash|dash|curl|wget|nc|ncat)$')
    if [ -n "$suspicious_children" ]; then
        echo "[!!!] CRITICAL: Suspicious child process detected (pid ppid command):"
        echo "$suspicious_children"
        echo "Immediate incident response investigation required."
    else
        echo "[*] No immediate suspicious child processes detected."
    fi
else
    echo "[*] ActiveMQ process not found running."
fi

echo ""
echo "[+] Remediation Steps:"
echo "1. Upgrade to Apache ActiveMQ 6.1.0 or later (Fixed version)."
echo "2. If upgrade is not immediately possible, restrict access to ports 61616 and 8161 via local firewall (iptables/ufw)."
echo "3. Review logs for unauthorized access attempts in 'data/activemq.log'."

Remediation

  1. Apply Immediate Patches: Apache has released patches to address CVE-2026-34197. Upgrade to the latest version immediately.

  2. Network Segmentation & Allowlisting: Restrict access to the ActiveMQ ports (default: 61616 for OpenWire, 8161 for Web Console). Ensure these ports are not exposed to the public internet. Implement strict IP allowlists, permitting connections only from application servers that require message broker functionality.

  3. Review Configuration: Ensure the jetty.xml or management console configuration enforces strong authentication. If the web console is not required for operations, disable it entirely by removing the jetty-realm.properties file or commenting out the connector in the configuration.
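An exposure check for remediation step 2, as an added example that is not part of the original advisory: it parses the listening-socket table (the column layout of `ss -ltn`, reproduced here as constructed sample output), flags the broker ports that are bound to a non-loopback address, and builds the iptables allowlist for such a port. The CIDR 10.0.1.0/24 is a placeholder for the application servers that need the broker; the rules are returned as strings for review and are not applied.

```python
import ipaddress

# Default broker ports named in the remediation guidance
BROKER_PORTS = {61616: "OpenWire", 8161: "Web Console"}

# Constructed `ss -ltn` output for illustration; the real command prints the same columns.
SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process
LISTEN  0       128            0.0.0.0:22          0.0.0.0:*
LISTEN  0       4096           0.0.0.0:61616       0.0.0.0:*
LISTEN  0       4096         127.0.0.1:8161        0.0.0.0:*
LISTEN  0       4096              [::]:5672           [::]:*
"""


def _is_exposed(addr: str) -> bool:
    """A listener is exposed unless it is bound to a loopback address.
    Wildcards ("*", 0.0.0.0, [::]) bind every interface and count as exposed."""
    if addr == "*":
        return True
    ip = ipaddress.ip_address(addr.strip("[]"))
    return ip.is_unspecified or not ip.is_loopback


def audit_listeners(ss_output: str, broker_ports=BROKER_PORTS) -> list:
    """Return one finding per broker port that is listening, with its bind address."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header line or non-listening state
        addr, port = fields[3].rsplit(":", 1)  # rsplit keeps IPv6 "[::]" intact
        port = int(port)
        if port in broker_ports:
            findings.append({"port": port, "service": broker_ports[port],
                             "bind": addr, "exposed": _is_exposed(addr)})
    return findings


def allowlist_rules(port: int, allowed_cidrs) -> list:
    """Build iptables commands that accept the port only from the allowed CIDRs
    and drop everything else. Order matters: the ACCEPT rules must precede the DROP.
    Nothing is executed; the caller reviews and applies the returned commands."""
    rules = []
    for cidr in allowed_cidrs:
        ipaddress.ip_network(cidr)  # raises ValueError on a malformed CIDR
        rules.append(f"iptables -A INPUT -p tcp --dport {port} -s {cidr} -j ACCEPT")
    rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    for f in audit_listeners(SS_OUTPUT):
        state = "EXPOSED" if f["exposed"] else "loopback only"
        print(f"{f['service']} ({f['port']}) bound to {f['bind']}: {state}")
        if f["exposed"]:
            # 10.0.1.0/24 is a placeholder for the application-server subnet
            print("\n".join("  " + r for r in allowlist_rules(f["port"], ["10.0.1.0/24"])))
```

On the sample, OpenWire on 61616 is bound to 0.0.0.0 and is reported as exposed, while the web console on 8161 is loopback-only; port 5672 is ignored because it is not a broker port in the table. Host-local rules complement, rather than replace, the network segmentation the step calls for.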
