CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Unauthenticated RCE Vulnerability in Apache ActiveMQ Classic via Jolokia API (CVE-2026-34197)

First reported
Last updated
2 unique sources, 4 articles

Summary

Hide ▲

CVE-2026-34197, an unauthenticated RCE vulnerability in Apache ActiveMQ Classic via the Jolokia API, remains actively exploited with at least 6,400 exposed servers vulnerable. The flaw affects versions prior to 5.19.4 and 6.0.0 to 6.2.3, with patched releases issued on March 30, 2026. Discovered by Horizon3’s Naveen Sunkavally using AI assistance, the vulnerability chain enables attackers to execute arbitrary OS commands by abusing the Jolokia API’s addNetworkConnector function. CISA added the flaw to its Known Exploited Vulnerabilities Catalog on April 16, 2026, and ordered FCEB agencies to remediate by April 30, 2026 under BOD 22-01. Exploitation indicators include broker logs showing vm:// transport connections with brokerConfig=xbean:http:// query parameters and configuration warnings. Shadowserver reports over 7,500 exposed ActiveMQ servers, with recent data showing 6,400 still vulnerable, concentrated in Asia, North America, and Europe.

Timeline

  1. 08.04.2026 12:15 4 articles · 14d ago

    Unauthenticated RCE in Apache ActiveMQ Classic via Jolokia API (CVE-2026-34197) identified

    CISA confirmed active exploitation of CVE-2026-34197 and added the vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog on April 16, 2026. CISA ordered Federal Civilian Executive Branch (FCEB) agencies to patch ActiveMQ servers by April 30, 2026 under Binding Operational Directive (BOD) 22-01. Horizon3’s Naveen Sunkavally reported the flaw to Apache on March 22, 2026, and it was patched on March 30, 2026 in versions 5.19.4 and 6.2.3. The vulnerability stems from abuse of the Jolokia management API’s addNetworkConnector function, enabling attackers to force the broker to fetch remote Spring XML files and execute arbitrary system commands during initialization. Exploitation indicators include ActiveMQ broker logs showing internal VM transport connections with brokerConfig=xbean:http:// query parameters and warnings about configuration problems indicating payload execution. The issue requires authentication via Jolokia in most versions but becomes unauthenticated in versions 6.0.0 through 6.1.1 due to CVE-2024-32114. ShadowServer initially reported more than 7,500 Apache ActiveMQ servers exposed online as of April 2026. New data on April 21, 2026 indicates over 6,400 exposed servers remain vulnerable to ongoing attacks, with geographic distribution showing 2,925 in Asia, 1,409 in North America, and 1,334 in Europe. CISA reiterated the active exploitation warning and remediation deadlines for FCEB agencies under BOD 22-01.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Active exploitation of Citrix NetScaler ADC/Gateway memory disclosure vulnerability (CVE-2026-3055)

A critical out-of-bounds read vulnerability in Citrix NetScaler ADC and NetScaler Gateway, tracked as CVE-2026-3055, is being actively exploited in the wild to leak sensitive information and extract administrative session IDs from appliance memory, enabling potential full appliance takeover. Citrix disclosed the flaw on March 23, 2026, alongside a high-severity race condition flaw, affecting versions before 14.1-60.58, 13.1-62.23, and those older than 13.1-37.262. The vulnerability requires appliances to be configured as SAML Identity Providers and impacts only customer-managed systems. Exploitation was confirmed via honeypot networks on March 27, with attackers leveraging both /saml/login and /wsfed/passive endpoints to trigger memory overread conditions. Security researchers criticize Citrix’s disclosure as incomplete and provide tools to detect vulnerable hosts. On March 30, 2026, CISA added CVE-2026-3055 to its Known Exploited Vulnerabilities (KEV) Catalog, mandating Federal Civilian Executive Branch (FCEB) agencies to patch vulnerable Citrix appliances by April 2, 2026 under BOD 22-01. CISA warned the flaw poses significant risks to the federal enterprise and urged all organizations to prioritize patching. Shadowserver reports nearly 30,000 exposed NetScaler ADC appliances and over 2,300 exposed Gateway instances online.

Open in new tab

Active exploitation of F5 BIG-IP RCE vulnerability CVE-2025-53521

CVE-2025-53521, initially disclosed as a DoS flaw in October 2025, has been reclassified as a critical RCE vulnerability (CVSS 9.8) following new exploitation activity in March 2026. Threat actors are actively exploiting the flaw by sending malicious traffic to virtual servers configured with BIG-IP AMP or systems in appliance mode to deploy webshells and other payloads. F5 has confirmed exploitation in the wild and published IOCs, while CISA added the flaw to its KEV catalog on March 28, 2026, mandating federal remediation within three days. Multiple actors are probing F5 infrastructure, with observed payload deviations and scanning targeting REST API endpoints. Shadowserver tracks over 240,000 exposed BIG-IP instances, and the NCSC has urged immediate patching in the UK due to confirmed exploitation activity. The flaw affects BIG-IP APM versions 15.1.0–15.1.10, 16.1.0–16.1.6, 17.1.0–17.1.2, and 17.5.0–17.5.1. Fixed versions (15.1.10.8, 16.1.6.1, 17.1.3, 17.5.1.3) are available, and F5 recommends forensic best practices including system rebuilding due to potential persistent malware in UCS backups.

Open in new tab

Critical Pre-Auth RCE Vulnerability in BeyondTrust Remote Support and PRA

BeyondTrust has patched a critical pre-authentication remote code execution (RCE) vulnerability (CVE-2026-1731, CVSS 9.9) in Remote Support (RS) and Privileged Remote Access (PRA) products. The flaw could allow unauthenticated attackers to execute OS commands in the context of the site user, leading to unauthorized access, data exfiltration, and service disruption. The vulnerability affects RS versions 25.3.1 and prior, and PRA versions 24.3.4 and prior. Patches are available in RS versions 25.3.2 and later, and PRA versions 25.1.1 and later. Self-hosted customers must manually apply updates if not subscribed to automatic updates. The vulnerability was discovered on January 31, 2026, with approximately 11,000 exposed instances identified, including around 8,500 on-prem deployments. BeyondTrust secured all RS/PRA cloud systems by February 2, 2026. The flaw was discovered by Harsh Jaiswal and the Hacktron AI team. Threat actors can exploit the flaw through maliciously crafted client requests in low-complexity attacks that do not require user interaction. In June 2025, BeyondTrust fixed a high-severity RS/PRA Server-Side Template Injection vulnerability. Attackers have begun actively exploiting the CVE-2026-1731 vulnerability in the wild, abusing the get_portal_info endpoint to extract the x-ns-company value before establishing a WebSocket channel. A proof-of-concept exploit targeting the /get_portal_info endpoint was published on GitHub. Threat actors have been observed exploiting CVE-2026-1731 to conduct network reconnaissance, deploy web shells, establish command-and-control (C2) channels, install backdoors and remote management tools, perform lateral movement, and exfiltrate data. The attacks have targeted financial services, legal services, high technology, higher education, wholesale and retail, and healthcare sectors across the U.S., France, Germany, Australia, and Canada. The vulnerability enables attackers to inject and execute arbitrary shell commands via the affected 'thin-scc-wrapper' script through the WebSocket interface. Attackers have deployed multiple web shells, including a PHP backdoor and a bash dropper, to maintain persistent access. Malware such as VShell and Spark RAT have been deployed as part of the exploitation. Out-of-band application security testing (OAST) techniques have been used to validate successful code execution and fingerprint compromised systems. Sensitive data, including configuration files, internal system databases, and a full PostgreSQL dump, have been exfiltrated to an external server. CVE-2026-1731 and CVE-2024-12356 share a common issue with input validation within distinct execution pathways. CVE-2026-1731 could be a target for sophisticated threat actors, similar to CVE-2024-12356 which was exploited by China-nexus threat actors like Silk Typhoon. CISA has confirmed that CVE-2026-1731 has been exploited in ransomware campaigns. CISA added CVE-2026-1731 to its Known Exploited Vulnerabilities (KEV) catalog on February 13 and gave federal agencies three days to apply the patch or stop using the product. Proof-of-concept (PoC) exploits for CVE-2026-1731 became available shortly after the initial disclosure, and exploitation was detected on January 31, making it a zero-day vulnerability for at least a week. CISA has activated the 'Known To Be Used in Ransomware Campaigns?' indicator in the KEV catalog for CVE-2026-1731. Customers of the cloud-based application (SaaS) had the patch applied automatically on February 2. Self-hosted instance customers need to either enable automatic updates or manually install the patch. For Remote Support, the recommended version is 25.3.2. For Privileged Remote Access, the recommended version is 25.1.1 or newer. Customers still using RS v21.3 and PRA v22.1 are recommended to upgrade to a newer version before applying the patch.

Open in new tab

Critical RCE Flaw in Trend Micro Apex Central On-Prem Windows

Trend Micro has addressed critical vulnerabilities in on-premise Windows versions of Apex Central, including a remote code execution (RCE) flaw (CVE-2025-69258) with a CVSS score of 9.8. The flaw allows unauthenticated remote attackers to execute arbitrary code under SYSTEM context. Two additional flaws (CVE-2025-69259, CVE-2025-69260) with CVSS scores of 7.5 each can cause denial-of-service conditions. The vulnerabilities affect versions below Build 7190 and require physical or remote access to exploit. Apex Central is a web-based management console that helps admins manage multiple Trend Micro products and services, including antivirus, content security, and threat detection. Trend Micro has released Critical Patch Build 7190 to address these vulnerabilities.

Open in new tab

Critical Authentication Bypass Vulnerability in IBM API Connect

IBM has disclosed a critical authentication bypass vulnerability (CVE-2025-13915) in its API Connect platform, affecting versions 10.0.11.0 and 10.0.8.0 through 10.0.8.5. This flaw, rated 9.8/10 in severity, allows remote attackers to bypass authentication and gain unauthorized access to applications. IBM urges customers to upgrade to the latest version and provides mitigation steps for those unable to patch immediately. The vulnerability is particularly concerning due to its low attack complexity and lack of requirement for user interaction. It impacts API Connect deployments in on-premises, cloud, and hybrid environments, used by organizations in sectors like banking, healthcare, and telecommunications. There is no evidence of the vulnerability being exploited in the wild.

Open in new tab