
April 8, 2026

POC Published for Remote Code Execution in Apache ActiveMQ


At a glance: Researchers published a public exploit enabling a complete compromise of Apache ActiveMQ Classic by chaining exposed management functionality with insecure defaults, resulting in remote code execution at the application level. The availability of a public exploit significantly lowers the effort required to weaponize this chain, particularly in environments where management interfaces are exposed. For organizations running ActiveMQ as core messaging infrastructure, this creates a clear and immediate risk to connected systems and data flows. 

Threat summary

On April 7, 2026, researchers published technical details and a proof-of-concept (POC) exploit demonstrating a remote code execution chain against Apache ActiveMQ Classic. The issue, tracked as CVE-2026-34197, affects ActiveMQ Classic, the original implementation first released in 2004, and does not affect the newer ActiveMQ Artemis branch. The Apache Software Foundation addressed CVE-2026-34197 in ActiveMQ Classic versions 5.19.4 and 6.2.3, released for the supported branches on March 30 and March 31, 2026.

Apache ActiveMQ is an open-source message broker written in Java that provides asynchronous messaging, queuing, and publish-subscribe capabilities. It is commonly deployed as middleware in enterprise, government, financial services, healthcare, and cloud environments to decouple applications and transport data between systems.

The vulnerability is caused by overly permissive access to management operations exposed through Jolokia, an HTTP bridge to Java Management Extensions (JMX) that is bundled with the ActiveMQ web console and typically listens on TCP port 8161. Because the default access controls introduced during a prior security fix are too permissive, authenticated users can invoke management methods that were never intended to accept untrusted input.

In most deployments, exploitation requires valid Jolokia credentials. However, ActiveMQ versions 6.0.0 through 6.1.1 are also affected by another flaw, CVE-2024-32114, which removed the authentication constraints from the /api/* path. In those environments, CVE-2026-34197 becomes an unauthenticated remote code execution vulnerability.

CVE-2026-34197 was assigned a Common Vulnerability Scoring System (CVSS) v3.1 base score of 8.8 (High). The vulnerability is network exploitable, requires low privileges, and does not require user interaction. Successful exploitation provides full code execution in the context of the ActiveMQ broker process, enabling data theft, message manipulation, lateral movement, and potential domain compromise in environments where the broker has elevated trust or connectivity.

From a defensive perspective, this vulnerability is notable because ActiveMQ has a documented history of being targeted by threat actors. Prior ActiveMQ remote code execution flaws, including CVE-2016-3088 and CVE-2023-46604, were added to the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities catalog. This history increases the likelihood that this exploit will attract adversary attention, particularly in environments where management interfaces are exposed to untrusted networks or protected only by default credentials.

Analysis

Organizations running ActiveMQ Classic versions earlier than 5.19.4, or any version from 6.0.0 through 6.2.2, are affected. Upgrading to a fixed version (5.19.4 or 6.2.3) removes the vulnerable execution path by restricting management operations and validating transport configuration inputs.
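The version boundaries above, together with the unauthenticated sub-case from the threat summary, can be turned into a small triage script. The following is an added example, not code from the advisory or from the ActiveMQ project. It assumes only what the advisory states: fixes in 5.19.4 and 6.2.3, and the 6.0.0 through 6.1.1 range lacking authentication on /api/* because of CVE-2024-32114. The Jolokia path (/api/jolokia), the BrokerVersion attribute on the broker MBean, and the admin:admin credentials are the stock ActiveMQ Classic web console defaults; the hostname in the usage block is a placeholder.

```python
"""Triage helper for CVE-2026-34197 exposure in Apache ActiveMQ Classic (added example)."""
import base64
import json
import urllib.error
import urllib.request

# Fixed releases named in the advisory, per branch.
FIXED_5X = (5, 19, 4)
FIXED_6X = (6, 2, 3)
# Range where CVE-2024-32114 removed authentication from /api/*.
UNAUTH_RANGE = ((6, 0, 0), (6, 1, 1))
# Pattern read so the script works regardless of the configured brokerName.
MBEAN_PATTERN = "org.apache.activemq:type=Broker,brokerName=*"


def parse_version(text):
    """Turn '5.18.3' or '6.1.1-SNAPSHOT' into a comparable (major, minor, patch) tuple."""
    core = text.strip().split("-")[0]
    parts = [int(p) for p in core.split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def classify(version_text):
    """Classify a Classic broker version against CVE-2026-34197.

    'fixed'           patched release
    'unauthenticated' vulnerable and /api/* is unauthenticated (6.0.0 - 6.1.1)
    'authenticated'   vulnerable; exploitation needs valid Jolokia credentials
    'unknown'         not a 5.x or 6.x Classic line (e.g. an Artemis 2.x version)
    """
    v = parse_version(version_text)
    if v[0] == 5:
        return "fixed" if v >= FIXED_5X else "authenticated"
    if v[0] == 6:
        if v >= FIXED_6X:
            return "fixed"
        if UNAUTH_RANGE[0] <= v <= UNAUTH_RANGE[1]:
            return "unauthenticated"
        return "authenticated"
    return "unknown"


def probe_jolokia(base_url, username="admin", password="admin", timeout=5):
    """Check whether Jolokia answers anonymously or with the default credentials.

    Returns {'reachable', 'anonymous', 'default_creds', 'version'}; 'version' is
    the BrokerVersion attribute when a read succeeded. Network access required.
    """
    url = f"{base_url.rstrip('/')}/api/jolokia/read/{MBEAN_PATTERN}/BrokerVersion"
    result = {"reachable": False, "anonymous": False, "default_creds": False, "version": None}
    for creds in (None, (username, password)):
        req = urllib.request.Request(url)
        if creds is not None:
            token = base64.b64encode(f"{creds[0]}:{creds[1]}".encode()).decode()
            req.add_header("Authorization", "Basic " + token)
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                body = json.loads(resp.read().decode())
        except urllib.error.HTTPError as err:
            result["reachable"] = True
            if err.code in (401, 403):
                continue  # auth enforced for this attempt; try the next one
            return result
        except (urllib.error.URLError, OSError, ValueError):
            return result  # closed port, DNS failure, or non-JSON reply
        result["reachable"] = True
        result["anonymous" if creds is None else "default_creds"] = True
        for attrs in (body.get("value") or {}).values():
            if isinstance(attrs, dict) and "BrokerVersion" in attrs:
                result["version"] = attrs["BrokerVersion"]
        return result
    return result


if __name__ == "__main__":
    # Placeholder host; point this at a broker you are authorised to test.
    finding = probe_jolokia("http://broker.example.internal:8161")
    status = classify(finding["version"]) if finding["version"] else "unknown"
    print(json.dumps({**finding, "cve_2026_34197": status}, indent=2))
```

A broker that answers the anonymous read is exposed regardless of version: either it sits in the 6.0.0 through 6.1.1 range or its authentication has been disabled by configuration. A broker that only answers with admin:admin is the "default credentials" case the advisory warns about, and any classification other than 'fixed' means the upgrade should be scheduled immediately.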

Limiting network access to the ActiveMQ web console and the Jolokia endpoint (TCP port 8161 by default) reduces exposure to this exploit, and in the 6.0.0 through 6.1.1 range it is the only control standing between an unauthenticated attacker and code execution until the upgrade is applied.

Additional risk reduction steps include disabling Jolokia where it is not operationally required, replacing the default administrative credentials, and reviewing broker logs for unexpected connector creation or outbound configuration retrieval activity.
