A high-severity Apache ActiveMQ flaw — tracked as CVE-2026-34197 — is now being actively exploited, and CISA has added it to its Known Exploited Vulnerabilities catalogue. The bug lets an attacker abuse ActiveMQ’s Jolokia management API to pull down a remote configuration file and run arbitrary commands on the broker host. As reported by BleepingComputer, FortiGuard Labs has already observed dozens of in-the-wild exploitation attempts, peaking on 14 April.
If your business runs ActiveMQ for message queuing — and plenty of Australian organisations do, often buried inside ERP, logistics, or custom integration stacks — this one matters. A successful exploit gives an attacker code execution on the broker, which is typically a privileged machine sitting deep inside your network. That’s a classic pivot point for ransomware operators and data-theft crews. The patch has been available since late March, but the exploitation surge is happening right now against servers that haven’t been updated.
The fix is straightforward: upgrade Apache ActiveMQ Classic to version 5.19.4 or 6.2.3. If you can’t patch immediately, restrict access to the Jolokia endpoint and block inbound traffic to ActiveMQ’s management ports at the firewall. Check your logs for unexpected outbound connections from the broker — a compromised ActiveMQ often phones home before anything more obvious happens. If you’re not sure whether you’re running ActiveMQ anywhere in your environment, it’s worth asking your IT provider to do a quick audit of internal services.
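The log check described above, as an added example that is not part of the original article: it flags broker-originated connections to destinations outside an allowlist, and Jolokia requests that come from outside an admin subnet. The broker address, networks, log formats and sample lines are all constructed assumptions; `/api/jolokia` is the path where the ActiveMQ Classic web console serves Jolokia by default.

```python
import ipaddress
import re

# Assumed for illustration: broker address, approved destinations, admin subnet.
BROKER_IP = ipaddress.ip_address("10.20.0.15")
ALLOWED_DESTS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.0.2.53/32")]
ADMIN_NETS = [ipaddress.ip_network("10.20.9.0/24")]

# Constructed firewall flow log, one flow per line: "time src dst dport"
FLOW_LOG = """\
2026-04-14T02:11:07Z 10.20.0.15 10.20.3.8 5432
2026-04-14T02:11:09Z 10.20.0.15 203.0.113.77 8080
2026-04-14T02:11:10Z 10.20.0.22 198.51.100.4 443
2026-04-14T02:12:30Z 10.20.0.15 192.0.2.53 53
"""

# Constructed web access log (common log format, e.g. from a reverse proxy)
ACCESS_LOG = """\
10.20.9.14 - admin [14/Apr/2026:02:05:00 +0000] "GET /api/jolokia/version HTTP/1.1" 200 312
198.51.100.23 - - [14/Apr/2026:02:10:58 +0000] "POST /api/jolokia/ HTTP/1.1" 200 845
10.20.4.7 - - [14/Apr/2026:02:20:00 +0000] "GET /admin/queues.jsp HTTP/1.1" 200 4096
"""
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)')

def in_any(ip, nets):
    return any(ip in net for net in nets)

def unexpected_outbound(flow_log):
    """Return (time, dst, port) for broker flows to non-allowlisted hosts."""
    hits = []
    for line in flow_log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the triage
        ts, src, dst, port = parts
        if ipaddress.ip_address(src) != BROKER_IP:
            continue  # only flows that originate from the broker matter here
        if not in_any(ipaddress.ip_address(dst), ALLOWED_DESTS):
            hits.append((ts, dst, int(port)))
    return hits

def jolokia_from_outside(access_log):
    """Return (source, method, path) for Jolokia requests from non-admin hosts."""
    hits = []
    for line in access_log.splitlines():
        m = CLF.match(line)
        if m and "/jolokia" in m.group(3).lower():
            if not in_any(ipaddress.ip_address(m.group(1)), ADMIN_NETS):
                hits.append((m.group(1), m.group(2), m.group(3)))
    return hits
```

On real data, replace the constants and sample strings with your own broker address, approved destinations and exported logs; a hit from either function is a lead to investigate, not proof of compromise.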
If you’d like us to review your patch posture or lock down management interfaces across your network, our cybersecurity team can take a look.