A critical remote code execution (RCE) vulnerability has been disclosed in Apache ActiveMQ Classic<\/a>, a flaw that sat undetected for over a decade and was ultimately discovered not by a human researcher manually combing through code, but by Anthropic\u2019s Claude AI model in under 10 minutes.<\/p>\n Tracked as CVE-2026-34197, the flaw is an improper input validation and code injection vulnerability residing in Apache ActiveMQ Classic\u2019s Jolokia JMX-HTTP bridge, exposed via the web console at The vulnerability allows an authenticated attacker to call the When processed, ActiveMQ\u2019s VM transport layer creates an on-the-fly embedded broker by calling The The root cause traces back to a remediation for CVE-2022-41678, where Apache added a blanket Jolokia allow rule for all operations on ActiveMQ\u2019s own MBeans ( While CVE-2026-34197 requires valid credentials in most deployments, default credentials ( More critically, organizations running ActiveMQ versions 6.0.0 through 6.1.1 are exposed to a fully unauthenticated RCE path. A separate flaw, CVE-2024-32114, inadvertently stripped authentication constraints from the ActiveMQ has a well-documented history of being targeted in the wild. Both CVE-2016-3088 (authenticated RCE via the web console) and CVE-2023-46604 (unauthenticated RCE via the broker port) are listed on CISA\u2019s Known Exploited Vulnerabilities (KEV) catalog.<\/p>\n Researchers at Horizon3.ai credited<\/a> Anthropic\u2019s Claude AI with identifying the flaw during an AI-assisted source code review. By providing Claude with a lightweight vulnerability-hunting prompt and a live target for validation, the team enabled the AI to trace the multi-component attack chain spanning Jolokia, JMX, network connectors, and VM transports in approximately 10 minutes.<\/p>\n Analysts noted this chain would likely have taken a skilled human researcher an entire week to map manually, underscoring how AI models are fundamentally lowering the barrier for vulnerability research.<\/p>\n Organizations should monitor ActiveMQ broker logs for entries referencing The vulnerability is patched in ActiveMQ Classic versions 5.19.4 and 6.2.3. The fix removes the ability for All organizations running affected versions should update immediately and audit deployments for default credential usage across all ActiveMQ instances.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post Claude Finds 13-Year-Old 0-Day RCE Vulnerability in Apache ActiveMQ in 10 Minutes<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n\/api\/jolokia\/<\/code> on port 8161.<\/p>\naddNetworkConnector(String)<\/code> management operation on the broker\u2019s MBean and supply a crafted VM transport URI containing an attacker-controlled brokerConfig=xbean:http:\/\/<\/code> parameter.<\/p>\nBrokerFactory.createBroker()<\/code> using the attacker-supplied URL.<\/p>\nApache ActiveMQ RCE Vulnerability<\/strong><\/h2>\n
xbean:<\/code> scheme, then hands the URL to Spring\u2019s ResourceXmlApplicationContext<\/code>, which instantiates all bean definitions in the remote XML file \u2014 allowing arbitrary OS command execution via Spring\u2019s MethodInvokingFactoryBean<\/code> to invoke Runtime.getRuntime().exec()<\/code>.<\/p>\norg.apache.activemq:*<\/code>) to preserve web console functionality. That decision inadvertently unlocked every management operation \u2014 including addNetworkConnector<\/code> \u2014 as an attack surface through Jolokia\u2019s REST API.<\/p>\nadmin:admin<\/code>) are widely present across enterprise environments.<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjcplrLbUBnsmnbJ2azPUVNqxQkh0dh91yI8Y_0YZ8l7kYPZoQ5zqIglepL-vTylm6fZ4adySfJ5LGKzzradj74_beMfdIYHQVUR0c-qpSPBjrexKOrSo8e5hW1ZzoHmKOc4nwsFlKAmzOSYHdmNEF6D1Tw-2mNbJy6wSNmHStRbXEDkyG14EJzU0eCPJFO\/s16000\/Apache%2520ActiveMQ.webp?ssl=1\")
\/api\/*<\/code> path in those versions, meaning the Jolokia endpoint requires zero credentials \u2014 making CVE-2026-34197 a no-auth RCE on those builds.<\/p>\nMitigations<\/strong><\/h2>\n
vm:\/\/<\/code> URIs containing brokerConfig=xbean:http<\/code>, POST requests to \/api\/jolokia\/<\/code> with addNetworkConnector<\/code> in the body, and unexpected outbound HTTP connections from the ActiveMQ process. Defenders should also watch for unusual child processes spawned by the ActiveMQ JVM.<\/p>\naddNetworkConnector<\/code> to register vm:\/\/<\/code> transports via the Jolokia API entirely.<\/p>\n