
Claude helps researcher dig up decade-old Apache ActiveMQ RCE vulnerability (CVE-2026-34197)

A researcher at Horizon3.ai, Naveen Sunkavally, used Anthropic’s Claude AI to uncover CVE-2026-34197, a remote code execution (RCE) vulnerability in Apache ActiveMQ Classic. This flaw entered the codebase 13 years ago and persisted undetected until Claude pieced together its attack path. Apache patched it in late March 2026 with versions 6.2.3 and 5.19.4. No active exploits appear in the wild yet, but ActiveMQ’s history of abuse in ransomware and malware campaigns makes this urgent.

ActiveMQ Classic serves as an open-source message broker for Java-based enterprise systems, handling asynchronous communication. It powers everything from financial services to logistics. The vuln stems from improper input validation in Jolokia, JMX, network connectors, and VM transports—features developed separately over years. Attackers chain them to inject code via a crafted vm:// URI with brokerConfig=xbean:http, tricking the broker into fetching and executing arbitrary payloads over HTTP.

Vulnerability Mechanics

Sunkavally fed Claude the ActiveMQ source code and asked it to hunt for RCE paths. The AI mapped the full chain without human biases clouding judgment. Normally, it requires credentials, but default creds like admin:admin plague many deployments. Worse, versions 6.0.0 to 6.1.1 expose Jolokia unauthenticated due to CVE-2024-32114, turning this into zero-auth RCE.

In detail: an attacker POSTs to /api/jolokia/ with an addNetworkConnector payload embedding the malicious URI. The broker creates a connector, pulls config from a remote HTTP server the attacker controls, and runs it. Sunkavally stresses it’s “obvious in hindsight,” but the multi-component nature hid it. AI excels here by exhaustively exploring interactions humans might skip.

ActiveMQ Artemis, the modern fork, dodges this entirely due to architectural differences. Still, Classic lingers in production—many orgs stick with stable 5.x branches.

Mitigation and Detection

Upgrade immediately to ActiveMQ Classic 6.2.3 or 5.19.4. No official workaround exists; disabling Jolokia or network connectors may reduce exposure while patching lags, but that carries operational risk.

Hunt for compromise with these IOCs in broker logs:

Scan networks for exposed ActiveMQ instances on default ports like 8161 (web console) or 61616 (OpenWire). Tools like Nuclei or custom scripts detect it post-disclosure.
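To turn the version and exposure facts above into a triage pass over a broker inventory, and to hunt log lines for the indicators the article names (addNetworkConnector, a vm:// URI carrying brokerConfig=xbean:), here is an added Python example; it is not code from Horizon3.ai, Apache, or HelpNetSecurity. It assumes a log source that records the Jolokia request path together with a body excerpt (a reverse proxy or WAF, since the broker's own access log would not normally capture a POST body), and the hostnames, versions and log lines are constructed sample data.

```python
import re

# Fixed versions named in the advisory, per major branch of ActiveMQ Classic.
FIXED = {5: (5, 19, 4), 6: (6, 2, 3)}
# Inclusive version window whose Jolokia endpoint is unauthenticated (CVE-2024-32114).
UNAUTH_JOLOKIA = ((6, 0, 0), (6, 1, 1))
# Strings from the described attack chain that legitimate Jolokia traffic should not carry.
INDICATORS = ("addNetworkConnector", "brokerConfig=xbean:", "vm://")

def parse_version(text):
    """'5.18.3' -> (5, 18, 3); raises on anything that is not dotted numeric."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())

def assess(version, jolokia_reachable, default_creds):
    """Triage label for one broker; the labels are this example's own scheme."""
    v = parse_version(version)
    fixed = FIXED.get(v[0])
    if fixed is None:
        return "review"      # branch not covered by the advisory text; check by hand
    if v >= fixed:
        return "patched"
    zero_auth = UNAUTH_JOLOKIA[0] <= v <= UNAUTH_JOLOKIA[1]
    if jolokia_reachable and (zero_auth or default_creds):
        return "critical"    # management endpoint exposed with no effective auth
    if jolokia_reachable:
        return "high"        # RCE still reachable behind valid Jolokia/JMX credentials
    return "patch"           # vulnerable code present, no exposed management path found

def flag_jolokia_lines(lines):
    """Yield (line_no, line) for log lines that touch /api/jolokia and carry an indicator."""
    for n, line in enumerate(lines, 1):
        if "/api/jolokia" in line and any(i in line for i in INDICATORS):
            yield n, line.strip()

# Constructed sample inventory (host, version, Jolokia reachable, default creds) and log lines.
INVENTORY = [("mq-a", "5.18.3", True, True), ("mq-b", "6.1.0", True, False),
             ("mq-c", "6.2.3", True, True), ("mq-d", "5.17.1", False, False)]
SAMPLE_LOG = [
    '203.0.113.9 POST /api/jolokia/ 200 body~addNetworkConnector vm:// brokerConfig=xbean:http',
    '198.51.100.4 GET /api/jolokia/read/java.lang:type=Memory 200',
]

if __name__ == "__main__":
    for host, ver, jolokia, creds in INVENTORY:
        print(host, ver, assess(ver, jolokia, creds))
    for n, hit in flag_jolokia_lines(SAMPLE_LOG):
        print("suspicious line", n, hit)
```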

Why This Matters

ActiveMQ vulns have fueled real attacks before. In 2023, attackers exploited misconfigs for ransomware entry. This RCE rivals those in severity—full server compromise. Enterprises run millions of ActiveMQ brokers; Shodan shows over 10,000 exposed globally, many on unpatched versions.

AI’s role intrigues but warrants skepticism. Claude accelerated discovery, but Sunkavally verified and reported it. AI hallucinates; it needs human oversight. Expect more AI-aided finds, shifting bug hunting from manual grinds to guided explorations. For security teams, this underscores auditing old codebases—13 years is an eternity in software.

Organizations delay at peril. Public PoCs will spawn exploits. Patch, monitor, and rethink legacy brokers. Artemis offers a safer path forward, but migration takes time. Act now.

April 9, 2026 · Source: HelpNetSecurity