{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/activemq/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":4.3,"id":"CVE-2026-33227"},{"cvss":8.8,"id":"CVE-2026-34197"},{"cvss":7.5,"id":"CVE-2026-40046"},{"cvss":7.5,"id":"CVE-2026-39304"},{"cvss":8.8,"id":"CVE-2026-40466"}],"_cs_exploited":false,"_cs_products":["ActiveMQ"],"_cs_severities":["critical"],"_cs_tags":["activemq","rce","xss","apache"],"_cs_type":"advisory","_cs_vendors":["Apache"],"content_html":"\u003cp\u003eMultiple vulnerabilities in Apache ActiveMQ allow a remote, authenticated attacker to execute arbitrary code or perform cross-site scripting (XSS) attacks. While specific CVEs and attack vectors are not detailed in this advisory, the presence of both RCE and XSS vulnerabilities suggests a high risk to organizations using affected versions of ActiveMQ. Exploitation requires authentication, implying that attackers may need to compromise credentials or exploit other vulnerabilities to gain initial access. This combination of vulnerabilities could lead to complete system compromise, data theft, or service disruption. The lack of specific version information makes it crucial for organizations to identify and patch all potentially vulnerable ActiveMQ instances.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains valid credentials to access the ActiveMQ management console or API, potentially through credential stuffing, phishing, or exploiting other vulnerabilities.\u003c/li\u003e\n\u003cli\u003eAuthentication: The attacker authenticates to the ActiveMQ instance using the compromised credentials.\u003c/li\u003e\n\u003cli\u003eVulnerability Exploitation (RCE): The attacker exploits a deserialization or other RCE vulnerability to inject malicious code into the ActiveMQ server. This may involve crafting a specific message or request to trigger the vulnerability.\u003c/li\u003e\n\u003cli\u003eCode Execution: The injected code executes within the context of the ActiveMQ server process, granting the attacker control over the system.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation (if necessary): The attacker attempts to escalate privileges to gain root or system-level access, depending on the initial privileges of the ActiveMQ process.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker uses the compromised ActiveMQ server as a pivot point to move laterally within the network, targeting other systems and resources.\u003c/li\u003e\n\u003cli\u003eVulnerability Exploitation (XSS): Simultaneously or independently, the attacker exploits an XSS vulnerability within the ActiveMQ web console. This may involve injecting malicious JavaScript code into the console.\u003c/li\u003e\n\u003cli\u003eImpact: The attacker deploys ransomware, exfiltrates sensitive data, or disrupts critical services, depending on their objectives. The XSS vulnerability allows the attacker to steal administrator cookies or inject further malicious content.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities could lead to complete compromise of the ActiveMQ server, potentially affecting all connected systems and applications. The lack of specifics makes it difficult to determine the exact number of potential victims; however, given the widespread use of ActiveMQ in enterprise environments, the impact could be significant. Consequences include data breaches, service disruption, financial loss, and reputational damage. The combination of RCE and XSS vulnerabilities allows attackers to pursue a wide range of malicious objectives, from data theft to system destruction.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eIdentify all Apache ActiveMQ instances within your environment and determine their versions.\u003c/li\u003e\n\u003cli\u003eConsult the Apache ActiveMQ security advisories to identify specific vulnerabilities affecting your versions and apply the necessary patches.\u003c/li\u003e\n\u003cli\u003eImplement strong authentication and authorization controls to restrict access to the ActiveMQ management console and API.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect potential exploitation attempts against ActiveMQ instances.\u003c/li\u003e\n\u003cli\u003eReview and harden the ActiveMQ configuration to minimize the attack surface and reduce the risk of exploitation.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of a successful compromise of an ActiveMQ instance.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-24T09:09:10Z","date_published":"2026-04-24T09:09:10Z","id":"/briefs/2026-04-activemq-rce-xss/","summary":"An authenticated remote attacker can exploit multiple vulnerabilities in Apache ActiveMQ to execute arbitrary program code or perform cross-site scripting attacks.","title":"Apache ActiveMQ Vulnerabilities Allow RCE and XSS","url":"https://feed.craftedsignal.io/briefs/2026-04-activemq-rce-xss/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-34197"},{"cvss":8.5,"id":"CVE-2024-32114"},{"cvss":8.8,"id":"CVE-2022-41678"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["activemq","rce","jolokia","cve-2026-34197","cve-2024-32114","cve-2022-41678","spring-xml"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA remote code execution vulnerability, CVE-2026-34197, has been identified in Apache ActiveMQ Classic, an open-source messaging and Integration Patterns server widely used across industries. This vulnerability, present for 13 years, allows attackers to invoke management operations through the Jolokia API and instruct the broker to retrieve a remote configuration file, leading to OS command execution. This is achieved by bypassing CVE-2022-41678, a previous bug that allowed webshell creation. Additionally, CVE-2024-32114 exposes the Jolokia API to unauthenticated users in ActiveMQ versions 6.0.0 through 6.1.1, enabling potential RCE without authentication. The vulnerability affects ActiveMQ Classic deployments and was addressed in versions 5.19.4 and 6.2.3.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an Apache ActiveMQ Classic instance running a vulnerable version (prior to 5.19.4 or 6.2.3).\u003c/li\u003e\n\u003cli\u003eIf the instance is running ActiveMQ 6.0.0 through 6.1.1, the attacker leverages CVE-2024-32114 to access the Jolokia API without authentication. Otherwise, the attacker authenticates to the ActiveMQ instance.\u003c/li\u003e\n\u003cli\u003eThe attacker invokes management operations through the Jolokia API to target ActiveMQ\u0026rsquo;s VM transport feature.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a VM transport URI referencing a non-existent broker.\u003c/li\u003e\n\u003cli\u003eActiveMQ creates the broker and accepts a parameter instructing it to load a configuration from a URL controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker hosts a malicious Spring XML configuration file on a remote server.\u003c/li\u003e\n\u003cli\u003eThe ActiveMQ broker retrieves and processes the malicious Spring XML configuration file.\u003c/li\u003e\n\u003cli\u003eThe Spring XML file instantiates bean definitions that execute arbitrary OS commands, achieving remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities could lead to complete compromise of the ActiveMQ server, potentially impacting numerous industries relying on this messaging middleware. Attackers could gain unauthorized access to sensitive data, disrupt message queues, and pivot to other systems within the network. The scope of the impact depends on the ActiveMQ deployment and the attacker\u0026rsquo;s objectives. Unauthenticated exploitation via CVE-2024-32114 significantly broadens the attack surface.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Apache ActiveMQ Classic to versions 5.19.4 or 6.2.3 or later to address CVE-2026-34197.\u003c/li\u003e\n\u003cli\u003eFor ActiveMQ versions 6.0.0 through 6.1.1, verify the configuration and security constraints to ensure the Jolokia API is not exposed without authentication, mitigating CVE-2024-32114.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;ActiveMQ Jolokia API Access\u0026rdquo; to monitor for unauthorized access attempts to the Jolokia API.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the blast radius in case of a successful compromise.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for suspicious processes spawned by the ActiveMQ Java process, leveraging the \u0026ldquo;ActiveMQ Suspicious Process Creation\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T14:30:27Z","date_published":"2026-04-08T14:30:27Z","id":"/briefs/2026-04-activemq-rce/","summary":"A remote code execution vulnerability (CVE-2026-34197) in Apache ActiveMQ Classic allows authenticated attackers to invoke management operations through the Jolokia API to retrieve a remote configuration file and execute OS commands, potentially exploitable without authentication via CVE-2024-32114.","title":"Apache ActiveMQ Classic RCE via Jolokia API Exploitation","url":"https://feed.craftedsignal.io/briefs/2026-04-activemq-rce/"},{"_cs_actors":["LockBit","BITWISE SPIDER","HelloKitty"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["activemq","rce","cve-2023-46604","ransomware"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2023-46604 is a critical remote code execution (RCE) vulnerability affecting Apache ActiveMQ message brokers. This vulnerability allows a remote attacker with network access to the ActiveMQ broker to execute arbitrary shell commands by manipulating serialized class types within the OpenWire protocol. The vulnerability affects Apache ActiveMQ versions 5.16.0 before 5.16.7, 5.17.0 before 5.17.6, 5.18.0 before 5.18.3, and before 5.15.16, as well as corresponding versions of the Legacy OpenWire…\u003c/p\u003e\n","date_modified":"2026-02-25T09:22:01Z","date_published":"2026-02-25T09:22:01Z","id":"/briefs/2026-02-activemq-rce/","summary":"CVE-2023-46604 is a remote code execution vulnerability affecting Apache ActiveMQ that is actively exploited in the wild by ransomware operators, allowing remote attackers to execute arbitrary shell commands.","title":"Active Exploitation of Apache ActiveMQ RCE Vulnerability (CVE-2023-46604)","url":"https://feed.craftedsignal.io/briefs/2026-02-activemq-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Activemq","version":"https://jsonfeed.org/version/1.1"}