{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/spring-xml/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-34197"},{"cvss":8.5,"id":"CVE-2024-32114"},{"cvss":8.8,"id":"CVE-2022-41678"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["activemq","rce","jolokia","cve-2026-34197","cve-2024-32114","cve-2022-41678","spring-xml"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA remote code execution vulnerability, CVE-2026-34197, has been identified in Apache ActiveMQ Classic, an open-source messaging and Integration Patterns server widely used across industries. This vulnerability, present for 13 years, allows attackers to invoke management operations through the Jolokia API and instruct the broker to retrieve a remote configuration file, leading to OS command execution. This is achieved by bypassing CVE-2022-41678, a previous bug that allowed webshell creation. Additionally, CVE-2024-32114 exposes the Jolokia API to unauthenticated users in ActiveMQ versions 6.0.0 through 6.1.1, enabling potential RCE without authentication. The vulnerability affects ActiveMQ Classic deployments and was addressed in versions 5.19.4 and 6.2.3.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an Apache ActiveMQ Classic instance running a vulnerable version (prior to 5.19.4 or 6.2.3).\u003c/li\u003e\n\u003cli\u003eIf the instance is running ActiveMQ 6.0.0 through 6.1.1, the attacker leverages CVE-2024-32114 to access the Jolokia API without authentication. Otherwise, the attacker authenticates to the ActiveMQ instance.\u003c/li\u003e\n\u003cli\u003eThe attacker invokes management operations through the Jolokia API to target ActiveMQ\u0026rsquo;s VM transport feature.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a VM transport URI referencing a non-existent broker.\u003c/li\u003e\n\u003cli\u003eActiveMQ creates the broker and accepts a parameter instructing it to load a configuration from a URL controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker hosts a malicious Spring XML configuration file on a remote server.\u003c/li\u003e\n\u003cli\u003eThe ActiveMQ broker retrieves and processes the malicious Spring XML configuration file.\u003c/li\u003e\n\u003cli\u003eThe Spring XML file instantiates bean definitions that execute arbitrary OS commands, achieving remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities could lead to complete compromise of the ActiveMQ server, potentially impacting numerous industries relying on this messaging middleware. Attackers could gain unauthorized access to sensitive data, disrupt message queues, and pivot to other systems within the network. The scope of the impact depends on the ActiveMQ deployment and the attacker\u0026rsquo;s objectives. Unauthenticated exploitation via CVE-2024-32114 significantly broadens the attack surface.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Apache ActiveMQ Classic to versions 5.19.4 or 6.2.3 or later to address CVE-2026-34197.\u003c/li\u003e\n\u003cli\u003eFor ActiveMQ versions 6.0.0 through 6.1.1, verify the configuration and security constraints to ensure the Jolokia API is not exposed without authentication, mitigating CVE-2024-32114.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;ActiveMQ Jolokia API Access\u0026rdquo; to monitor for unauthorized access attempts to the Jolokia API.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the blast radius in case of a successful compromise.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for suspicious processes spawned by the ActiveMQ Java process, leveraging the \u0026ldquo;ActiveMQ Suspicious Process Creation\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T14:30:27Z","date_published":"2026-04-08T14:30:27Z","id":"/briefs/2026-04-activemq-rce/","summary":"A remote code execution vulnerability (CVE-2026-34197) in Apache ActiveMQ Classic allows authenticated attackers to invoke management operations through the Jolokia API to retrieve a remote configuration file and execute OS commands, potentially exploitable without authentication via CVE-2024-32114.","title":"Apache ActiveMQ Classic RCE via Jolokia API Exploitation","url":"https://feed.craftedsignal.io/briefs/2026-04-activemq-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Spring-Xml","version":"https://jsonfeed.org/version/1.1"}