{"id":233661,"date":"2026-04-17T13:09:00","date_gmt":"2026-04-17T17:09:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/04\/17\/cisa-tells-feds-to-patch-13-year-old-apache-activemq-bug-the-register\/"},"modified":"2026-04-20T22:55:09","modified_gmt":"2026-04-21T02:55:09","slug":"cisa-tells-feds-to-patch-13-year-old-apache-activemq-bug-the-register","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/04\/17\/cisa-tells-feds-to-patch-13-year-old-apache-activemq-bug-the-register\/","title":{"rendered":"CISA tells feds to patch 13-year-old Apache ActiveMQ bug \u2022 The Register"},"content":{"rendered":"<p><a href=\"https:\/\/www.theregister.com\/2026\/04\/17\/cisa_tells_feds_to_patch\/\">CISA tells feds to patch 13-year-old Apache ActiveMQ bug \u2022 The Register<\/a><\/p>\n<p><a href=\"https:\/\/www.theregister.com\/2026\/04\/17\/cisa_tells_feds_to_patch\/\">https:\/\/www.theregister.com\/2026\/04\/17\/cisa_tells_feds_to_patch\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-04-17 13:09:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.theregister.com\">www.theregister.com<\/a><\/p>\n<p>CISA is sounding the alarm on a newly-exploited Apache ActiveMQ bug, ordering federal agencies to patch within two weeks as attackers circle a flaw that&#8217;s been quietly lurking for more than a decade.<\/p>\n<p>The US cybersecurity agency added the bug, tracked as CVE-2026-34197, to its Known Exploited Vulnerabilities (KEV) catalog on Thursday, triggering a Binding Operational Directive (BOD) 22-01 deadline that gives Federal Civilian Executive Branch agencies until April 30 to fix their systems or get ready to explain why not.<\/p>\n<p>The bug sits in Apache ActiveMQ, an open source message broker used to shuttle data between applications and services, and allows an authenticated user to execute arbitrary code via the broker&#8217;s Jolokia management API \u2013 effectively turning a messaging workhorse into a remote 
command runner.<\/p>\n<p>It was disclosed just over a week ago by Horizon3 researcher Naveen Sunkavally, who used Anthropic&#8217;s Claude AI assistant to help dig it out. According to Horizon3, the issue has been sitting in the codebase for 13 years, unnoticed until now. Patches are available in ActiveMQ versions 5.19.5 and 6.2.3.<\/p>\n<p>&#8220;CVE-2026-34197 is a remote code execution vulnerability in Apache ActiveMQ Classic that has been hiding in plain sight for 13 years,&#8221; Sunkavally said. &#8220;An attacker can invoke a management operation through ActiveMQ&#8217;s Jolokia API to trick the broker into fetching a remote configuration file and running arbitrary OS commands.&#8221;<\/p>\n<p>While the bug technically requires authentication, Horizon3 notes that many deployments still rely on default credentials \u2013 the ever-reliable &#8220;admin:admin&#8221; \u2013 making initial access trivial. Worse, on certain versions (6.0.0 through 6.1.1), an older flaw, CVE-2024-32114, can expose the Jolokia API without authentication entirely, turning this into a no-credentials-needed remote code execution chain.<\/p>\n<p>&#8230;<br \/>\n<br \/><a href=\"https:\/\/www.theregister.com\/2026\/04\/17\/cisa_tells_feds_to_patch\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>CISA tells feds to patch 13-year-old Apache ActiveMQ bug \u2022 The Register https:\/\/www.theregister.com\/2026\/04\/17\/cisa_tells_feds_to_patch\/ Publish 
Date:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":233662,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/regmedia.co.uk\/2015\/06\/16\/angle_grinder_image_via_shutterstock.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,24,27],"class_list":["post-233661","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-cybersecurity","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/233661"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=233661"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/233661\/revisions"}],"predecessor-version":[{"id":233663,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/233661\/revisions\/233663"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/233662"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=233661"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=233661"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=233661"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}