{"id":7888,"date":"2026-04-21T20:28:22","date_gmt":"2026-04-21T20:28:22","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=7888"},"modified":"2026-04-21T20:28:22","modified_gmt":"2026-04-21T20:28:22","slug":"thousands-of-apache-activemq-instances-still-unpatched-weeks-after-an-actively-exploited-hole-discovered","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=7888","title":{"rendered":"Thousands of Apache ActiveMQ instances still unpatched, weeks after an actively exploited hole discovered"},"content":{"rendered":"
\n
\n
\n
\n
<\/div>\n

Two weeks after researchers using an AI tool discovered a major hole in Apache\u2019s ActiveMQ messaging middleware, there are still thousands of unpatched instances open to the internet, more evidence that many application developers and IT leaders aren\u2019t paying close attention to warnings about vulnerabilities.<\/p>\n

While the remote code injection vulnerability [CVE-2026-34197<\/a>] was revealed on April 7, according to statistics from the ShadowServer Foundation<\/a>, there are still almost 6,500 unpatched instances of ActiveMQ open to being abused.<\/p>\n

\u201cThe fact that ShadowServer is still seeing 6,000+ unpatched boxes nearly two weeks later is just mind-blowing,\u201d IT analyst Rob Enderle<\/a> of the Enderle Group told CSO<\/em>. \u201cIn a world where an LLM can help an attacker weaponize a bug the second it\u2019s announced, taking 12 days to patch is essentially a suicide note for your network\u201d.<\/p>\n

Vulnerable are versions of ActiveMQ and ActiveMQ Broker before 5.19.4, and 6.0 to before 6.2.3; this means the flaw could have been exploited for over a decade. ActiveMQ Artemis isn\u2019t affected.<\/p>\n

The issue is so serious that the US Cybersecurity and Infrastructure Security Agency (CISA) added the bug to its known and exploited vulnerability list (KEV)<\/a> this week, urging federal agencies to promptly update their applications.<\/p>\n

The move should also be seen by private sector developers who use ActiveMQ in their applications, and IT and security leaders who have apps using ActiveMQ in their environments, as a cue to act fast and upgrade to patched versions 5.19.4 or 6.2.3.<\/p>\n

Bug found by AI in 10 minutes<\/h2>\n

The hole was discovered by researchers at Horizon3.ai<\/a> using Anthropic\u2019s Claude AI assistant. It took them about 10 minutes, an illustration of how quickly modern AI tools can be used by experts to find vulnerabilities. Anthropic says its limited release Claude Mythos tool is even better than Claude<\/a> at finding flaws.<\/p>\n

Apache says an authenticated attacker can exploit the hole with a crafted discovery URI that triggers a parameter to load a remote Spring XML application context using ResourceXmlApplicationContext<\/em>.\u00a0 Because Spring\u2019s ResourceXmlApplicationContext<\/em> instantiates all singleton beans before the BrokerService<\/em> validates the configuration, arbitrary code execution occurs on the broker\u2019s Java VM through bean factory methods such as Runtime.exec<\/em>.<\/p>\n

\u201cThis vulnerability sat there for 13 years,\u201d noted Enderle. \u201cHumans missed it, scanners missed it, but Claude finds it in what, 10 minutes? That\u2019s a massive capability leap. AI is basically acting like an archeologist for exploits, digging up every skeleton we\u2019ve left in our legacy closets for the last decade.\u201d<\/p>\n

The problem for CSOs is \u201cwe\u2019re basically bringing a knife to an AI gunfight,\u201d he added. \u201cMost IT shops are still stuck in \u2018Human-Speed,\u2019 waiting for a weekend maintenance window or a committee meeting, while the bad guys are running at \u2018Machine-Speed.\u2019 If you aren\u2019t automating your defense and using AI to patch as fast as AI is finding the holes, you aren\u2019t just behind; you\u2019re already breached and just don\u2019t know it yet.\u201d<\/p>\n

Automation is key<\/h2>\n

\u201cIf a company hasn\u2019t patched this by now, it\u2019s moved past a \u2018resource issue\u2019 and straight into professional negligence,\u201d Enderle said. \u201cWe\u2019ve got to stop treating patching like a chore and start treating it like a survival requirement.\u201d<\/p>\n

The fix is simple, but hard for most old-school IT shops to swallow, he noted: Get the humans out of the way. \u201cIf AI is finding holes in minutes,\u201d he said, \u201ca 12-day manual patch cycle is basically an invitation to get robbed.\u201d<\/p>\n

Start by putting together a software bill of materials for every app in your environment, Enderle advised. \u201cWithout it, you\u2019re just guessing what\u2019s under the hood. You need a live, automated inventory, using standards like CycloneDX<\/a>, so the second a bug like this [ActiveMQ] hits, you aren\u2019t scanning. You already know exactly which apps are carrying the poisoned ingredient.\u201d<\/p>\n

Second, he said, auto-patch the small stuff and use automated testing for the big systems. Again, he maintained that if IT is still waiting for a weekend maintenance window or a committee approval to fix a critical flaw, \u201cyou\u2019re playing a 2010 game in a 2026 world.\u201d\u00a0<\/p>\n

\u201cBottom line,\u201d he said: \u201cIf you don\u2019t know what\u2019s in your software, and you can\u2019t fix it faster than an LLM can find it, you\u2019re just a target.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"

Two weeks after researchers using an AI tool discovered a major hole in Apache\u2019s ActiveMQ messaging middleware, there are still thousands of unpatched instances open to the internet, more evidence that many application developers and IT leaders aren\u2019t paying close attention to warnings about vulnerabilities. While the remote code injection vulnerability [CVE-2026-34197] was revealed on […]<\/p>\n","protected":false},"author":0,"featured_media":7889,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-7888","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7888"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7888"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7888\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/7889"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7888"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7888"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7888"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}