CVEs - Accessible ActiveMQ Service Report
The Apache ActiveMQ Service - Known Exploited Vulnerabilities in ActiveMQ
| CVE Report | Vendor | Product | CVSSv3 |
|---|---|---|---|
| CVE-2026-34197 | Apache Software Foundation | Apache ActiveMQ Broker | 8.8 |
| CVE-2023-46604 | Apache Software Foundation | Java OpenWire protocol | 10.0 |
Description
The ActiveMQ Service is a Java-based open source project developed by the Apache Software Foundation. There are currently two (2) versions of ActiveMQ: Classic and Artemis. Apache plans to support only the ActiveMQ Artemis version once Artemis has evolved to include all of the features currently available in the Classic version.
The ActiveMQ project was originally created by its founders from LogicBlaze in 2004, as an open source message broker, hosted by CodeHaus. The code and ActiveMQ trademark were donated to the Apache Software Foundation in 2007, where the founders continued to develop the codebase with the extended Apache community.
The Apache Software Foundation developed ActiveMQ into an open source message broker that functions as an implementation of message-oriented middleware (MOM). Its basic function is to pass messages between different applications, and it also supports the Simple Text Oriented Message Protocol (STOMP), the Java Message Service (JMS) API and the OpenWire protocol.
Message brokers like Apache ActiveMQ are often found in enterprise systems — or any systems that have a complex architecture. The goal of the implementation is to create reliable communication between the various components of the enterprise system.
ActiveMQ Artemis is an open source project for an asynchronous messaging system. It originates from the HornetQ messaging system which was donated to Apache in 2014. It retains compatibility with HornetQ while adding many interesting features. It is high performance, embeddable, clustered and supports multiple protocols. JBoss EAP 7 uses Apache ActiveMQ Artemis as its JMS broker and is configured using the messaging-activemq subsystem.
ActiveMQ Artemis has a pluggable protocol architecture. Protocol plugins come in the form of ActiveMQ Artemis protocol modules. Each protocol module is added to the broker's class path and is loaded by the broker at boot time.
ActiveMQ Artemis ships with five (5) protocol modules out of the box, which support the protocols listed below. In addition to these protocols, it also supports its own high-performance native protocol, "Core".
ActiveMQ Artemis offers support for the following protocols.
| No. | Acronym | Protocol Name |
|---|---|---|
| 1. | AMQP | Advanced Message Queuing Protocol |
| 2. | OpenWire | OpenWire Protocol |
| 3. | MQTT | Message Queuing Telemetry Transport Protocol |
| 4. | STOMP | Simple Text Oriented Message Protocol |
| 5. | HornetQ | HornetQ Protocol |
| 6. | Core | Core Native Protocol |
The Apache ActiveMQ Service listens on port 61616/TCP.
Problem
CVE-2026-34197 in Apache ActiveMQ is a high-severity remote code execution flaw that stems from insecure handling of the Jolokia management API, where attackers can send crafted requests that force the broker to load a malicious remote configuration (e.g., a Spring XML file) and execute arbitrary system commands during initialization.
Although the vulnerability typically requires authenticated access, real-world exploitation is made practical because default credentials are often left unchanged or because a separate issue can expose the API without authentication, effectively lowering the barrier to entry. Threat actors are actively exploiting this by targeting exposed ActiveMQ instances, abusing the management interface to achieve full control of the broker.
CVE-2023-46604 was exploited in two different customer environments investigated by Rapid7. In both instances, the adversary attempted to deploy ransomware binaries on target systems in an effort to ransom the victim organisations. Based on the ransom note and available evidence, the activity was attributed to the HelloKitty ransomware family, whose source code was leaked on a forum in early October 2023. Rapid7 observed similar indicators of compromise across the affected customer environments, both of which were running outdated versions of Apache ActiveMQ.
On 20 November 2023, the cyber security company Trend Micro reported active exploitation of CVE-2023-46604 to infect Linux systems with the Kinsing malware (also known as h2miner) and a cryptocurrency miner.
Recommendations.
Secure ActiveMQ by minimising exposure, enforcing strong authentication and least-privilege authorisation, disabling unnecessary interfaces and features, and keeping the system continuously patched and monitored for suspicious activity.
1. Network Exposure
- Do not expose broker ports to the public internet (e.g. 61616, 61617, 61614)
- Restrict access to internal networks only
- Use firewalls or security groups to limit traffic
- Place brokers behind internal load balancers or service meshes
2. Authentication
- Disable anonymous access
- Avoid default credentials
- Use strong authentication mechanisms
- Integrate with centralised identity systems where possible
3. Authorisation
- Implement role-based access control
- Apply least privilege principles
- Restrict queue and topic creation permissions
- Avoid wildcard permissions in production
4. Management Interfaces
- Disable web console if not needed
- Restrict access by IP allowlisting
- Protect interfaces with VPN or authentication proxies
- Secure or disable JMX/Jolokia endpoints
5. Patch Management
- Keep ActiveMQ updated to the latest supported version
- Monitor security advisories and CVEs
- Apply patches promptly
- Track KEV-listed vulnerabilities
6. Serialisation and Protocol Security
- Disable unsafe deserialisation where possible
- Restrict trusted Java packages
- Disable unused messaging protocols
- Validate message size and structure
7. System Hardening
- Run ActiveMQ under a non-root user
- Use OS-level security controls such as SELinux or AppArmor
- Isolate broker processes in containers when possible
8. Monitoring and Logging
- Enable detailed broker logging
- Monitor authentication attempts and anomalies
- Forward logs to a SIEM system
- Alert on unusual traffic patterns or errors
9. Configuration Hygiene
- Remove default queues and sample configurations
- Audit connection factories and plugins
- Disable unused features and connectors
10. Architecture Best Practices
- Separate environments (dev, staging, production)
- Avoid shared multi-tenant brokers without isolation
- Use message gateways for validation where appropriate
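An added example, not part of the Shadowserver report or the ActiveMQ project: a Python audit of an ActiveMQ Classic activemq.xml that flags the weak settings covered by sections 1 to 3 above (connectors bound to every interface, missing or anonymous authentication, credentials equal to the username, and bare wildcard authorisation entries). The broker configuration it parses is constructed for the example; the element and attribute names are the ones ActiveMQ Classic uses.

```python
"""Audit an ActiveMQ Classic activemq.xml for weak settings: exposed connectors, missing or
anonymous authentication, default-style credentials and bare wildcard authorisation entries."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample configuration (not taken from the report) showing several weaknesses.
SAMPLE_WEAK_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost">
    <plugins>
      <simpleAuthenticationPlugin anonymousAccessAllowed="true">
        <users><authenticationUser username="admin" password="admin" groups="admins"/></users>
      </simpleAuthenticationPlugin>
      <authorizationPlugin><map><authorizationMap><authorizationEntries>
        <authorizationEntry queue=">" read="admins" write="admins" admin="admins"/>
      </authorizationEntries></authorizationMap></map></authorizationPlugin>
    </plugins>
    <transportConnectors>
      <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>
      <transportConnector name="stomp" uri="stomp://10.0.5.10:61613"/>
    </transportConnectors>
  </broker>
</beans>"""

def find_all(node, name):
    """Match elements by local name, ignoring the Spring and ActiveMQ XML namespaces."""
    return [e for e in node.iter() if e.tag.rsplit("}", 1)[-1] == name]

def audit_activemq_xml(xml_text):
    """Return (severity, message) findings for one activemq.xml document."""
    root = ET.fromstring(xml_text)
    findings = []
    for tc in find_all(root, "transportConnector"):            # 1. network exposure
        uri = tc.get("uri", "")
        if (urlparse(uri).hostname or "") in ("0.0.0.0", "::", ""):
            findings.append(("high", f"connector '{tc.get('name')}' binds all interfaces: {uri}"))
    if not (find_all(root, "simpleAuthenticationPlugin") or find_all(root, "jaasAuthenticationPlugin")):
        findings.append(("high", "no authentication plugin configured"))   # 2. authentication
    for plugin in find_all(root, "simpleAuthenticationPlugin"):
        if plugin.get("anonymousAccessAllowed", "false").lower() == "true":
            findings.append(("high", "anonymousAccessAllowed=true on simpleAuthenticationPlugin"))
        for user in find_all(plugin, "authenticationUser"):    # heuristic for default credentials
            if user.get("username") == user.get("password"):
                findings.append(("high", f"user '{user.get('username')}' has password equal to username"))
    if not find_all(root, "authorizationPlugin"):              # 3. authorisation
        findings.append(("medium", "no authorizationPlugin: authenticated users are unrestricted"))
    for entry in find_all(root, "authorizationEntry"):
        for kind in ("queue", "topic"):
            if entry.get(kind) == ">":
                findings.append(("medium", f"wildcard {kind} entry '>' grants admin to '{entry.get('admin')}'"))
    return findings
```

The script does not inspect jetty.xml or jolokia-access.xml, where the web console and Jolokia endpoint from section 4 are configured; those files need a separate review.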
Common Vulnerabilities & Exposures (CVEs)
Systems used for reporting and assessing the severity of security vulnerabilities.
| No. | System | Description |
|---|---|---|
| 1. | Common Vulnerabilities and Exposures (CVE) | The CVE system is used to identify, define, catalogue and publicly disclose known information-security vulnerabilities and exposures. |
| 2. | The Common Vulnerability Scoring System (CVSS) | CVSS is a free and open industry standard for assessing the severity of computer system security vulnerabilities. It provides a numerical (0-10) representation of the severity of an information security vulnerability. |
CVSSv3.0 Metrics.
| No. | Base Score Range | Severity |
|---|---|---|
| 1. | 0.0 | None |
| 2. | 0.1 - 3.9 | Low |
| 3. | 4.0 - 6.9 | Medium |
| 4. | 7.0 - 8.9 | High |
| 5. | 9.0 - 10.0 | Critical |
Additional Information
Shadowserver Foundation - Accessible ActiveMQ Service Report.
Apache ActiveMQ - Flexible & Powerful Open Source Multi-Protocol Messaging.
Rapid7 - Suspected Exploitation of Apache ActiveMQ CVE-2023-46604.
The Register - Critical Apache ActiveMQ flaw under attack by 'clumsy' ransomware crims.
Debian LTS Advisory DLA-3657-1 - ActiveMQ Security Update.
CVE-2023-46604 (Apache ActiveMQ) Exploited to infect Systems with Cryptominers and Rootkits.
ActiveMQ Artemis - Apache ActiveMQ Artemis User Manual.