RANDOM CHAOS

CISA: 13-Year-Old ActiveMQ Flaw Found by Claude AI Now Under Active Exploit

Via BleepingComputer. Original source: "CISA flags Apache ActiveMQ flaw as actively exploited in attacks" (BleepingComputer).

CISA added CVE-2026-34197, a high-severity Apache ActiveMQ vulnerability, to its Known Exploited Vulnerabilities catalog this week, giving federal agencies until April 30 to patch under BOD 22-01. The flaw sat undetected in the popular Java message broker for 13 years until Horizon3 researcher Naveen Sunkavally surfaced it using Anthropic’s Claude assistant. It stems from improper input validation and lets authenticated attackers achieve arbitrary code execution through injection. It was patched on March 30 in ActiveMQ Classic 6.2.3 and 5.19.4.

ShadowServer counts more than 7,500 ActiveMQ instances exposed to the internet, and the broker has a long history as an attacker target - CISA previously flagged CVE-2023-46604 (weaponized by TellYouThePass ransomware) and CVE-2016-3088 as actively exploited. Defenders should hunt broker logs for suspicious connections that use the brokerConfig=xbean:http:// query parameter alongside the internal VM transport protocol; both are indicators tied to exploitation attempts.
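One way to run that log hunt, as an added example that is not from the article, CISA or Horizon3. The log line layout, the sample lines and the names `normalize` and `scan` are constructed for illustration, and also matching `https://` and percent-encoded forms is an assumption that goes beyond the literal indicator.

```python
import re
from urllib.parse import unquote

# Indicators named in the article. Matching https as well is an assumption added here.
REMOTE_XBEAN = re.compile(r"brokerconfig\s*=\s*xbean:https?://[^\s&]*", re.I)
VM_TRANSPORT = re.compile(r"\bvm://", re.I)


def normalize(line, rounds=3):
    """Percent-decode repeatedly so single- and double-encoded URIs still match."""
    for _ in range(rounds):
        decoded = unquote(line)
        if decoded == line:
            break
        line = decoded
    return line


def scan(lines):
    """Return (line_no, verdict, matched_text) for lines carrying the remote xbean indicator."""
    hits = []
    for no, raw in enumerate(lines, 1):
        text = normalize(raw)
        m = REMOTE_XBEAN.search(text)
        if not m:
            continue  # vm:// alone is normal for embedded brokers, so it is not flagged
        verdict = "both-indicators" if VM_TRANSPORT.search(text) else "xbean-only"
        hits.append((no, verdict, m.group(0)))
    return hits


# Constructed sample lines, not real ActiveMQ log output (documentation IP ranges).
SAMPLE = [
    "2026-04-20 10:01:02 INFO Connector vm://localhost started",
    "2026-04-20 10:03:15 WARN uri=vm://localhost?brokerConfig=xbean:http://198.51.100.7/a.xml",
    "2026-04-20 10:04:40 WARN uri=vm%3A%2F%2Flocalhost%3FbrokerConfig%3Dxbean%3Ahttp%3A%2F%2F198.51.100.7%2Fa.xml",
    "2026-04-20 10:05:00 INFO brokerConfig=xbean:activemq.xml loaded",
    "2026-04-20 10:06:11 WARN param BROKERCONFIG=xbean:http://203.0.113.9/b.xml",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

A local `xbean:activemq.xml` reference and a bare `vm://` connector are left alone; only a remote `xbean:http(s)://` value is reported, with the verdict showing whether the VM transport appears on the same line.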

The discovery is a notable data point on AI-assisted vulnerability research: a human researcher paired with an LLM produced a working finding in code that survived more than a decade of human review. Expect the pattern - and the resulting disclosures - to accelerate.

This is an AI-generated summary. Read the original for the full story.