The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned on Thursday that a high-severity Apache ActiveMQ vulnerability patched earlier this month is now actively exploited in attacks. Apache ActiveMQ is the most popular open-source Java-based message broker for asynchronous communication between applications. Tracked as CVE-2026-34197, the security flaw has gone undetected for 13 years and was discovered by Horizon3 researcher Naveen Sunkavally using the Claude AI assistant. Sunkavally explained that the vulnerability stems from improper input validation, which allows authenticated threat actors to execute arbitrary code via injection attacks. The Apache maintainers patched the vulnerability on March 30in ActiveMQ Classic versions 6.2.3 and 5.19.4. "We recommend organizations running ActiveMQ treat this as a high priority, as ActiveMQ has been a repeated target for real-world attackers, and methods for exploitation and post-exploitation of ActiveMQ are well-known," Horizon3 warned. Threat monitoring service ShadowServer is currently tracking more than 7,500 Apache ActiveMQ servers exposed online. ​​​On Thursday, CISA added CVE-2026-34197 to its Known Exploited Vulnerabilities (KEV) Catalog and ordered Federal Civilian Executive Branch (FCEB) agencies to patch ActiveMQ servers within two weeks, by April 30, as mandated by Binding Operational Directive (BOD) 22-01. Horizon3 researchers said that signs of exploitation can be found by analyzing the ActiveMQ broker logs and recommended looking for suspicious broker connections that use the brokerConfig=xbean:http:// query parameter and the internal transport protocol VM.