{"id":5115,"date":"2026-04-12T05:42:54","date_gmt":"2026-04-12T05:42:54","guid":{"rendered":"https:\/\/ft365.org\/index.php\/2026\/04\/12\/claude-discovers-apache-activemq-bug-hidden-for-13-years\/"},"modified":"2026-04-12T05:42:54","modified_gmt":"2026-04-12T05:42:54","slug":"claude-discovers-apache-activemq-bug-hidden-for-13-years","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2026\/04\/12\/claude-discovers-apache-activemq-bug-hidden-for-13-years\/","title":{"rendered":"Claude Discovers Apache ActiveMQ Bug Hidden for 13 Years"},"content":{"rendered":"<div>\n<p><img decoding=\"async\" src=\"https:\/\/ft365.org\/wp-content\/uploads\/2025\/06\/localimages\/ea721ff9-8ba4-4d88-b386-57e9e1606077.jpg?width=64&#038;height=64&#038;mode=crop&#038;scale=both&#038;format=webp\" alt=\"Photo of Phil Muncaster\" loading=\"lazy\"><\/p>\n<\/div>\n<div id=\"cphContent_pnlArticleBody\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>An AI-powered vulnerability-hunting effort helped security researchers discover a flaw in Apache ActiveMQ Classic that they claim was \u201chiding in plain sight\u201d for over a decade.<\/p>\n<p>Horizon3.ai chief architect, Naveen Sunkavally, explained in a blog post, published on April 7, that remote code execution (RCE) bug CVE-2026-34197 should be treated as a high priority for organizations running the open source message broker.<\/p>\n<p>\u201cAn attacker can invoke a management operation through ActiveMQ\u2019s Jolokia API to trick the broker into fetching a remote configuration file and running arbitrary OS commands,\u201d he explained.<\/p>\n<p>\u201cThe vulnerability requires credentials, but default credentials (admin:admin) are common in many environments. On some versions (6.0.0-6.1.1), no credentials are required at all due to another vulnerability, CVE-2024-32114, which inadvertently exposes the Jolokia API without authentication. 
In those versions, CVE-2026-34197 is effectively an unauthenticated RCE.\u201d<\/p>\n<p>CVE-2026-34197 was patched in ActiveMQ Classic versions 5.19.4 and 6.2.3, so it\u2019s recommended that users update and ensure no default credentials are in use.<\/p>\n<p>Organizations concerned they may have been compromised via the RCE bug should look in their ActiveMQ broker logs for network connector activity referencing\u00a0vm:\/\/\u00a0URIs with\u00a0brokerConfig=xbean:http.<\/p>\n<p>Other indicators of compromise include:<\/p>\n<ul>\n<li>POST requests to\u00a0\/api\/jolokia\/\u00a0containing\u00a0addNetworkConnector\u00a0in the request body<\/li>\n<li>Outbound HTTP requests from the ActiveMQ broker process to unexpected hosts<\/li>\n<li>Unexpected child processes spawned by the ActiveMQ Java process<\/li>\n<\/ul>\n<h2><strong>AI Finds the Flaw<\/strong><\/h2>\n<p>The discovery of CVE-2026-34197 was \u201c80% Claude,\u201d\u00a0Anthropic&#8217;s AI, and \u201c20% gift-wrapping by a human,\u201d Sunkavally explained.<\/p>\n<p>\u201cThese days I always use Claude to take a first pass at source code for vulnerability hunting. I prompt it lightly and set up a target on the network for it to validate findings,\u201d he said.<\/p>\n<p>\u201cA lot of the time, Claude finds interesting stuff but it doesn\u2019t quite rise to the level of a CVE I\u2019d bother reporting. In this case, it did a great job, with nothing more than a couple of basic prompts.\u201d<\/p>\n<p>The flaw had lain hidden for 13 years partly because it involved multiple components developed independently over that time, Sunkavally said. 
In isolation, each feature looked fine, but they became dangerous when chained together.<\/p>\n<p>\u201cThis is exactly where Claude shone \u2013 efficiently stitching together this path end to end with a clear head free of assumptions,\u201d he continued. \u201cSomething that would have probably taken me a week manually took Claude 10 minutes.\u201d<\/p>\n<p>Sunkavally urged appsec engineers and developers to use tools like Claude in their work, claiming that \u201canyone with a security background can take advantage.\u201d<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>An AI-powered vulnerability-hunting effort helped security researchers discover a flaw in Apache ActiveMQ Classic that they claim was \u201chiding in plain sight\u201d for over a decade. Horizon3.ai chief architect, Naveen Sunkavally, explained in a blog post, published on April 7, that remote code execution (RCE) bug CVE-2026-34197 should be treated as a high priority for<\/p>\n","protected":false},"author":2,"featured_media":5116,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-5115","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5115-4e38a2d7-30d8-43be-8fa5-1b734c87a9c9.jpg",300,300,false],"thumbnail":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5115-4e38a2d7-30d8-43be-8fa5-1b734c87a9c9-150x150.jpg",150,150,true],"medium":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5115-4e38a2d7-30d8-43be-8fa5-1b734c87a9c9.jpg",300,300,false],"medium_large":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5115-4e38a2d7-30d8-43be-8fa5-1b734c87a9c9.jpg",300,300,false],"large":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5115-4e38a2d7-30d8-43be-8fa5-1b734c87a9c9.jpg",300,300,false],"1536x1536":["http:\/\/ft365.
org\/wp-content\/uploads\/2026\/04\/5115-4e38a2d7-30d8-43be-8fa5-1b734c87a9c9.jpg",300,300,false],"2048x2048":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5115-4e38a2d7-30d8-43be-8fa5-1b734c87a9c9.jpg",300,300,false],"morenews-featured":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5115-4e38a2d7-30d8-43be-8fa5-1b734c87a9c9.jpg",300,300,false],"morenews-large":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5115-4e38a2d7-30d8-43be-8fa5-1b734c87a9c9.jpg",300,300,false],"morenews-medium":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5115-4e38a2d7-30d8-43be-8fa5-1b734c87a9c9.jpg",300,300,false],"crawlomatic_preview_image":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5115-4e38a2d7-30d8-43be-8fa5-1b734c87a9c9-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"http:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a href=\"http:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/5115","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=5115"}],"version-history":[{"count":0,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/5115\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/5116"}],"wp:attachment":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=5115"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=5115"},{"taxonomy":
"post_tag","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=5115"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}