MEDIUM: Accessible ActiveMQ Service Report

DESCRIPTION LAST UPDATED: 2026-04-20

DEFAULT SECURITY LEVEL: MEDIUM

Introduction

This report identifies accessible Apache ActiveMQ servers on port 61616/TCP. ActiveMQ is a popular open source multi-protocol message broker.

ActiveMQ has a set of security features which should be enabled if possible.

Additionally, different ActiveMQ versions have had multiple CVE found in them in the past.

CVE-2026-34197 (Apache ActiveMQ Improper Input Validation Vulnerability). This is known exploited in the wild and on CISA KEV. This is a version based check. Tagged as cve-2026-34197.Check for patch info at https://activemq.apache.org/security-advisories.data/CVE-2026-34197-announcement.txt. [tagging first added 2026-04-17].
CVE-2023-46604 (Unbounded deserialization causes ActiveMQ to be vulnerable to a remote code execution (RCE) attack) was disclosed on the 27th of October 2023. As described in the NVD entry for CVE-2023-46604 the vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath. Users are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue. Tagged as cve-2023-46604. See https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt

How we scan

We scan by sending an equivalent of a “hello” using the OpenWire protocol WireFormatInfo request and expecting a BrokerInfo response.

We determine a vulnerability through a version check only.

We do not perform any intrusive checks on a discovered service.

Events with a CVE tag are assigned severity level CRITICAL.

Dashboard

You can track accessible ActiveMQ servers on our Dashboard. You can then select the cve-2026-34197 or select the cve-2023-46604 tag to view instances with that particular vulnerability.

Mitigation

If you receive a report from us with an accessible ActiveMQ service, make sure it is configured appropriately according to your security policy which may include restriction to trusted sources only.

If you received a report with events tagged cve-2026-34197 or cve-2023-46604 make sure to investigate for possible compromise and patch!

Severity levels are described here.

For more information on our scanning efforts, check out our Internet scanning summary page.

This report has an IPv4 and IPv6 version.

Filename: scan_activemq, scan6_activemq

Fields

timestamp

Time that the IP was probed in UTC+0
severity

Severity level
ip

The IP address of the device in question
protocol

Protocol that response came on (always TCP)
port

Port that the response came from (typically 61616/TCP)
hostname

Reverse DNS name of the device in question
tag

Tag set to activemq only if not found vulnerable. A cve-2026-34197 or cve-2023-46604 tag will be set if the ActiveMQ service is found vulnerable to one of these CVEs.
asn

ASN of where the device in question resides
geo

Country where the device in question resides
region

State / Province / Administrative region where the device in question resides
city

City in which the device in question resides
naics

North American Industry Classification System Code
hostname_source

Hostname source
sector

Sector of the device in question
command

Command sent (WireFormatInfo)
vendor

ActiveMQ vendor
version

ActiveMQ service version

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","hostname_source","sector","command","vendor","version"
"2010-02-10 00:00:00",medium,192.168.0.1,tcp,61616,node01.example.com,activemq;cve-2023-46604,64512,ZZ,Region,City,0,,,WireFormatInfo,ActiveMQ,5.17.4
"2010-02-10 00:00:01",medium,192.168.0.2,tcp,61616,node02.example.com,activemq;cve-2023-46604,64512,ZZ,Region,City,0,,,WireFormatInfo,ActiveMQ,5.16.5
"2010-02-10 00:00:02",medium,192.168.0.3,tcp,61616,node03.example.com,activemq;cve-2023-46604,64512,ZZ,Region,City,0,,,WireFormatInfo,ActiveMQ,5.15.2

Our 141 Report Types

« Back to Network Reporting