HIGH
Apache ActiveMQ Classic Carries 13-Year-Old RCE Risk via Unauthenticated Jolokia API
Security researchers disclosed an RCE vulnerability in Apache ActiveMQ Classic that has existed undetected for 13 years. The core RCE requires authentication, but a separate flaw exposes the Jolokia JMX API endpoint without authentication — providing a practical exploitation path.
Apache ActiveMQ Classic is widely deployed as a message broker in enterprise Java environments. Organizations should apply the available patch immediately and audit whether the Jolokia endpoint is exposed externally. The combination of a 13-year lifespan and wide deployment makes this a significant patching priority even before active exploitation is confirmed.
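One way to start the exposure audit recommended above, as an added example that is not part of the original report: scan web access logs for Jolokia requests that succeeded with no authenticated user, and label each source as internal or external. It assumes Combined Log Format logs (for example from a reverse proxy in front of the web console), the default ActiveMQ Classic Jolokia path `/api/jolokia`, and a hypothetical list of internal address ranges; the log lines are constructed.

```python
import ipaddress
import re

# Assumption: default ActiveMQ Classic web-console path for Jolokia.
JOLOKIA_PREFIX = "/api/jolokia"
# Assumption: ranges treated as internal; adjust to your own network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Combined Log Format: ip ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def is_internal(ip_text):
    """True if the client address falls inside one of INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:          # hostname or malformed field: treat as external
        return False
    return any(ip in net for net in INTERNAL_NETS)

def audit(lines):
    """Return (scope, ip, path, status) for Jolokia requests that returned
    2xx while the log's remote-user field was empty ("-")."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(JOLOKIA_PREFIX):
            continue
        status = int(m["status"])
        if m["user"] == "-" and 200 <= status < 300:
            scope = "internal" if is_internal(m["ip"]) else "external"
            findings.append((scope, m["ip"], m["path"], status))
    return findings

# Constructed sample log lines (not taken from any real system).
SAMPLE = [
    '10.1.2.3 - admin [01/Jan/2025:10:00:00 +0000] "GET /api/jolokia/version HTTP/1.1" 200 512 "-" "curl"',
    '203.0.113.7 - - [01/Jan/2025:10:00:05 +0000] "POST /api/jolokia HTTP/1.1" 200 2048 "-" "client"',
    '203.0.113.9 - - [01/Jan/2025:10:00:09 +0000] "GET /api/jolokia HTTP/1.1" 401 0 "-" "client"',
    '192.168.1.5 - - [01/Jan/2025:10:01:00 +0000] "GET /api/jolokia/list HTTP/1.1" 200 9000 "-" "client"',
    '203.0.113.7 - - [01/Jan/2025:10:02:00 +0000] "GET /admin/queues.jsp HTTP/1.1" 200 300 "-" "client"',
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

An "external" finding means the endpoint answered an outside client without credentials; an "internal" one still shows authentication is not being enforced on that path.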