CISA tells feds to patch 13-year-old Apache ActiveMQ bug under active attack
Summary
CISA has issued a directive to federal agencies, mandating a two-week deadline for patching a long-standing vulnerability in Apache ActiveMQ. This critical bug, which has been present for over 13 years, is now actively being exploited by attackers.
IFF Assessment
The active exploitation of a known, decade-old vulnerability represents a significant risk to organizations that have not yet patched it.
Defender Context
This directive highlights the persistent threat posed by unpatched legacy vulnerabilities. Defenders should prioritize inventorying and patching Apache ActiveMQ instances, especially those exposed to the internet. The inclusion on CISA's Known Exploited Vulnerabilities (KEV) catalog signifies that agencies must address this flaw to avoid potential enforcement actions and further compromise.