Monday, December 8, 2025

Active Exploitation of Vulnerabilities in Apache Tomcat and Camel

In March 2025, the Apache Software Foundation disclosed several high-severity vulnerabilities impacting two of its most widely deployed platforms: Apache Tomcat and Apache Camel.

Within days, active scanning and exploitation attempts surged worldwide, prompting urgent patching advisories from security researchers and vendors.

Critical Flaws Uncovered

The standout vulnerability, CVE-2025-24813, affects Apache Tomcat versions 9.0.0.M1 to 9.0.98, 10.1.0-M1 to 10.1.34, and 11.0.0-M1 to 11.0.2.

This flaw enables remote code execution (RCE) if Tomcat is configured with HTTP session persistence and non-readonly PUT operations are enabled.

At its core, the vulnerability exploits Tomcat’s handling of partial HTTP PUT requests that contain the Content-Range header.

[Figure: Two steps of the exploit.]

Attackers can craft a PUT request to overwrite serialized session files, injecting malicious payloads, and then trigger them via a crafted session ID in a follow-up GET request, leading to arbitrary code execution with Tomcat privileges.

Almost simultaneously, two RCE vulnerabilities, CVE-2025-27636 and CVE-2025-29891, were revealed in Apache Camel, impacting versions 4.10.0 to 4.10.1, 4.8.0 to 4.8.4, and 3.10.0 to 3.22.3.

Here, attackers manipulate HTTP headers with subtle case changes, bypassing Camel’s internal header filtering mechanisms.

If an application includes specific Camel components (such as camel-exec), a specially crafted HTTP header can lead Camel to execute arbitrary system commands.
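The header-casing bypass described above is easy to model and to check for. The following is an added example, not Camel's own code: a simplified case-sensitive prefix filter of the kind the advisory describes as bypassable, the case-insensitive filter that closes the gap, and a detection helper that lists exactly the header names a case-sensitive check would let through. The header names and values in the sample request are constructed (only CAmelExecCommandExecutable comes from this post); the prefix list is an assumption about which names count as internal.

```python
from typing import List, Tuple

Header = Tuple[str, str]

# Assumed prefixes of headers that are internal to Camel and must never be
# accepted from an external HTTP caller.
INTERNAL_PREFIXES = ("Camel", "org.apache.camel")


def legacy_filter(headers: List[Header]) -> List[Header]:
    """Case-sensitive prefix check: the weak behaviour the advisory describes.

    Kept only to show the gap: "CAmel..." or "camel..." pass straight through.
    """
    return [(n, v) for n, v in headers if not n.startswith(INTERNAL_PREFIXES)]


def is_internal_header(name: str) -> bool:
    """Case-insensitive check: any casing of an internal prefix counts as internal."""
    lowered = name.lower()
    return lowered.startswith(tuple(p.lower() for p in INTERNAL_PREFIXES))


def hardened_filter(headers: List[Header]) -> List[Header]:
    """Drop internal headers regardless of how the caller cased them."""
    return [(n, v) for n, v in headers if not is_internal_header(n)]


def case_variant_internal_headers(headers: List[Header]) -> List[str]:
    """Detection: names that are internal by case-insensitive match but not by
    canonical casing, i.e. precisely the ones a case-sensitive filter misses."""
    return [
        n for n, _ in headers
        if is_internal_header(n) and not n.startswith(INTERNAL_PREFIXES)
    ]


# Constructed inbound request headers (values are placeholders, not payloads).
SAMPLE_HEADERS: List[Header] = [
    ("Host", "integration.example.internal"),
    ("Content-Type", "application/json"),
    ("CAmelExecCommandExecutable", "<placeholder>"),  # casing this post reports as an IoC
    ("camelExecCommandArgs", "<placeholder>"),        # constructed lower-case variant
    ("CamelHttpMethod", "POST"),                       # canonical casing, dropped either way
]

if __name__ == "__main__":
    print("slips past case-sensitive filter:", case_variant_internal_headers(SAMPLE_HEADERS))
    print("forwarded after hardened filter:", [n for n, _ in hardened_filter(SAMPLE_HEADERS)])
```

Running `case_variant_internal_headers` over the headers of inbound requests at a reverse proxy or WAF gives a cheap detection signal for this bypass; `hardened_filter` is the shape of check an application should apply to anything it forwards into a Camel route while the patched version is being rolled out.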

Exploitation in the Wild and Mitigations

Security researchers quickly developed and released proof-of-concept exploits. Telemetry from Palo Alto Networks indicated over 125,000 probes and exploitation attempts in March alone, many of which utilized automated tools such as the Nuclei Scanner.

Attackers targeted servers globally, attempting to deploy malware, obtain remote shells, or gain persistent access to vulnerable systems.

Indicators of compromise include unexpected session files, suspicious HTTP requests with six-character session names, and headers like CAmelExecCommandExecutable. Multiple source IP addresses associated with scanning activity have also been published.
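The two-step Tomcat pattern described earlier (a partial PUT carrying Content-Range, then a GET presenting a crafted session ID) and the indicators listed in this paragraph can be checked against access logs. Below is an added example, not Palo Alto Networks' or the Tomcat project's code: it parses lines written with an assumed custom AccessLogValve pattern that records the Content-Range header and the JSESSIONID cookie, correlates partial PUTs to a `session` path with later GETs whose session ID points at the staged file, flags six-character session names, and matches source IPs against the list in the Indicators of Compromise section of this post. The log lines are constructed, and the rule that maps a PUT path to a session file name is a simplified assumption.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed AccessLogValve pattern for these lines (set in server.xml):
#   pattern='%h "%r" %s "%{Content-Range}i" "%{JSESSIONID}c"'
# Tomcat writes "-" when the header or cookie is absent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
    r'"(?P<content_range>[^"]*)" "(?P<jsessionid>[^"]*)"$'
)

# Source IPs published in the IoC section of this post, refanged for matching.
IOC_IPS = {ip.replace("[.]", ".") for ip in (
    "167.172.67[.]75", "54.193.62[.]84", "96.113.95[.]10",
    "209.189.232[.]134", "162.241.149[.]101",
)}


@dataclass
class Alert:
    line_no: int
    ip: str
    reasons: List[str] = field(default_factory=list)


def staged_session_name(path: str) -> Optional[str]:
    """Session ID a partial PUT to '<dir>/session' could later be presented as.

    Assumption (simplified): the staged file name is the path with '/' replaced
    by '.', so '/abcdef/session' corresponds to the session ID '.abcdef'.
    """
    if not path.endswith("/session"):
        return None
    return path[: -len("/session")].replace("/", ".")


def analyze(lines: List[str]) -> List[Alert]:
    alerts: List[Alert] = []
    staged = {}  # session ID -> line number of the partial PUT that staged it
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unexpected format: skip rather than guess
        rec = m.groupdict()
        reasons: List[str] = []
        if rec["ip"] in IOC_IPS:
            reasons.append("source IP in published IoC list")
        if rec["method"] == "PUT" and rec["content_range"] != "-":
            reasons.append("partial PUT with Content-Range (feature should be disabled)")
            name = staged_session_name(rec["path"])
            if name:
                staged[name] = n
                reasons.append("partial PUT targets a session file")
        if rec["method"] == "GET" and rec["jsessionid"] != "-":
            sid = rec["jsessionid"]
            if sid.startswith("."):
                reasons.append("JSESSIONID with leading dot (file-path-like session ID)")
            if len(sid.lstrip(".")) == 6:
                reasons.append("six-character session name")
            if sid in staged:
                reasons.append(f"session ID matches file staged by PUT on line {staged[sid]}")
        if reasons:
            alerts.append(Alert(n, rec["ip"], reasons))
    return alerts


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.9 "GET /index.html HTTP/1.1" 200 "-" "4F1A2B3C4D5E6F708192A3B4C5D6E7F8"',
    '167.172.67.75 "PUT /abcdef/session HTTP/1.1" 409 "bytes 0-1023/2048" "-"',
    '167.172.67.75 "GET /index.jsp HTTP/1.1" 200 "-" ".abcdef"',
    '198.51.100.4 "PUT /files/report.txt HTTP/1.1" 201 "-" "-"',
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"line {a.line_no} {a.ip}: " + "; ".join(a.reasons))
```

The partial-PUT check fires on its own, without any correlation, because a PUT that carries Content-Range is the feature the mitigations below say to switch off; the correlation with a later GET is what distinguishes a probe from a completed two-step attempt and is worth a higher severity.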

Mitigation is clear: organizations running affected Tomcat or Camel versions must apply the latest security patches without delay.

If patching is not immediately possible, disabling partial PUT support and Tomcat session persistence, and restricting HTTP header processing in Camel, serve as temporary mitigations.

Palo Alto Networks and other security vendors have updated their firewall and threat intelligence products to detect and block related exploit attempts.

With Apache Tomcat and Camel forming the backbone of millions of web and integration applications, the criticality of these flaws cannot be overstated.

The rapid weaponization of public exploits underscores the urgent need for prompt patching and vigilant monitoring of enterprise environments.

Indicators of Compromise

Source IP addresses seen for CVE-2025-24813

167.172.67[.]75

54.193.62[.]84

96.113.95[.]10

209.189.232[.]134

162.241.149[.]101
