Palo Alto Networks’ Unit 42 has reported on three critical vulnerabilities affecting Apache Tomcat and Apache Camel, all disclosed in March 2025. The flaws, CVE-2025-24813 (Tomcat), CVE-2025-27636 and CVE-2025-29891 (Camel), can lead to remote code execution (RCE). They pose a significant threat because Tomcat is widely deployed to host Java web applications and Camel is widely used for enterprise messaging and system integration. Shortly after disclosure, proof-of-concept (PoC) exploits were published, and mass scanning and exploitation attempts surged.
Severity Level: High
Threat Details
1. CVE-2025-24813 – Apache Tomcat Partial PUT Remote Code Execution
Description:
This vulnerability stems from how Tomcat’s DefaultServlet handles partial PUT requests. When the DefaultServlet permits writes, a PUT carrying a Content-Range header is first written to a temporary file in Tomcat’s work directory, named after the request path with the slashes replaced by dots. Tomcat’s file-based session store (FileStore) uses that same work directory by default, so an attacker can upload a serialized Java object as a .session file and then send a request whose JSESSIONID cookie names that file. Tomcat loads and deserializes the file as a session; with a suitable gadget library on the classpath, this results in code execution.
Preconditions for Exploitation:
- DefaultServlet writes enabled: the readonly init-param set to false in web.xml (the default is true)
- Partial PUT support enabled on the DefaultServlet (the default)
- File-based session persistence enabled in context.xml (PersistentManager with FileStore) using the default storage location
- A library on the classpath that can be leveraged in a deserialization attack (per the Apache advisory, this is required for RCE; without it the flaw is limited to file write/disclosure)
Impact:
- Allows arbitrary file write and remote code execution
- High severity when Tomcat is internet-facing
Exploit Pattern:
- PUT /<name>.session with a Content-Range header → temporary file .<name>.session written to the work directory
- GET request with cookie JSESSIONID=.<name> → Tomcat loads and deserializes the file, triggering execution
2. CVE-2025-27636 & CVE-2025-29891 – Apache Camel Header Injection RCE
Description:
Apache Camel’s default header filter strategy blocks inbound headers whose names begin with its internal prefixes (Camel, camel, org.apache.camel.), such as CamelExecCommandExecutable. The prefix comparison is case-sensitive, so an attacker can bypass it by altering the casing of the name (e.g., CAmelExecCommandExecutable); the header then reaches the route with its original meaning. If a component that acts on such headers is present, for example camel-exec, the injected header results in direct command execution.
Impact:
- Affected Camel components can be hijacked to run attacker-supplied commands (e.g., reverse shells)
- Exploitable via malicious HTTP headers
Root Cause:
- Inconsistent, case-sensitive prefix filtering in Camel’s header filter strategy (DefaultHeaderFilterStrategy, which HttpHeaderFilterStrategy.java extends)
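The following is an added example, not Apache Camel source code. It models the prefix check described above so the bypass and its fix can be exercised offline: the prefix list mirrors Camel’s default header filter, while the function names and the sample headers are constructed for this example.

```python
# Added example, not Apache Camel source. It models the prefix check the
# advisory describes so the bypass and its fix can be exercised offline.
# The prefix list mirrors Camel's default header filter; the function
# names and sample headers are this example's own (assumptions).

INTERNAL_PREFIXES = ("Camel", "camel", "org.apache.camel.")


def filter_case_sensitive(headers):
    """Vulnerable model: a header survives unless its name starts with
    one of the prefixes exactly as spelled, so 'CAmel...' is kept."""
    return {name: value for name, value in headers.items()
            if not name.startswith(INTERNAL_PREFIXES)}


def filter_case_insensitive(headers):
    """Hardened model: lower-case both sides before the prefix test, so
    every casing of an internal header name is dropped."""
    lowered = tuple(p.lower() for p in INTERNAL_PREFIXES)
    return {name: value for name, value in headers.items()
            if not name.lower().startswith(lowered)}


def leaked_internal_headers(filtered):
    """Names in an already-filtered header set that still address Camel
    internals (judged case-insensitively). Empty means the filter held."""
    lowered = tuple(p.lower() for p in INTERNAL_PREFIXES)
    return [name for name in filtered if name.lower().startswith(lowered)]


# Constructed inbound headers: one legitimate header, one canonically named
# internal header, and two casing variants of the kind the advisory cites.
SAMPLE_HEADERS = {
    "Content-Type": "text/plain",
    "CamelExecCommandExecutable": "id",   # canonical spelling: both filters drop it
    "CAmelExecCommandExecutable": "id",   # bypass casing: only the hardened filter drops it
    "cAMELExecCommandArgs": "-u",
}

if __name__ == "__main__":
    print("vulnerable filter leaked:",
          leaked_internal_headers(filter_case_sensitive(SAMPLE_HEADERS)))
    print("hardened filter leaked:  ",
          leaked_internal_headers(filter_case_insensitive(SAMPLE_HEADERS)))
```

Running it shows the case-sensitive model letting both mis-cased names through while the case-insensitive model drops all three internal headers and keeps Content-Type. The same lower-case-both-sides rule is the check to look for when reviewing any custom HeaderFilterStrategy.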
3. Exploit Activity and Telemetry
- 125,856 scans, probes and exploit attempts recorded globally in March 2025
- Primary targets: internet-facing Tomcat and Camel deployments
- Origin: probing observed from more than 70 countries
- Tooling: ProjectDiscovery’s Nuclei scanner used for mass scanning
- Common exploit traits:
  - Session filenames of 6 characters ending in .session
  - Content-Range: bytes 0-452/457 header
- Over 7,800 confirmed CVE-2025-24813 exploitation attempts
Recommendations:
- Update Apache Tomcat and Apache Camel to patched releases: Tomcat 11.0.3, 10.1.35 or 9.0.99 and later; Camel 4.10.2, 4.8.5 or 3.22.4 and later.
- Disable partial PUT support on the DefaultServlet where your Tomcat version offers that option, or strip Content-Range from PUT requests at the reverse proxy.
- Ensure the DefaultServlet’s readonly init-param is set to true (the default) in conf/web.xml.
- Disable session persistence unless absolutely needed: remove or reconfigure the <Manager className="org.apache.catalina.session.PersistentManager"> element in context.xml. If it must stay, point the FileStore at a directory other than the default work directory.
- Monitor logs for:
- PUT requests with .session filenames
- GET requests with JSESSIONID cookies starting with .
- Suspicious header values such as CAmelExecCommandExecutable
- Sanitize/validate all incoming headers, consider removing risky components like camel-exec.
- Block the indicators in the VirusTotal collection below at the relevant controls (firewall, proxy, WAF):
https://www.virustotal.com/gui/collection/842d44a31237aebaf9a674219e68c0ac35981aa9dbdf7e1b1e9ee2d87ebc5e45/iocs
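The monitoring items above can be turned into a request-level check. The following is an added example written for this advisory, not code from Unit 42, Tomcat or Camel: it inspects a request’s method, path and headers for the three indicators listed (a PUT of a .session file with a Content-Range header, a JSESSIONID cookie beginning with a dot, and Camel-internal header names arriving from a client). The Request type, the sample traffic and the finding strings are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Added detection example; not from the advisory or from Tomcat/Camel.
# Request objects, sample traffic and finding strings are constructed here
# (assumptions); the patterns checked are the ones the advisory lists.

SESSION_PUT_RE = re.compile(r"/([^/]+)\.session$")
CONTENT_RANGE_RE = re.compile(r"^bytes\s+\d+-\d+/(?:\d+|\*)$")
JSESSIONID_RE = re.compile(r"(?:^|;\s*)JSESSIONID=([^;]*)")
CAMEL_PREFIXES = ("camel", "org.apache.camel.")   # compared case-insensitively


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)


def findings_for(req):
    """Return the list of indicators a single request matches (empty if clean)."""
    hits = []
    lower = {k.lower(): v for k, v in req.headers.items()}  # header names are case-insensitive

    # CVE-2025-24813 stage 1: partial PUT that drops a .session file
    if req.method == "PUT":
        m = SESSION_PUT_RE.search(req.path)
        if m:
            tag = " (6-char name, matches observed campaign)" if len(m.group(1)) == 6 else ""
            hits.append("tomcat: PUT of a .session file" + tag)
        if CONTENT_RANGE_RE.match(lower.get("content-range", "")):
            hits.append("tomcat: partial PUT (Content-Range present)")

    # CVE-2025-24813 stage 2: session cookie pointing at the dropped file
    m = JSESSIONID_RE.search(lower.get("cookie", ""))
    if m and m.group(1).startswith("."):
        hits.append("tomcat: JSESSIONID cookie beginning with '.'")

    # CVE-2025-27636 / CVE-2025-29891: Camel-internal header names sent by a
    # client, flagged in any casing; non-canonical casing is the bypass form
    for name in req.headers:
        if name.lower().startswith(CAMEL_PREFIXES):
            canonical = name.startswith(("Camel", "camel", "org.apache.camel."))
            form = "canonical" if canonical else "bypass casing"
            hits.append(f"camel: internal header from client ({form}): {name}")
    return hits


def suspicious(requests):
    """Map 'METHOD path' -> findings for every request that matched something."""
    out = {}
    for r in requests:
        hits = findings_for(r)
        if hits:
            out[f"{r.method} {r.path}"] = hits
    return out


# Constructed sample traffic: the two Tomcat stages, one Camel header
# injection, and a benign request with a normal session cookie.
SAMPLE_TRAFFIC = [
    Request("PUT", "/abc123.session",
            {"Content-Range": "bytes 0-452/457", "Content-Type": "application/octet-stream"}),
    Request("GET", "/index.jsp", {"Cookie": "JSESSIONID=.abc123"}),
    Request("POST", "/api/run", {"CAmelExecCommandExecutable": "/bin/sh"}),
    Request("GET", "/healthz", {"Cookie": "theme=dark; JSESSIONID=A1B2C3D4"}),
]

if __name__ == "__main__":
    for key, hits in suspicious(SAMPLE_TRAFFIC).items():
        print(key, "->", hits)
```

The checks are deliberately broad: any PUT of a .session file is flagged and the 6-character name is only a note, because the length is a fingerprint of the March 2025 campaign rather than a property of the vulnerability. Feeding it real traffic requires an access-log pattern or proxy hook that exposes the Cookie and Content-Range headers, which Tomcat’s default access log does not include.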
Source:
- https://unit42.paloaltonetworks.com/apache-cve-2025-24813-cve-2025-27636-cve-2025-29891/