Apache Under Siege: Exploitation of Tomcat’s PUT & Camel’s Headers for Remote Code Execution


Palo Alto Networks’ Unit 42 has identified three critical vulnerabilities impacting Apache Tomcat and Apache Camel, disclosed in March 2025. These vulnerabilities, CVE-2025-24813 (Tomcat), CVE-2025-27636, and CVE-2025-29891 (Camel), enable remote code execution (RCE). These flaws represent a significant threat due to the widespread deployment of Tomcat for Java-based web applications and Camel for enterprise messaging and system integration. Shortly after disclosure, proof-of-concept (PoC) exploits were released, and mass scanning and exploitation attempts surged.

Severity Level: High

Threat Details

1. CVE-2025-24813 – Apache Tomcat Partial PUT Remote Code Execution

Description:
This vulnerability stems from Tomcat’s support for partial PUT requests when session persistence is enabled. A crafted HTTP PUT request using the Content-Range header allows an attacker to write serialized payloads into the Tomcat cache directory as session files. By manipulating the JSESSIONID in a follow-up request, the attacker can trigger deserialization and execute malicious code.

Preconditions for Exploitation:

  • readonly=false in web.xml
  • Session persistence enabled in context.xml using PersistentManager

Impact:

  • Allows arbitrary file write and remote code execution
  • High severity when Tomcat is internet-facing

Exploit Pattern:

  • PUT request → .session file saved
  • GET request with cookie → JSESSIONID=.[filename] triggers execution

2. CVE-2025-27636 & CVE-2025-29891 – Apache Camel Header Injection RCE

Description:
Apache Camel uses a case-sensitive filtering mechanism to block internal headers such as CamelExecCommandExecutable. Attackers can bypass this control by manipulating header casing (e.g., CAmelExecCommandExecutable). If vulnerable components like camel-exec are present, these headers can result in direct command execution.

Impact:

  • Affected Camel components can be hijacked to run attacker-supplied commands (e.g., reverse shells)
  • Exploitable via malicious HTTP headers

Root Cause:

  • Inconsistent and case-sensitive filtering in HttpHeaderFilterStrategy.java

3. Exploit Activity and Telemetry

  • Over 125,856 scans/probes/exploit attempts recorded globally in March 2025
  • Primary targets: internet-facing Tomcat and Camel deployments
  • Top scanning countries: more than 70 nations involved in probing
  • Tools such as ProjectDiscovery’s Nuclei scanner used for mass scanning

Common exploit traits:

  1. Session filenames with 6 characters ending in .session
  2. Content-Range: bytes 0-452/457 header

Over 7,800 confirmed CVE-2025-24813 exploitation attempts.

Recommendations:

  1. Ensure Apache Tomcat and Apache Camel are updated with the latest security patches.
  2. Disable partial PUT or restrict Content-Range handling.
  3. Ensure the readonly parameter is set to true in web.xml
  4. Disable session persistence unless absolutely needed: remove or reconfigure <Manager className="org.apache.catalina.session.PersistentManager">
  5. Monitor logs for:
    • PUT requests with .session filenames
    • GET requests with JSESSIONID cookies starting with .
    • Suspicious header values such as CAmelExecCommandExecutable
  6. Sanitize/validate all incoming headers, and consider removing risky components such as camel-exec.
  7. Block the IOCs at their respective controls
    https://www.virustotal.com/gui/collection/842d44a31237aebaf9a674219e68c0ac35981aa9dbdf7e1b1e9ee2d87ebc5e45/iocs
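Detection logic for the log indicators in recommendation 5, as an added example that is not part of the Unit 42 advisory. It assumes a Tomcat AccessLogValve pattern that also logs the Content-Range and Cookie request headers (the sample lines below are constructed), and it generalizes the Camel check to any inbound header whose name begins with Camel, whatever its casing.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample lines (not real telemetry). Assumed AccessLogValve pattern:
#   %h %t "%r" %s "%{Content-Range}i" "%{Cookie}i"
SAMPLE_LOG = """\
203.0.113.5 [12/Mar/2025:10:01:02 +0000] "PUT /app/Ab1c2d.session HTTP/1.1" 201 "bytes 0-452/457" "-"
203.0.113.5 [12/Mar/2025:10:01:03 +0000] "GET /app/index.jsp HTTP/1.1" 200 "-" "JSESSIONID=.Ab1c2d"
198.51.100.7 [12/Mar/2025:10:02:10 +0000] "GET /app/index.jsp HTTP/1.1" 200 "-" "JSESSIONID=9F3C1A2B"
198.51.100.7 [12/Mar/2025:10:02:11 +0000] "PUT /app/upload/report.txt HTTP/1.1" 204 "-" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<content_range>[^"]*)" "(?P<cookie>[^"]*)"$'
)

def parse_line(line: str) -> Optional[Dict[str, str]]:
    # Returns the named fields of one access-log line, or None if it does not fit the pattern
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def check_request(method: str, path: str, headers: Dict[str, str]) -> List[str]:
    """Return the advisory indicators one request matches; an empty list means nothing flagged."""
    hits: List[str] = []
    h = {k.lower(): v for k, v in headers.items() if v and v != "-"}   # drop unlogged ("-") headers
    if method == "PUT" and re.search(r"\.session(?:\?|$)", path, re.IGNORECASE):
        hits.append("put_session_file")      # Tomcat: PUT whose target name ends in .session
    if method == "PUT" and "content-range" in h:
        hits.append("partial_put")           # Tomcat: partial PUT driven by a Content-Range header
    if re.search(r"(?:^|;\s*)JSESSIONID=\.", h.get("cookie", "")):
        hits.append("dot_jsessionid")        # Tomcat: JSESSIONID cookie starting with "."
    # Camel: internal Camel* headers should never arrive from a client, whatever their casing
    if any(k.startswith("camel") for k in h):
        hits.append("camel_internal_header")
    return hits

def scan_log(text: str) -> List[Tuple[int, str, List[str]]]:
    # Runs the rules over every parseable line; returns (line number, client IP, hits) for flagged lines
    flagged = []
    for n, line in enumerate(text.splitlines(), 1):
        r = parse_line(line)
        if not r:
            continue
        hits = check_request(r["method"], r["path"],
                             {"Content-Range": r["content_range"], "Cookie": r["cookie"]})
        if hits:
            flagged.append((n, r["ip"], hits))
    return flagged
```

Calling `scan_log(SAMPLE_LOG)` flags lines 1 and 2 only; `check_request` can also be fed headers captured at a reverse proxy in front of a Camel HTTP endpoint, where the Camel* rule applies.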

Source:

  • https://unit42.paloaltonetworks.com/apache-cve-2025-24813-cve-2025-27636-cve-2025-29891/
