Apache published multiple critical vulnerabilities in its widely deployed software, igniting an immediate wave of exploit activity targeting organizations worldwide.
Chief among these was CVE-2025-24813, a remote code execution (RCE) vulnerability in Apache Tomcat, alongside two RCE flaws CVE-2025-27636 and CVE-2025-29891 in Apache Camel, the popular integration framework.
Initial telemetry from Palo Alto Networks revealed more than 125,000 scans, probes, and exploit attempts in less than a month, underscoring the high-value target status of these platforms, which underpin millions of Java-based web applications and enterprise integrations.
Tomcat and Camel Flaws
CVE-2025-24813 targets Apache Tomcat versions 9.0.0.M1 to 9.0.98, 10.1.0-M1 to 10.1.34, and 11.0.0-M1 to 11.0.2, leveraging a flaw in the partial PUT implementation.
When Tomcat is misconfigured to permit writable directories and session persistence (typically when the readonly parameter is set to false), remote attackers can manipulate how session files are written and deserialized, culminating in arbitrary code execution on the server.
This attack is executed in two stages: first, the adversary crafts an HTTP PUT request to stage a serialized payload; second, a specially crafted HTTP GET request, with a manipulated JSESSIONID cookie, triggers deserialization and payload execution.
Researchers quickly released proof-of-concept exploits, and signs point to widespread adoption of automated scanners like Nuclei, as evidenced by common session-name and Content-Range patterns observed in exploit attempts.
Meanwhile, the Apache Camel vulnerabilities CVE-2025-27636 and CVE-2025-29891 affect versions 4.10.0 to 4.10.1, 4.8.0 to 4.8.4, and 3.10.0 to 3.22.3.
These flaws center on HTTP header filtering in Camel’s HTTP components (such as Jetty and Netty).
Because Camel’s filter is case-sensitive, specially crafted headers (e.g., “CAmelExecCommandExecutable”) bypass internal protections and ultimately allow arbitrary command execution through manipulated integration routes, a particularly dangerous scenario in enterprises using dynamic route definitions and external inputs.
Exploits for these vulnerabilities frequently include commands to establish reverse shells or contact external testing servers, facilitating both reconnaissance and persistent access.
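The two request patterns described above (the partial PUT followed by a GET with a manipulated JSESSIONID, and the mixed-case Camel headers) can be triaged from raw HTTP request records with a few case-insensitive checks. The following is an added example, not code from Palo Alto Networks or Apache; the request strings are constructed samples, and the "normal session id" shape is a defender-side heuristic, not a rule taken from the article.

```python
import re

# Added example, not code from Palo Alto Networks or Apache: defender-side triage of raw
# HTTP request records. The SAMPLES below are constructed, not captured traffic.
# Camel header names the article lists, compared case-insensitively: the vulnerable
# filter matched case-sensitively, so a mixed-case spelling slipped past it.
CAMEL_SENSITIVE = {"camelexeccommandexecutable", "camelexeccommandargs",
                   "camelbeanmethodname", "camelhttpresponsecode"}
# Heuristic: a normal Tomcat session id is hex, optionally followed by ".<route>".
NORMAL_JSESSIONID = re.compile(r"^[0-9A-Fa-f]+(\.[A-Za-z0-9_-]+)?$")

def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, lower-cased header dict)."""
    lines = raw.partition("\r\n\r\n")[0].split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers

def cookie_value(headers, name):
    # Return the named cookie from the Cookie header, or None when absent.
    for part in headers.get("cookie", "").split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None

def triage(raw):
    """Return finding tags for one request; an empty list means nothing matched."""
    method, path, headers = parse_request(raw)
    findings = []
    # CVE-2025-24813 stage 1: a partial PUT (Content-Range) writing a session-like file.
    if method == "PUT" and "content-range" in headers and path.lower().endswith("session"):
        findings.append("tomcat-partial-put")
    # Stage 2: a GET whose JSESSIONID is not shaped like a normal session token.
    sid = cookie_value(headers, "JSESSIONID")
    if method == "GET" and sid is not None and not NORMAL_JSESSIONID.match(sid):
        findings.append("tomcat-session-trigger")
    # Camel: any listed header arriving from an external client, whatever its case.
    findings.extend("camel-header:" + n for n in headers if n in CAMEL_SENSITIVE)
    return findings

# Constructed samples: the two Tomcat stages, one Camel probe, one benign request.
SAMPLES = {
    "put": "PUT /app/x.session HTTP/1.1\r\nHost: h\r\nContent-Range: bytes 0-3/4\r\n\r\nDATA",
    "get": "GET /app/ HTTP/1.1\r\nHost: h\r\nCookie: JSESSIONID=bad/value\r\n\r\n",
    "camel": "POST /route HTTP/1.1\r\nHost: h\r\nCAmelExecCommandExecutable: x\r\n\r\n",
    "benign": "GET /app/ HTTP/1.1\r\nHost: h\r\nCookie: JSESSIONID=7A3F0B1C2D4E5F60.node1\r\n\r\n",
}
```

Running `triage()` over each entry in `SAMPLES` tags the three hostile requests and leaves the benign one empty; in production the Tomcat path check should be widened to whatever session-store location the deployment actually uses.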
High Risk for Enterprises
The critical severity of these vulnerabilities, combined with their ease of exploitation, even by relatively unskilled attackers using public tools, makes them a prime target for cybercriminals.
Attacks have already been detected from over 70 countries, with a surge immediately following vulnerability disclosure.
Palo Alto Networks recommends urgent patching for all affected Apache Tomcat and Camel instances, alongside reviewing security controls, disabling unnecessary writable directories, and enhancing monitoring for suspicious HTTP requests and headers.
Organizations running Palo Alto Networks Next Generation Firewalls with Advanced Threat Prevention, URL Filtering, and DNS Security are better shielded, as these tools can block exploit attempts and detect malicious command-and-control activity.
For additional visibility, products such as Cortex Xpanse and Cortex XSIAM can help surface at-risk assets, and consulting with incident response teams is advised if compromise is suspected.
Indicators of Compromise (IOCs)
Vulnerability | Detected IP Addresses | Example Exploit Activity | Payload Hashes (SHA256) | Key HTTP Headers/URLs |
---|---|---|---|---|
CVE-2025-24813 | 54.193.62[.]84 96.113.95[.]10 209.189.232[.]134 162.241.149[.]101 167.172.67[.]75 100.65.135[.]245 138.197.82[.]147 123.16.159[.]102 193.53.40[.]18 91.208.206[.]203 212.56.34[.]85 195.164.49[.]70 185.91.127[.]9 | PUT /qdigu/session PUT /UlOLJo.session | 6a9a0a3f0763a359737da801a48c7a0a7a75d6fa810418216628891893773540 6b7912e550c66688c65f8cf8651b638defc4dbeabae5f0f6a23fb20d98333f6b | JSESSIONID cookie, Partial PUT, Content-Range |
CVE-2025-27636 CVE-2025-29891 | 30.153.178[.]49 54.147.173[.]17 54.120.8[.]214 139.87.112[.]169 139.87.112[.]115 64.39.98[.]52 139.87.112[.]98 139.87.113[.]24 64.39.98[.]139 54.96.66[.]57 138.197.82[.]147 22.85.196[.]34 64.39.98[.]245 64.39.98[.]9 54.120.8[.]207 130.212.99[.]156 139.87.112[.]121 139.87.113[.]26 | HTTP requests injecting commands Contacting OAST servers | N/A | CAmelHttpResponseCode, CAmelExecCommandExecutable, CAmelExecCommandArgs, CAmelBeanMethodName |