
In a recent deep-dive analysis, Palo Alto Networks’ Unit 42 revealed disturbing insights into a surge of cyberattacks targeting critical vulnerabilities in Apache Tomcat and Apache Camel. These flaws, disclosed in March 2025, have already sparked thousands of exploit attempts across the globe.
The three vulnerabilities — CVE-2025-24813 (Apache Tomcat), CVE-2025-27636, and CVE-2025-29891 (Apache Camel) — all enable remote code execution (RCE), providing threat actors a direct path to hijacking systems.
“Successful exploitation of these vulnerabilities can allow attackers to execute arbitrary code with Tomcat/Camel privileges,” the report warns.
Apache Tomcat, used for running Java web applications, mishandles HTTP PUT requests when partial PUT is enabled (the default) and the DefaultServlet allows writes (its readonly init-param set to false, which is not the default). If the application also uses Tomcat's file-based session persistence at its default location and ships a library that can serve as a deserialization gadget, an attacker can upload a crafted serialized object where Tomcat looks for persisted session files and have it executed when Tomcat deserializes that file.
The flaw allows remote code execution and affects Apache Tomcat versions 9.0.0.M1 to 9.0.98, 10.1.0-M1 to 10.1.34 and 11.0.0-M1 to 11.0.2; the fixes shipped in 9.0.99, 10.1.35 and 11.0.3.
Similarly, Apache Camel, a Java integration framework, was susceptible because its default inbound header filter matched the reserved "Camel" prefix case-sensitively, while Camel itself stores message headers in a case-insensitive map. A header such as CAmelExecCommandExecutable therefore slips past the filter but is still honoured by the camel-exec component, letting a remote caller choose the command it runs; the same trick works against other components that take instructions from Camel headers, such as camel-bean. The issue is reachable through Camel's HTTP server components (camel-servlet, camel-jetty, camel-undertow, camel-platform-http and camel-netty-http).
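The mismatch between a case-sensitive filter and a case-insensitive header store is the whole bug, so it is worth seeing in code. The following Python is an added example, not Camel's own code or Unit 42's: the two regular expressions are an approximation of a blocklist that rejects Camel-reserved header names, the `CaseInsensitiveHeaders` class stands in for Camel's case-insensitive header map, and the inbound headers are constructed for the example.

```python
import re

# Inbound HTTP headers, constructed for this example. The third entry is the
# mixed-case variant named in the report; the fourth is a correctly cased one.
INBOUND_HEADERS = {
    "Content-Type": "application/json",
    "X-Request-Id": "abc123",
    "CAmelExecCommandExecutable": "id",
    "CamelBeanMethodName": "dangerousMethod",
}

# Weak filter (approximation of the pre-fix behaviour): only exact-case prefixes
# "Camel", "camel" and "org.apache.camel" are rejected.
WEAK_PATTERN = re.compile(r"^(Camel|camel|org\.apache\.camel)[\.a-zA-Z0-9]*$")

# Hardened filter: the same prefixes, matched case-insensitively.
HARDENED_PATTERN = re.compile(
    r"^(Camel|org\.apache\.camel)[\.a-zA-Z0-9]*$", re.IGNORECASE
)


def filter_headers(headers, pattern):
    """Drop every header whose name matches the reserved-prefix pattern."""
    return {name: value for name, value in headers.items() if not pattern.match(name)}


class CaseInsensitiveHeaders:
    """Stand-in for Camel's case-insensitive header map: a component that asks
    for 'CamelExecCommandExecutable' also finds 'CAmelExecCommandExecutable'."""

    def __init__(self, headers):
        self._data = {name.lower(): value for name, value in headers.items()}

    def get(self, name):
        return self._data.get(name.lower())


def command_seen_by_exec_component(headers, pattern):
    """Run the inbound headers through the filter, then look the header up the
    way the exec component would. Returns the attacker-chosen command if the
    filter let it through, otherwise None."""
    surviving = CaseInsensitiveHeaders(filter_headers(headers, pattern))
    return surviving.get("CamelExecCommandExecutable")


if __name__ == "__main__":
    print("weak filter    :", command_seen_by_exec_component(INBOUND_HEADERS, WEAK_PATTERN))
    print("hardened filter:", command_seen_by_exec_component(INBOUND_HEADERS, HARDENED_PATTERN))
```

With the weak filter the correctly cased CamelBeanMethodName is removed but CAmelExecCommandExecutable survives and is resolved to the command "id"; with the case-insensitive filter neither header reaches the component. The lesson generalises to any blocklist that guards a case-insensitive consumer: the check has to normalise case at least as aggressively as the thing it protects.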
Unit 42’s telemetry tracked 125,856 scans, probes, and exploit attempts in March 2025 alone, from over 70 countries.
“Scans and probes for vulnerable servers were seen in the wild shortly after the disclosures. We have confirmed the potential for remote code execution from these three vulnerabilities,” the report states.
Many of the Tomcat exploit attempts closely resembled templates from the Nuclei Scanner, an open-source tool readily available to both red teams and malicious actors.
“This means that a large number of the CVE-2025-24813 scans we’ve seen so far have used the Nuclei Scanner… making immediate action crucial.”
One exploit involves a two-step process:
- Stage the payload: an HTTP PUT request carrying a Content-Range header (so that Tomcat's partial-PUT handling writes it to disk) uploads a serialized malicious object under a name ending in .session, where Tomcat's file-based session store expects persisted sessions.
- Trigger execution: a crafted HTTP GET request includes a cookie (JSESSIONID=.[filename]) whose value names that file, so Tomcat loads it as a persisted session and deserializes the payload, executing the attacker's gadget chain.
Organizations using Apache Tomcat or Camel must act now. Patches have been released, and immediate updates are imperative.
Unit 42 emphasizes:
- Disable Tomcat's partial PUT (the DefaultServlet init-param allowPartialPut set to false) and keep the DefaultServlet readonly init-param at its default of true.
- Strip or reject Camel-reserved headers case-insensitively before they reach a route (for example with Camel's removeHeaders EIP), rather than relying on the default filter in unpatched versions.
- Monitor for exploit attempts with threat detection tools: watch for PUT requests with unexpected Content-Range headers, for uploads of .session files, and for JSESSIONID cookie values that begin with a dot.
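The two-step exploit and the monitoring advice above translate directly into a log check. The following Python is an added example, not Unit 42's tooling: it assumes the Tomcat AccessLogValve has been configured with a pattern that records the Content-Range and Cookie request headers (something like `%h %t "%r" %s "%{Content-Range}i" "%{Cookie}i"`), the sample lines are constructed for the example, and the mapping of a multi-segment PUT path to a session id (slashes becoming dots) is an assumption that generalises the page's `JSESSIONID=.[filename]` pattern.

```python
import re

# Constructed access-log lines in the assumed format (not real telemetry).
# Lines 1 and 2 are the two exploit stages from one client; 3 and 4 are benign.
SAMPLE_LOG = """\
203.0.113.5 [10/Mar/2025:12:00:01 +0000] "PUT /payload.session HTTP/1.1" 409 "bytes 0-1023/1200" "-"
203.0.113.5 [10/Mar/2025:12:00:02 +0000] "GET /index.jsp HTTP/1.1" 500 "-" "JSESSIONID=.payload"
198.51.100.7 [10/Mar/2025:12:01:00 +0000] "GET /app/home HTTP/1.1" 200 "-" "JSESSIONID=3F2A9C0B1D4E5F6A7B8C9D0E1F2A3B4C"
192.0.2.9 [10/Mar/2025:12:02:00 +0000] "PUT /upload/report.pdf HTTP/1.1" 204 "-" "-"
"""

# Assumed log pattern: %h %t "%r" %s "%{Content-Range}i" "%{Cookie}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<content_range>[^"]*)" "(?P<cookie>[^"]*)"$'
)


def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not match."""
    match = LOG_RE.match(line.strip())
    return match.groupdict() if match else None


def session_id_from_put_path(path):
    """Derive the JSESSIONID value an attacker would use to trigger a staged file.
    '/payload.session' -> '.payload', per the page's JSESSIONID=.[filename].
    Assumption: nested paths map '/' to '.', so '/a/b.session' -> '.a.b'."""
    name = path.lstrip("/").replace("/", ".")
    if name.endswith(".session"):
        name = name[: -len(".session")]
    return "." + name


def jsessionid_from_cookie(cookie_header):
    """Pull the JSESSIONID value out of a Cookie header, or None if absent."""
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == "JSESSIONID":
            return value
    return None


def detect(log_text):
    """Flag partial PUTs and dotted JSESSIONIDs, correlating the two stages.
    Returns a list of (finding, client_ip, detail) tuples in log order."""
    findings = []
    staged = {}  # expected session id -> client ip that staged it
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "PUT" and rec["content_range"] != "-":
            # Any PUT with a Content-Range header is a partial PUT; .session
            # targets are the exploit's staging step, others are still suspicious.
            staged[session_id_from_put_path(rec["path"])] = rec["ip"]
            findings.append(("partial_put", rec["ip"], rec["path"]))
        elif rec["method"] == "GET":
            sid = jsessionid_from_cookie(rec["cookie"])
            if sid and sid.startswith("."):
                kind = "session_trigger_correlated" if sid in staged else "dotted_jsessionid"
                findings.append((kind, rec["ip"], sid))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Run against the constructed lines, the detector reports the staging PUT and then a correlated trigger (`session_trigger_correlated`) for the `.payload` session id from the same client, while the ordinary session cookie and the plain PUT without Content-Range produce nothing. A dotted JSESSIONID with no matching PUT in the window is still reported as `dotted_jsessionid`, since the staging request may have landed in a different log or outside the retention window.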