Apache Tomcat and Camel Vulnerabilities Actively Targeted in Cyberattacks


The Apache Foundation disclosed several critical vulnerabilities affecting two of its widely used software platforms, Apache Tomcat and Apache Camel, sparking immediate concern among cybersecurity experts and organizations worldwide.

Apache Tomcat, a popular platform for running Java-based web applications, was found to have a severe flaw identified as CVE-2025-24813.

Figure: HTTP PUT request for exploit of CVE-2025-24813.

This vulnerability, impacting versions 9.0.0.M1 to 9.0.98, 10.1.0-M1 to 10.1.34, and 11.0.0-M1 to 11.0.2, allows remote code execution (RCE) by exploiting the partial PUT feature when session persistence is enabled.

Critical Flaws in Popular Apache Software Exposed

The flaw enables attackers to overwrite serialized session files on disk through crafted HTTP requests, ultimately executing malicious code with Tomcat privileges.

Simultaneously, Apache revealed two additional RCE vulnerabilities in Apache Camel, a message routing middleware framework, labeled as CVE-2025-27636 and CVE-2025-29891.

These affect versions 4.10.0 to 4.10.1, 4.8.0 to 4.8.4, and 3.10.0 to 3.22.3, allowing attackers to bypass the header filter because its matching logic is case-sensitive, and to execute arbitrary commands, potentially leading to reverse shell attacks.

Figure: Two steps of the exploit.

The disclosure of these vulnerabilities triggered a swift response from the cyber threat landscape, with researchers publishing proof-of-concept (PoC) exploits and scans for vulnerable servers detected in the wild shortly after the announcements.

Palo Alto Networks reported blocking 125,856 probes, scans, and exploit attempts related to these flaws in March 2025 alone, originating from over 70 countries.

Rapid Exploitation

The activity peaked within the first week of disclosure, indicating the presence of automated scanners like the Nuclei Scanner and active exploitation attempts.

For CVE-2025-24813, exploit attempts often involved staging malicious payloads via HTTP PUT requests with specific session names and Content-Range headers, followed by HTTP GET requests to trigger deserialization of the malicious code.

Similarly, Apache Camel exploits leveraged manipulated headers to execute commands, with some attempts aiming to establish connections to out-of-band application security testing (OAST) servers.
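The two request patterns described above (a partial PUT that stages a session file, then a GET whose JSESSIONID points at it; and Camel headers with unusual casing) can be turned into log-side detections. The following Python is an added example, not code from the article or from Palo Alto Networks; it assumes a simplified, constructed access-log format that records the Content-Range and Cookie headers, and every address and name in the sample is constructed.

```python
"""Detection heuristics for the Tomcat partial-PUT chain and Camel header bypass.

Assumed (constructed) log line format, one request per line:
  <client_ip> <method> <path> <status> "<Content-Range or ->" "<Cookie or ->"
"""
import re

# Constructed sample lines; addresses are documentation ranges, not the article's IoCs.
SAMPLE_LOG = """\
203.0.113.5 PUT /qdigu/session 409 "bytes 0-1023/1200" "-"
203.0.113.5 GET /index.jsp 200 "-" "JSESSIONID=.qdigu"
198.51.100.7 PUT /UlOLJo.session 409 "bytes 0-2047/4096" "-"
198.51.100.7 GET /home 200 "-" "JSESSIONID=.UlOLJo"
192.0.2.9 GET /app/ 200 "-" "JSESSIONID=A1B2C3D4"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d+) "([^"]*)" "([^"]*)"$')


def staged_name(path):
    """Name a partial PUT to /x/session or /x.session would stage; None otherwise."""
    m = re.match(r'^/([^/]+)(?:/session|\.session)$', path)
    return m.group(1) if m else None


def detect_tomcat_partial_put(log):
    """Return (put_ip, name) for each staged session name later referenced by a JSESSIONID."""
    staged, hits = {}, []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, path, _status, content_range, cookie = m.groups()
        if method == "PUT" and content_range != "-":      # partial PUT: Content-Range present
            name = staged_name(path)
            if name:
                staged[name] = ip
        elif method == "GET" and cookie.startswith("JSESSIONID="):
            session_id = cookie.split("=", 1)[1]
            for name, put_ip in staged.items():
                if name in session_id:                     # GET referencing the staged file
                    hits.append((put_ip, name))
    return hits


def suspicious_camel_headers(header_names):
    """Flag inbound headers that start with 'camel' in ANY casing (the fixed filter is
    case-insensitive; a case-sensitive check is what the bypass relied on)."""
    return [h for h in header_names if h.lower().startswith("camel")]
```

Externally facing services should never receive Camel* headers from clients, so any match from the internet-facing side is worth an alert, with mixed-case names being the strongest signal.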

The ease of exploiting these flaws, coupled with the widespread use of Apache software by millions of developers, underscores their severity, as successful attacks could lead to data breaches or lateral network movement.

Palo Alto Networks has urged organizations to apply patches immediately, emphasizing that their Next Generation Firewall with Advanced Threat Prevention, Advanced URL Filtering, and Cortex Xpanse can help mitigate risks by identifying and blocking malicious traffic and external-facing vulnerable servers.

For those suspecting a compromise, the Unit 42 Incident Response team is available for assistance. Below is a table summarizing key Indicators of Compromise (IoCs) observed in these attacks.

Indicators of Compromise (IoCs)

Vulnerability | Type | Details
--- | --- | ---
CVE-2025-24813 (Tomcat) | Source IP addresses | 54.193.62.84, 96.113.95.10, 209.189.232.134, 162.241.149.101, 167.172.67.75, etc.
CVE-2025-24813 (Tomcat) | Activity URLs | PUT /qdigu/session, PUT /UlOLJo.session
CVE-2025-24813 (Tomcat) | SHA256 hash of payloads | 6a9a0a3f0763a359737da801a48c7a0a7a75d6fa810418216628891893773540, etc.
CVE-2025-27636, CVE-2025-29891 (Camel) | Source IP addresses | 30.153.178.49, 54.147.173.17, 54.120.8.214, 139.87.112.169, 64.39.98.52, etc.
CVE-2025-27636, CVE-2025-29891 (Camel) | Activity headers | CAmelHttpResponseCode, CAmelExecCommandExecutable, CAmelExecCommandArgs, CAmelBeanMethodName
