Threat Report
APACHE UNDER THE LENS: TOMCAT'S PARTIAL PUT AND CAMEL'S HEADER HIJACK
A detailed analysis of critical vulnerabilities in Apache Tomcat and Camel
Threat Overview
In March 2025, Apache disclosed three critical vulnerabilities that pose significant risks to millions of developers worldwide: CVE-2025-24813 in Apache Tomcat, and CVE-2025-27636 and CVE-2025-29891 in Apache Camel. All three flaws allow for remote code execution, making them highly dangerous if exploited. The Tomcat flaw is triggered through partial PUT requests combined with the server's session persistence feature, while the Camel flaws involve header manipulation. Exploit attempts have been observed from over 70 countries, with a surge in activity immediately after the disclosure of these vulnerabilities.
Detailed Analysis
The threat report provides an in-depth analysis of the vulnerabilities, including source code examination, exploitation methods, and telemetry data. The Apache Tomcat vulnerability (CVE-2025-24813) is reached through partial PUT requests and can result in arbitrary code execution on affected systems. This flaw is particularly concerning because it can be exploited without authentication, which puts it within reach of a wide range of attackers. Additionally, Tomcat's session persistence feature allows for sustained access to compromised systems, further complicating mitigation efforts.
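As an added example (not code from the report or from Apache), the following Python check flags PUT requests in a Tomcat access log that carry the traits described above, a Content-Range header (partial PUT) or a .session target, and inspects a web.xml for the DefaultServlet's non-default readonly=false setting that lets clients write files in the first place. The log lines and web.xml fragment are constructed, and the access-log pattern is assumed to have been extended to log the Content-Range header.

```python
import re
import xml.etree.ElementTree as ET

# Constructed Tomcat access-log lines, not real traffic. Assumes an AccessLogValve pattern
# of '%h %t "%r" %s "%{Content-Range}i"'; the stock pattern omits Content-Range, so add it.
SAMPLE_LOG = """\
203.0.113.5 [15/Mar/2025:10:01:02 +0000] "PUT /app/notes.txt HTTP/1.1" 201 "-"
203.0.113.5 [15/Mar/2025:10:01:03 +0000] "PUT /app/x.session HTTP/1.1" 409 "bytes 0-1023/1024"
203.0.113.5 [15/Mar/2025:10:01:04 +0000] "GET /app/index.jsp HTTP/1.1" 200 "-"
198.51.100.9 [15/Mar/2025:10:02:00 +0000] "PUT /app/readme.txt HTTP/1.1" 403 "-"
"""
LINE_RE = re.compile(r'^(?P<ip>\S+) \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" '
                     r'(?P<status>\d{3}) "(?P<crange>[^"]*)"$')

def suspicious_put(line):
    """Return the reasons a log line looks like a partial-PUT probe ([] if none)."""
    m = LINE_RE.match(line)
    if not m or m["method"] != "PUT":
        return []
    reasons = []
    if m["crange"] not in ("", "-"):            # partial PUT: the CVE-2025-24813 trigger
        reasons.append("partial PUT: Content-Range header present")
    if m["path"].lower().endswith(".session"):  # file-based session persistence abuse
        reasons.append("PUT of a .session file")
    if m["status"].startswith("2"):             # server accepted a client upload
        reasons.append("PUT accepted: DefaultServlet may have readonly=false")
    return reasons

# Constructed web.xml fragment with the non-default setting that lets clients PUT files.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
 <servlet><servlet-name>default</servlet-name>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
 </servlet></web-app>"""

def default_servlet_allows_put(web_xml):
    """True if the DefaultServlet is configured with readonly=false."""
    local = lambda e: e.tag.split("}")[-1]      # drop the XML namespace prefix
    for s in ET.fromstring(web_xml).iter():
        if local(s) != "servlet":
            continue
        cls = "".join(c.text or "" for c in s if local(c) == "servlet-class")
        if not cls.strip().endswith("DefaultServlet"):
            continue
        for p in (c for c in s if local(c) == "init-param"):
            kv = {local(c): (c.text or "").strip() for c in p}
            if kv.get("param-name") == "readonly":
                return kv.get("param-value", "true").lower() == "false"
    return False                                # readonly defaults to true
```

A readonly=false DefaultServlet together with any flagged line is the combination worth escalating; the log rule alone only shows probing, and a read-only DefaultServlet is not exposed to the partial PUT path.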
The Apache Camel vulnerabilities (CVE-2025-27636 and CVE-2025-29891) involve header manipulation, enabling attackers to inject malicious code into HTTP headers. This can lead to remote code execution and data exfiltration, posing a severe threat to the integrity and confidentiality of affected systems.
The report highlights that exploit attempts have been observed from over 70 countries, indicating a global interest in these vulnerabilities. The surge in activity immediately after disclosure suggests that attackers are actively seeking to exploit these flaws before patches can be widely applied.
Operational Security Measures
While the vulnerabilities themselves are critical, the report also discusses operational security measures that can help mitigate the risks. Organizations should prioritize patching affected systems as soon as possible. Additionally, implementing network segmentation and monitoring for suspicious activity can help detect and respond to potential exploits. Regular security audits and penetration testing can also identify and address vulnerabilities before they can be exploited by attackers.
Recommendations for Mitigation
Organizations can implement several measures to mitigate the threat posed by these Apache vulnerabilities:
- Immediate Patching: Apply the latest security patches provided by Apache for Tomcat and Camel as soon as they are available. This is the most effective way to protect against known vulnerabilities.
- Network Segmentation: Implement network segmentation to limit the lateral movement of attackers within the network. This can be achieved by dividing the network into smaller segments and implementing strict access controls between segments.
- Intrusion Detection Systems (IDS): Deploy IDS to monitor network traffic for signs of malicious activity. IDS can help detect and alert on suspicious traffic patterns, allowing organizations to respond quickly to potential threats.
- Endpoint Protection: Implement endpoint protection solutions to detect and block malware on individual devices. Endpoint protection can help prevent the initial infection and limit the spread of malware within the network.
- Security Awareness Training: Provide regular security awareness training to employees to help them recognize and report potential security threats. This can include phishing simulations, training on recognizing suspicious emails, and best practices for password security.
- Regular Backups: Maintain regular backups of critical data to ensure that it can be restored in the event of a ransomware attack or data loss. Backups should be stored offline or in a separate network segment to prevent them from being encrypted or deleted by malware.
- Incident Response Plan: Develop and maintain an incident response plan to ensure that the organization can respond quickly and effectively to security incidents. The plan should include steps for containing the threat, investigating the incident, and restoring affected systems.
By implementing these measures, organizations can significantly reduce the risk of falling victim to exploits targeting Apache Tomcat and Camel vulnerabilities.