Full Report
We analyze CVE-2025-24813 (Tomcat Partial PUT RCE) and CVE-2025-27636/29891 (Camel Header Hijack RCE). The post Apache Under the Lens: Tomcat’s Partial PUT and Camel’s Header Hijack appeared first on Unit 42.
Analysis Summary
# Vulnerability: Remote Code Execution in Apache Tomcat and Apache Camel
## CVE Details
- CVE ID: CVE-2025-24813 (Apache Tomcat), CVE-2025-27636 (Apache Camel), CVE-2025-29891 (Apache Camel)
- CVSS Score: Not provided in the vendor advisories; the report treats all three as high severity because the outcome is RCE.
- CWE: Not specified.
## Affected Systems
- Products: Apache Tomcat, Apache Camel
- Versions:
- **Tomcat:** 9.0.0.M1 to 9.0.98, 10.1.0-M1 to 10.1.34, 11.0.0-M1 to 11.0.2
- **Camel:** 3.10.0 to 3.22.3, 4.8.0 to 4.8.4, 4.10.0 to 4.10.1
- Configurations:
- **Tomcat (per the Apache advisory):** the DefaultServlet must have writes enabled (`readonly=false`, which is not the default) and partial PUT support enabled (`allowPartialPut=true`, the default). The RCE outcome additionally requires file-based session persistence at its default storage location and a library on the classpath that can be leveraged in a deserialization attack; without those, the same flaw still allows reading or tampering with uploaded files.
- **Camel (per the Camel advisories):** routes that receive attacker-controlled HTTP requests through an HTTP consumer component (the advisory lists camel-servlet, camel-jetty, camel-undertow, camel-platform-http and camel-netty-http) and pass the message to a component whose behaviour is steered by Camel headers, camel-bean being the documented case. Tomcat runs Java web applications; Camel is a message-routing middleware framework.
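A small checker for the version ranges above, useful when triaging an inventory export. This is an added example, not Unit 42 or Apache code; the ranges are copied from this page, and a version outside every listed branch (for example the end-of-life Tomcat 8.5.x line) is reported as "not in listed ranges", not as safe.

```python
"""Check whether a Tomcat or Camel version string falls inside one of the
affected ranges listed on this page.  Added example; not Unit 42 or Apache code."""
import re

# Affected ranges exactly as listed on the page (inclusive on both ends).
# Branches not listed here (e.g. Tomcat 8.5.x) are "not covered", not proven safe.
AFFECTED = {
    "tomcat": [("9.0.0.M1", "9.0.98"), ("10.1.0-M1", "10.1.34"), ("11.0.0-M1", "11.0.2")],
    "camel": [("3.10.0", "3.22.3"), ("4.8.0", "4.8.4"), ("4.10.0", "4.10.1")],
}


def parse_version(v):
    """Turn '9.0.0.M1', '10.1.0-M1' or '9.0.98' into a comparable tuple.

    Milestones sort before the final release of the same number, so
    (9,0,0,M1) < (9,0,0,final) < (9,0,1,...).  The rank field is 0 for a
    milestone and 1 for a final release.
    """
    parts = re.split(r"[.-]", v.strip())
    nums = []
    milestone = None
    for p in parts:
        m = re.fullmatch(r"M(\d+)", p)
        if m:
            milestone = int(m.group(1))
        elif p.isdigit():
            nums.append(int(p))
        else:
            raise ValueError(f"unrecognised version component {p!r} in {v!r}")
    while len(nums) < 3:
        nums.append(0)
    rank = 0 if milestone is not None else 1
    return (*nums[:3], rank, milestone or 0)


def is_affected(product, version):
    """True when `version` lies inside a listed affected range for `product`."""
    key = product.lower()
    if key not in AFFECTED:
        raise ValueError(f"unknown product {product!r}")
    pv = parse_version(version)
    return any(parse_version(lo) <= pv <= parse_version(hi) for lo, hi in AFFECTED[key])


if __name__ == "__main__":
    # Constructed inventory lines, e.g. pulled from a CMDB or `version.sh` output.
    inventory = [("tomcat", "9.0.98"), ("tomcat", "9.0.99"), ("tomcat", "11.0.0-M1"),
                 ("camel", "4.8.4"), ("camel", "4.8.5"), ("camel", "3.9.0")]
    for product, ver in inventory:
        verdict = "AFFECTED" if is_affected(product, ver) else "not in listed ranges"
        print(f"{product} {ver}: {verdict}")
```

The milestone handling matters: `11.0.0-M1` is the first affected Tomcat 11 build, and a naive string comparison would sort it after `11.0.0`.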
## Vulnerability Description
Three separate vulnerabilities (one in Tomcat, two in Camel) have been disclosed that can lead to remote code execution (RCE). Successful exploitation enables an attacker to execute arbitrary code with the privileges of the running Tomcat or Camel instance. CVE-2025-24813 is a path-equivalence flaw in Tomcat's handling of partial PUT requests (the "file.Name" internal-dot case): with the DefaultServlet write-enabled, an attacker can place content where it is later interpreted as a different resource, and when file-based session persistence is in use that content can be deserialized as a session, giving code execution. CVE-2025-27636 is in Camel's default inbound header filter, which removed headers with the reserved prefixes "Camel", "camel" and "org.apache.camel" using a case-sensitive comparison; a mixed-case name such as "CAmel..." passed through and, for components steered by headers such as camel-bean, let the attacker select a different bean method than the route coded. CVE-2025-29891 is the same filtering gap reached through HTTP request parameters, which Camel's HTTP consumers also map to message headers.
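The Camel half of the description, shown as an added illustrative reimplementation of the filtering logic (this is not Apache Camel source code): a case-sensitive prefix filter that a mixed-case header bypasses, the case-insensitive check that closes it, and the advisory's workaround expressed as an allow-list. The `inbound_headers` helper mirrors the CVE-2025-29891 angle by merging query parameters into the header map before filtering. The header name `CamelBeanMethodName` is the one camel-bean consults; the sample request and method names are constructed for the example.

```python
"""Illustrative reimplementation of the Camel inbound-header filtering flaw
behind CVE-2025-27636/29891.  Added example, not Apache Camel source code."""
from urllib.parse import parse_qsl

# Prefixes that Camel's default header filter strategy treats as internal.
RESERVED_PREFIXES = ("Camel", "camel", "org.apache.camel")


def vulnerable_filter(headers):
    """Pre-fix behaviour: case-sensitive prefix match, so 'CAmel...' survives."""
    return {k: v for k, v in headers.items()
            if not k.startswith(RESERVED_PREFIXES)}


def hardened_filter(headers):
    """Post-fix behaviour: compare the prefixes case-insensitively."""
    lowered = tuple(p.lower() for p in RESERVED_PREFIXES)
    return {k: v for k, v in headers.items()
            if not k.lower().startswith(lowered)}


def allowlist_filter(headers, allowed):
    """The advisory's workaround (removeHeaders EIP) expressed as an allow-list:
    keep only the headers the route explicitly needs, drop everything else."""
    allowed_lc = {a.lower() for a in allowed}
    return {k: v for k, v in headers.items() if k.lower() in allowed_lc}


def inbound_headers(http_headers, query_string):
    """HTTP consumers also map query parameters to message headers
    (the CVE-2025-29891 path), so the filter must see both."""
    merged = dict(http_headers)
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        merged.setdefault(name, value)
    return merged


def hijacked_bean_method(headers, filter_fn):
    """Return the bean method an attacker could select through the header that
    camel-bean consults (CamelBeanMethodName), or None if it was filtered out."""
    for k, v in filter_fn(headers).items():
        if k.lower() == "camelbeanmethodname":
            return v
    return None


# Constructed sample request: one legitimate header, one honestly named Camel
# header (filtered by both strategies) and one mixed-case bypass attempt.
SAMPLE_HEADERS = {
    "Content-Type": "application/json",
    "CamelBeanMethodName": "processOrder",
    "CAmelBeanMethodName": "deleteAllOrders",
}
SAMPLE_QUERY = "id=42&cAmelBeanMethodName=dumpDatabase"

if __name__ == "__main__":
    msg = inbound_headers(SAMPLE_HEADERS, SAMPLE_QUERY)
    print("vulnerable :", hijacked_bean_method(msg, vulnerable_filter))
    print("hardened   :", hijacked_bean_method(msg, hardened_filter))
    print("allow-list :", hijacked_bean_method(
        msg, lambda h: allowlist_filter(h, ["Content-Type", "id"])))
```

The allow-list variant is the more robust of the two fixes for application code: it does not depend on knowing every reserved prefix, and it also neutralises any other header-driven component behaviour the route did not intend to expose.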
## Exploitation
- Status: Exploited in the wild (probes, scans and exploit attempts observed shortly after disclosure)
- Complexity: Not scored in the summary. The Tomcat issue needs a non-default server configuration (see Affected Systems) but no authentication once that configuration is present; the Camel issues need only an HTTP-exposed route that passes headers to a susceptible component. Researchers have published PoC exploits for all three.
- Attack Vector: Network (crafted HTTP requests to the Tomcat DefaultServlet or to a Camel HTTP consumer endpoint)
## Impact
- Confidentiality: High (Implied by RCE)
- Integrity: High (Implied by RCE)
- Availability: High (Implied by RCE)
## Remediation
### Patches
- Patches have been released by Apache for all three vulnerabilities. Organizations are advised to apply them promptly. Per the vendor advisories, the fixed releases are Tomcat 9.0.99, 10.1.35 and 11.0.3, and Camel 3.22.4, 4.8.5 and 4.10.2 (both Camel CVEs are fixed in the same releases).
### Workarounds
- The summary lists no workarounds, and immediate patching is recommended. Where patching is delayed, the vendor advisories describe mitigations: for Tomcat, leave the DefaultServlet read-only (`readonly=true`, the default) or disable partial PUT handling (`allowPartialPut=false`), and avoid file-based session persistence in the default location; for Camel, strip untrusted inbound headers in the route (for example with the removeHeaders EIP) so that only the headers the route actually needs reach header-sensitive components.
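A quick audit of the Tomcat precondition, as an added example (not Apache or Unit 42 code): it reads a `web.xml`, finds the servlet whose class is `org.apache.catalina.servlets.DefaultServlet` and reports whether writes are enabled while partial PUT is still allowed. The three embedded `web.xml` fragments are constructed samples showing the exposed configuration and the two init-param changes that close it. The script checks only the DefaultServlet side; session persistence is configured in `context.xml` and needs a separate look.

```python
"""Audit a Tomcat web.xml for the DefaultServlet settings that make
CVE-2025-24813 exploitable.  Added example, not Apache or Unit 42 code."""
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"


def _local(tag):
    """Strip the XML namespace so the check works for Tomcat 9, 10 and 11 files."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_params(web_xml_text):
    """Return {init-param name: value} for the DefaultServlet declaration, or {}."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = next((c.text.strip() for c in servlet
                    if _local(c.tag) == "servlet-class" and c.text), "")
        if cls != DEFAULT_SERVLET:
            continue
        params = {}
        for ip in servlet:
            if _local(ip.tag) != "init-param":
                continue
            name = value = None
            for child in ip:
                if _local(child.tag) == "param-name":
                    name = (child.text or "").strip()
                elif _local(child.tag) == "param-value":
                    value = (child.text or "").strip()
            if name:
                params[name] = value
        return params
    return {}


def partial_put_exposure(web_xml_text):
    """True when writes are enabled AND partial PUT is not disabled.
    Tomcat defaults: readonly=true, allowPartialPut=true."""
    p = default_servlet_params(web_xml_text)
    writes_enabled = (p.get("readonly") or "true").lower() == "false"
    partial_put = (p.get("allowPartialPut") or "true").lower() != "false"
    return writes_enabled and partial_put


# Constructed samples: the exposed configuration and two ways to close it.
EXPOSED = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
READONLY = EXPOSED.replace("<param-value>false</param-value>", "<param-value>true</param-value>")
NO_PARTIAL_PUT = EXPOSED.replace(
    "</init-param>",
    "</init-param><init-param><param-name>allowPartialPut</param-name>"
    "<param-value>false</param-value></init-param>")

if __name__ == "__main__":
    for label, text in (("exposed", EXPOSED), ("readonly", READONLY), ("no partial PUT", NO_PARTIAL_PUT)):
        print(f"{label:15s} -> {'EXPOSED' if partial_put_exposure(text) else 'ok'}")
```

Point the function at `$CATALINA_BASE/conf/web.xml` and at each deployed application's `WEB-INF/web.xml`, since an application can override the global DefaultServlet declaration.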
## Detection
- Indicators of compromise: The report notes scanning, probing and exploit attempts against exposed servers shortly after disclosure; no specific indicators (hashes, addresses or request signatures) are listed in this summary.
- Detection methods and tools:
- Next Generation Firewall (NGFW) with Advanced Threat Prevention subscription can identify and block associated traffic.
- Advanced URL Filtering and Advanced DNS Security can block OAST domains and known malicious URLs related to exploit activities.
- Cortex Xpanse and the ASM add-on for Cortex XSIAM can identify external-facing Apache Tomcat servers using the "Tomcat Web Server" attack surface rule.
## References
- Vendor Advisory (Tomcat): https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq
- Vendor Advisory (CVE-2025-27636): https://camel.apache.org/security/CVE-2025-27636.html
- Vendor Advisory (CVE-2025-29891): https://camel.apache.org/security/CVE-2025-29891.html
- Incident Response Contact: https://start.paloaltonetworks.com/contact-unit42.html