Apache Tomcat and Camel Vulnerabilities Actively Exploited in The Wild

Critical vulnerabilities in Apache Tomcat and Apache Camel are being actively exploited by cybercriminals worldwide, with security researchers documenting over 125,000 attack attempts across more than 70 countries since their disclosure in March 2025.

The three vulnerabilities—CVE-2025-24813 affecting Apache Tomcat and CVE-2025-27636 and CVE-2025-29891 impacting Apache Camel—enable remote code execution and pose significant risks to organizations running these widely-deployed Java-based platforms.

Apache Tomcat, the popular web server platform that enables Java-based web applications, is vulnerable through CVE-2025-24813, which affects versions 9.0.0.M1 to 9.0.98, 10.1.0-M1 to 10.1.34, and 11.0.0-M1 to 11.0.2.

Exploitation of the flaw abuses Tomcat’s partial PUT functionality in combination with its session persistence feature, allowing attackers to plant a malicious serialized session file and have it deserialized to achieve arbitrary code execution.

Apache Camel, an integration framework for connecting diverse systems, suffers from two related vulnerabilities that let attackers bypass its header filtering by manipulating the letter case of header names, which the case-sensitive filter fails to match.

Two steps of the exploit (Source – Palo Alto Networks)

Palo Alto Networks researchers identified a dramatic surge in exploitation attempts immediately following the vulnerabilities’ public disclosure, with attack frequency peaking within the first week of March 2025.

The security firm’s telemetry systems blocked 125,856 probes, scans, and exploit attempts, including 7,859 specifically targeting the Tomcat vulnerability.

Analysis of the attack patterns reveals both automated scanning and active exploitation attempts, with many attacks using the freely available Nuclei scanner framework.

The threat landscape has evolved rapidly since the initial disclosures, with proof-of-concept exploits becoming publicly available shortly after Apache released security patches.

Cached session file (Source – Palo Alto Networks)

The ease of exploitation has lowered the barrier for less sophisticated threat actors, making these vulnerabilities particularly dangerous for organizations that have not applied necessary updates.

Tomcat’s Partial PUT Exploitation Mechanism

The CVE-2025-24813 vulnerability leverages a sophisticated two-step attack process that exploits Tomcat’s handling of partial PUT requests with Content-Range headers.

Attackers first stage their payload by sending an HTTP PUT request whose body is a serialized malicious object and whose target filename ends in “.session”, so that Tomcat’s session persistence mechanism treats the uploaded file as a cached session.

The initial payload deployment only works under specific server configurations: the readonly parameter must be disabled (so that PUT requests are accepted) and file-based session persistence must be enabled.

When these conditions are met, Tomcat saves the attacker’s serialized code to two locations: a normal cache file under the webapps directory and a temporary file with a leading period in the work directory.

The exploitation process concludes when the attacker sends a follow-up HTTP GET request containing a carefully crafted JSESSIONID cookie value that triggers deserialization of the cached malicious code.
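The two preconditions above (writable default servlet and file-based session persistence) and the staging step (a PUT to a path ending in “.session”) are both observable by a defender. The following script is an added example, not code from the article or from Palo Alto Networks: it audits the two Tomcat configuration files for those preconditions and scans access-log lines in Tomcat’s “common” log format for the staging request. The `web.xml`, `context.xml` and log lines embedded below are constructed samples; real deployments may place the settings in different files, and a partial PUT’s status code is deliberately not used as a signal.

```python
"""Audit Tomcat config for the CVE-2025-24813 preconditions and scan access
log lines for the staging step (PUT of a '.session' file).

Added example; the configuration fragments and log lines are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Constructed conf/web.xml fragment with the risky setting (readonly=false).
SAMPLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>"""

# Constructed context.xml fragment enabling file-based session persistence.
SAMPLE_CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
</Context>"""

# Constructed access-log lines in Tomcat's "common" pattern: %h %l %u %t "%r" %s %b
SAMPLE_LOG = """203.0.113.5 - - [10/Mar/2025:12:00:01 +0000] "PUT /app/x/y.session HTTP/1.1" 409 -
203.0.113.5 - - [10/Mar/2025:12:00:02 +0000] "GET /app/ HTTP/1.1" 200 1234
198.51.100.7 - - [10/Mar/2025:12:05:00 +0000] "GET /app/index.html HTTP/1.1" 200 512
198.51.100.7 - - [10/Mar/2025:12:05:03 +0000] "PUT /app/upload/report.txt HTTP/1.1" 201 -"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def _local(tag: str) -> str:
    """Strip an XML namespace prefix: '{ns}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_writable(web_xml: str) -> bool:
    """True if the DefaultServlet has readonly=false, i.e. PUT is accepted.
    Tomcat's default for readonly is true, so a missing parameter is safe."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = "".join(c.text or "" for c in servlet if _local(c.tag) == "servlet-class")
        if not cls.strip().endswith("DefaultServlet"):
            continue
        for param in servlet.iter():
            if _local(param.tag) != "init-param":
                continue
            name = value = ""
            for child in param:
                if _local(child.tag) == "param-name":
                    name = (child.text or "").strip()
                elif _local(child.tag) == "param-value":
                    value = (child.text or "").strip()
            if name == "readonly":
                return value.lower() == "false"
    return False


def persistent_file_store(context_xml: str) -> bool:
    """True if a PersistentManager with a FileStore is configured."""
    root = ET.fromstring(context_xml)
    for manager in root.iter():
        if _local(manager.tag) != "Manager":
            continue
        if not manager.get("className", "").endswith("PersistentManager"):
            continue
        for store in manager.iter():
            if _local(store.tag) == "Store" and store.get("className", "").endswith("FileStore"):
                return True
    return False


def preconditions_met(web_xml: str, context_xml: str) -> bool:
    """Both conditions the article names must hold for the staging step to work."""
    return default_servlet_writable(web_xml) and persistent_file_store(context_xml)


def flag_session_puts(lines):
    """Return (ip, path) for every PUT whose target path ends in '.session'."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["method"] == "PUT" and m["path"].lower().endswith(".session"):
            hits.append((m["ip"], m["path"]))
    return hits


if __name__ == "__main__":
    print("preconditions met:", preconditions_met(SAMPLE_WEB_XML, SAMPLE_CONTEXT_XML))
    for ip, path in flag_session_puts(SAMPLE_LOG.splitlines()):
        print(f"suspicious PUT from {ip} to {path}")
```

The configuration audit is the more valuable half: an instance with `readonly` left at its default of `true` cannot be staged against at all, regardless of what the access log shows, and the log scan will miss the request if the PUT never reaches the access log (for example when a proxy rejects it first). Run the audit against the real `conf/web.xml` and each application’s `context.xml`, and feed the scanner the actual `localhost_access_log` files rather than the constructed sample.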
