Critical vulnerabilities in Apache Tomcat and Apache Camel are being actively exploited by cybercriminals worldwide, with security researchers documenting over 125,000 attack attempts across more than 70 countries since their disclosure in March 2025. The three vulnerabilities (CVE-2025-24813 affecting Apache Tomcat, and CVE-2025-27636 and CVE-2025-29891 impacting Apache Camel) enable remote code execution and pose significant risks to organizations running these widely deployed Java-based platforms.

Palo Alto Networks researchers identified a dramatic surge in exploitation attempts immediately following the vulnerabilities' public disclosure, with attack frequency peaking within the first week of March 2025. The security firm's telemetry systems blocked 125,856 probes, scans, and exploit attempts, including 7,859 specifically targeting the Tomcat vulnerability. Analysis of the attack patterns reveals both automated scanning and active exploitation attempts, with many attacks using the freely available Nuclei scanner framework. The threat landscape has evolved rapidly since the initial disclosures, with proof-of-concept exploits becoming publicly available shortly after Apache released security patches.

The CVE-2025-24813 vulnerability relies on a two-step attack process that exploits Tomcat's handling of partial PUT requests carrying Content-Range headers, combined with its session persistence features, allowing attackers to manipulate serialized session files and achieve arbitrary code execution. Attackers first stage their malicious payload by sending an HTTP PUT request containing serialized malicious code, with the filename ending in ".session" so that it is picked up by Tomcat's session persistence mechanism. When these conditions are met, Tomcat saves the attacker's serialized code to two locations: a normal cache file under the webapps directory and a temporary file with a leading period in the work directory. The exploitation process concludes when the attacker sends a follow-up HTTP GET request containing a carefully crafted JSESSIONID cookie value that triggers deserialization of the cached malicious code.

Apache Camel, an integration framework for connecting diverse systems, suffers from two related vulnerabilities that enable attackers to bypass its header filtering mechanisms through case-sensitive manipulation of header names.
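The two-step pattern described above (a partial PUT of a ".session" file followed by a GET with an unusual JSESSIONID) can be hunted for in access logs. The following is an added detection example, not code from the article or from Palo Alto Networks; it assumes Tomcat's AccessLogValve pattern was extended with `%{Content-Range}i` and `%{Cookie}i` as the last two quoted fields, and the log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines (fabricated IPs, paths and session values) from a Tomcat
# AccessLogValve whose pattern was extended (assumption) with %{Content-Range}i
# and %{Cookie}i as the last two quoted fields.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Mar/2025:10:01:02 +0000] "PUT /app/x.session HTTP/1.1" 201 0 "bytes 0-999/1200" "-"
203.0.113.7 - - [05/Mar/2025:10:01:04 +0000] "GET /app/ HTTP/1.1" 500 0 "-" "JSESSIONID=.x"
198.51.100.4 - - [05/Mar/2025:10:02:00 +0000] "PUT /app/report.pdf HTTP/1.1" 204 0 "-" "-"
198.51.100.9 - - [05/Mar/2025:10:03:00 +0000] "GET /app/index.jsp HTTP/1.1" 200 512 "-" "JSESSIONID=ABC123"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<crange>[^"]*)" "(?P<cookie>[^"]*)"$'
)

def parse(line):
    """Parse one extended access-log line; return a dict or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Return indicator tags for one parsed entry (heuristics, not proof of compromise)."""
    tags = []
    if entry["method"] == "PUT":
        if entry["crange"] != "-":
            tags.append("partial_put")            # PUT carrying a Content-Range header
        if entry["path"].lower().endswith(".session"):
            tags.append("session_file_upload")    # uploaded filename ends in .session
    # Legitimate Tomcat session IDs are hex (optionally followed by a route suffix);
    # a value starting with "." points at a dot-prefixed file rather than a session.
    if entry["method"] == "GET" and entry["cookie"].startswith("JSESSIONID=."):
        tags.append("dotted_jsessionid")
    return tags

def detect(log_text):
    """Map each source IP to the sorted set of indicator tags seen from it."""
    per_ip = defaultdict(set)
    for line in log_text.splitlines():
        entry = parse(line)
        if entry:
            per_ip[entry["ip"]].update(classify(entry))
    return {ip: sorted(t) for ip, t in per_ip.items() if t}

def chained_attackers(findings):
    """IPs that show both the staging (PUT) and trigger (GET) halves of the chain."""
    return sorted(ip for ip, tags in findings.items()
                  if "session_file_upload" in tags and "dotted_jsessionid" in tags)
```

A single tag is worth a look; an IP returned by `chained_attackers` performed both halves of the sequence and should be prioritized for incident response.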
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 03 Jul 2025 16:10:13 +0000