Apache Under the Lens: Tomcat’s Partial PUT and Camel’s Header Hijack

    Date: 07/04/2025

    Severity: High

    Summary

    In March 2025, Apache disclosed CVE-2025-24813, a critical RCE vulnerability in Apache Tomcat affecting versions 9.0.0.M1 to 9.0.98, 10.1.0-M1 to 10.1.34, and 11.0.0-M1 to 11.0.2. Two additional RCE flaws, CVE-2025-27636 and CVE-2025-29891, were revealed in Apache Camel, impacting versions from 3.10.0 to 3.22.3 and 4.8.0 to 4.10.1. These issues are significant due to the widespread use of Apache platforms among developers. Patches were released, PoCs emerged quickly, and active scanning began soon after disclosure.
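
    To check an asset inventory against the version ranges stated above, the following added example (not code from Apache, Unit 42, or Gurucul) compares Tomcat and Camel version strings, including Tomcat milestone builds such as 10.1.0-M1, with those ranges. The host names, status labels, and sample inventory are constructed assumptions.

```python
import re

# Affected ranges exactly as stated in the summary above (inclusive bounds).
AFFECTED = {
    "tomcat": [("9.0.0.M1", "9.0.98"), ("10.1.0-M1", "10.1.34"), ("11.0.0-M1", "11.0.2")],
    "camel": [("3.10.0", "3.22.3"), ("4.8.0", "4.10.1")],
}

# major.minor.patch with an optional milestone qualifier (".M1" or "-M1").
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")

def version_key(text):
    """Sortable key; a milestone build orders before the release of the same number."""
    match = _VERSION.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, milestone = match.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))

def in_affected_range(product, version):
    """True when the version falls inside any range the advisory lists for the product."""
    key = version_key(version)
    return any(version_key(low) <= key <= version_key(high)
               for low, high in AFFECTED[product.lower()])

def triage(inventory):
    """Map each (host, product, version) row to a status for patch prioritisation."""
    report = {}
    for host, product, version in inventory:
        try:
            hit = in_affected_range(product, version)
            report[host] = "in-affected-range" if hit else "outside-stated-ranges"
        except (ValueError, KeyError):
            # Qualified/vendor builds or unknown products need a human decision.
            report[host] = "manual-review"
    return report

# Constructed sample inventory (hypothetical host names, not from the advisory).
SAMPLE_INVENTORY = [
    ("app01", "tomcat", "9.0.98"),
    ("app02", "tomcat", "10.1.0-M17"),
    ("app03", "tomcat", "11.0.3"),
    ("esb01", "camel", "3.22.3-SNAPSHOT"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

    Versions that do not parse cleanly are routed to manual review rather than being treated as safe.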

    Indicators of Compromise (IOC) List 

    IP Address : 

    Hash : 

    6a9a0a3f0763a359737da801a48c7a0a7a75d6fa810418216628891893773540

    6b7912e550c66688c65f8cf8651b638defc4dbeabae5f0f6a23fb20d98333f6b

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    IP Address : 

    dstipaddress IN ("167.172.67.75","162.241.149.101","64.39.98.52","185.91.127.9","209.189.232.134","139.87.112.121","91.208.206.203","54.193.62.84","96.113.95.10","100.65.135.245","138.197.82.147","123.16.159.102","193.53.40.18","212.56.34.85","195.164.49.70","30.153.178.49","54.147.173.17","54.120.8.214","139.87.112.169","139.87.112.115","139.87.112.98","139.87.113.24","64.39.98.139","54.96.66.57","138.197.82.147","22.85.196.34","64.39.98.245","64.39.98.9","54.120.8.207","130.212.99.156","139.87.112.121","139.87.113.26") or srcipaddress IN ("167.172.67.75","162.241.149.101","64.39.98.52","185.91.127.9","209.189.232.134","139.87.112.121","91.208.206.203","54.193.62.84","96.113.95.10","100.65.135.245","138.197.82.147","123.16.159.102","193.53.40.18","212.56.34.85","195.164.49.70","30.153.178.49","54.147.173.17","54.120.8.214","139.87.112.169","139.87.112.115","139.87.112.98","139.87.113.24","64.39.98.139","54.96.66.57","138.197.82.147","22.85.196.34","64.39.98.245","64.39.98.9","54.120.8.207","130.212.99.156","139.87.112.121","139.87.113.26")

    Hash : 

    sha256hash IN ("6a9a0a3f0763a359737da801a48c7a0a7a75d6fa810418216628891893773540","6b7912e550c66688c65f8cf8651b638defc4dbeabae5f0f6a23fb20d98333f6b")

    Reference:

    https://unit42.paloaltonetworks.com/apache-cve-2025-24813-cve-2025-27636-cve-2025-29891/

