Apache Camel Exploit Attempt by Vulnerability Scan (CVE-2025-27636, CVE-2025-29891), (Mon, Mar 31st)
Apache patched two vulnerabilities (CVE-2025-27636 and CVE-2025-29891) that can lead to remote code execution, though not in the default configuration. The problem is that HTTP header names are case-insensitive, which defeats the header filter. So far the attack attempts come from authorized scanners; no actual exploitation has been observed. A sample request shows the technique. The indicators suggest internal testing rather than an external attack. 2025-3-31 12:20:30 Author: isc.sans.edu

About three weeks ago, Apache patched two vulnerabilities in Apache Camel. The two vulnerabilities (CVE-2025-27636 and CVE-2025-29891) may lead to remote code execution, but not in the default configuration. The vulnerability is caused by Apache Camel using case-sensitive filters to restrict which headers may be used. However, HTTP header names are not case-sensitive, so an attacker can trivially bypass the filter by changing the case of a blocked header name.

At this point, the attempts we see originate from authorized vulnerability scanners. I do not call this "exploited" yet. The exploit is trivial, so actual exploitation is likely, but the number of vulnerable systems is probably small. The vulnerability is still interesting because (a) it uses HTTP headers, and I am currently focusing on HTTP headers, and (b) it is trivial to exploit.

Here is a sample request:

```http
Host: [victim IP]:9000
Accept-Charset: iso-8859-1,*,utf-8
Pragma: no-cache
camelexeccommandargs: -c 5 -p 5f4f70656e564153565439313338305f [IP address redacted]
camelexeccommandexecutable: ping
User-Agent: [vulnerability scanner]
Connection: Keep-Alive
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Cache-Control: no-cache
Accept-Language: en
```

Why do I believe that these are authorized vulnerability scans?

  1. The target IP of the "ping" is an internal IP address.
  2. The User-Agent is the name of a well-respected security company (redacted to protect the innocent).
  3. The victim IP is also an internal IP address.
  4. The hexadecimal ping payload decodes to "_OpenVASVT91380_". OpenVAS is an open source vulnerability scanner, unsuitable for the typical internet-wide scans done by the attackers we usually observe.

Could this still be an actual attack? Sure. Everything is possible. But it is very unlikely that an attacker would spoof this user agent, and this attacker would already be "inside" the network.
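To make the mechanism concrete, here is an added Python illustration (not Apache Camel's code): a simplified case-sensitive header denylist of the kind described above, the case-insensitive fix, and a small detector that normalizes header names and decodes the hex marker from the request shown earlier. The "Camel" prefix, the header dictionary model and the sample request are assumptions modelled on the diary, not Camel's actual implementation.

```python
"""Added illustration (not Apache Camel's code) of the case-sensitivity
bug, its fix, and a detector for requests like the one in the diary."""
import re

BLOCKED_PREFIX = "Camel"  # assumed: internal header prefix clients must not set


def parse_headers(raw: str) -> dict:
    """Split raw 'Name: value' lines into a dict, keeping the original case."""
    headers = {}
    for line in raw.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
    return headers


def filter_case_sensitive(headers: dict) -> dict:
    """Vulnerable model: exact-case prefix match, so 'camelExec...' slips through."""
    return {k: v for k, v in headers.items() if not k.startswith(BLOCKED_PREFIX)}


def filter_case_insensitive(headers: dict) -> dict:
    """Hardened: HTTP header names are case-insensitive, so compare lower-cased."""
    prefix = BLOCKED_PREFIX.lower()
    return {k: v for k, v in headers.items() if not k.lower().startswith(prefix)}


HEX_TOKEN = re.compile(r"\b[0-9a-fA-F]{8,}\b")  # long hex runs such as the ping payload


def inspect_request(raw: str) -> dict:
    """Report camel* headers (lower-cased) and any hex tokens that decode to ASCII."""
    headers = parse_headers(raw)
    hits = {k.lower(): v for k, v in headers.items() if k.lower().startswith("camel")}
    markers = []
    for value in hits.values():
        for tok in HEX_TOKEN.findall(value):
            try:
                markers.append(bytes.fromhex(tok).decode("ascii"))
            except (ValueError, UnicodeDecodeError):
                pass  # not a printable marker; ignore
    return {"camel_headers": hits, "decoded_markers": markers}


# Constructed sample modelled on the diary's request; IPs are placeholders.
SAMPLE = """Host: 10.0.0.5:9000
camelexeccommandargs: -c 5 -p 5f4f70656e564153565439313338305f 10.0.0.9
camelexeccommandexecutable: ping
User-Agent: scanner
"""
```

Running `inspect_request(SAMPLE)` on a web server log or proxy capture surfaces both the lower-cased camel headers and the decoded "_OpenVASVT91380_" marker, which is the kind of triage that separates scanner noise from a real attempt.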

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu


Source: https://isc.sans.edu/diary/rss/31814