CVE-2025-27636 – Remote Code Execution in Apache Camel via Case-Sensitive Header Filtering Bypass

Overview

CVE-2025-27636 is a critical remote code execution vulnerability in Apache Camel that affects the exec component. The flaw arises because Camel’s security filters only check certain sensitive HTTP headers in lowercase, failing to block the same headers submitted in mixed or uppercase casing. Attackers can exploit this oversight to execute arbitrary system commands via HTTP requests.

• CVE ID: CVE-2025-27636
• Severity: Medium
• CVSS Score: 5.6 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
• EPSS Score: 35.5%
• Published: March 19, 2025
• Affected Versions:
  • 4.10.0 – 4.10.1
  • 4.8.0 – 4.8.4
  • 3.10.0 – 3.22.3
• Patched Versions: 4.10.2, 4.8.5, 3.22.4
• Authentication Required: Depends on deployment
• Impact: Remote Code Execution
  
  

Apache Camel patched this issue in the above versions by normalizing header names to lowercase before filtering them.

Technical Breakdown

Apache Camel supports a Command Center feature which allows executing OS-level commands via HTTP endpoints. By design, this functionality should be restricted to trusted administrators and protected by strict filtering of certain headers:

• CamelExecCommandExecutable
• CamelExecCommandArgs
  
  

However, the vulnerable versions of Camel performed case-sensitive header checks. Passing these headers in mixed casing, e.g. CAmelExecCommandExecutable, allowed them to bypass security filters.

When exploited, the vulnerable Camel instance executes the attacker’s chosen system command under the privileges of the Camel process — which in some deployments, may be running as root.

Conditions for Exploitation

• An attacker must be able to inject or upload malicious XML route definitions
• The vulnerable Camel instance must parse the XML route
• The runtime environment must allow process execution
  
  

Note: In some environments, this may require low-privileged authentication if route uploads are gated behind login.

Exploitation

Public PoC

A working public PoC is documented here:
🔗 Akamai CVE-2025-27636 PoC

Exploiting with curl

To exploit the vulnerability, send a request to the vulnerable endpoint with mixed-case headers. For example, executing ls inside /root:

curl "http://10.0.2.15:80/command-center" --header "CAmelExecCommandExecutable: ls" --header "CAmelExecCommandArgs: /"

• Upgrade Apache Camel to:
  • 4.10.2+
  • 4.8.5+
  • 3.22.4+
• Restrict external access to management endpoints like the Command Center.
• Block or sanitize incoming HTTP headers that could influence system behavior.
• Deploy a WAF to detect suspicious header names or payloads.
• Run Camel under a low-privilege user account wherever possible.
  

• NVD CVE-2025-27636
• Akamai PoC Exploit
• Apache Camel Security