CVE-2025-27636 – Remote Code Execution in Apache Camel via Case-Sensitive Header Filtering Bypass

Jul 10, 2025
Discover the critical Apache Camel vulnerability (CVE-2025-27636) that allows remote code execution via case-sensitive HTTP header manipulation in the exec component. Learn how attackers exploit this flaw and how to mitigate it.
Overview
CVE-2025-27636 is a critical remote code execution vulnerability in Apache Camel that affects the exec component. The flaw arises because Camel’s security filters only check certain sensitive HTTP headers in lowercase, failing to block the same headers submitted in mixed or uppercase casing. Attackers can exploit this oversight to execute arbitrary system commands via HTTP requests.
- CVE ID: CVE-2025-27636
- Severity: Medium
- CVSS Score: 5.6 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
- EPSS Score: 35.5%
- Published: March 19, 2025
- Affected Versions:
  - 4.10.0 – 4.10.1
  - 4.8.0 – 4.8.4
  - 3.10.0 – 3.22.3
- Patched Versions: 4.10.2, 4.8.5, 3.22.4
- Authentication Required: Depends on deployment
- Impact: Remote Code Execution
Apache Camel patched this issue in the above versions by normalizing header names to lowercase before filtering them.
Technical Breakdown
Apache Camel supports a Command Center feature that allows executing OS-level commands via HTTP endpoints. By design, this functionality should be restricted to trusted administrators and protected by strict filtering of certain headers:
- CamelExecCommandExecutable
- CamelExecCommandArgs
However, the vulnerable versions of Camel performed case-sensitive header checks. Passing these headers in mixed casing, e.g. CAmelExecCommandExecutable, allowed them to bypass security filters.
When exploited, the vulnerable Camel instance executes the attacker’s chosen system command under the privileges of the Camel process, which in some deployments may be running as root.
Conditions for Exploitation
- An attacker must be able to inject or upload malicious XML route definitions
- The vulnerable Camel instance must parse the XML route
- The runtime environment must allow process execution
Note: In some environments, this may require low-privileged authentication if route uploads are gated behind login.
Exploitation
Public PoC
A working public PoC is documented here:
🔗 Akamai CVE-2025-27636 PoC
Exploiting with curl
To exploit the vulnerability, send a request to the vulnerable endpoint with mixed-case headers. For example, executing ls inside /root:
curl "http://10.0.2.15:80/command-center" --header "CAmelExecCommandExecutable: ls" --header "CAmelExecCommandArgs: /"
Mitigation
- Upgrade Apache Camel to:
  - 4.10.2+
  - 4.8.5+
  - 3.22.4+
- Restrict external access to management endpoints like the Command Center.
- Block or sanitize incoming HTTP headers that could influence system behavior.
- Deploy a WAF to detect suspicious header names or payloads.
- Run Camel under a low-privilege user account wherever possible.
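To make the root cause and the fix concrete, the following is an added Python model (not Camel's own code) of a case-sensitive header blocklist next to the lowercase-normalized check the patched releases are described as using, plus a small WAF-style detector run over a constructed request that mirrors the curl example above. The header names are the two the advisory lists; the request body, host name and function names are assumptions for illustration.

```python
from typing import Dict, List

# The two headers the advisory says Camel's exec component must filter.
SENSITIVE_HEADERS = {"CamelExecCommandExecutable", "CamelExecCommandArgs"}


def filter_headers_vulnerable(headers: Dict[str, str]) -> Dict[str, str]:
    """Models the pre-patch behaviour: exact (case-sensitive) name match.
    A header spelled 'CAmelExecCommandExecutable' is not in the set and passes."""
    return {k: v for k, v in headers.items() if k not in SENSITIVE_HEADERS}


def filter_headers_fixed(headers: Dict[str, str]) -> Dict[str, str]:
    """Models the fix described above: normalize the name to lowercase first."""
    blocked = {h.lower() for h in SENSITIVE_HEADERS}
    return {k: v for k, v in headers.items() if k.lower() not in blocked}


def parse_request_headers(raw: str) -> Dict[str, str]:
    """Minimal parser for the header block of a raw HTTP/1.1 request (constructed)."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:   # skip the request line
        if not line:                     # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


def detect_bypass_attempts(headers: Dict[str, str]) -> List[str]:
    """WAF-style check: report any header that matches a sensitive name
    case-insensitively but is not spelled canonically (a case-variant bypass)."""
    canonical = {h.lower(): h for h in SENSITIVE_HEADERS}
    return [n for n in headers
            if n.lower() in canonical and n != canonical[n.lower()]]


# Constructed sample request reproducing the mixed-case headers from the curl example.
RAW_REQUEST = (
    "GET /command-center HTTP/1.1\r\n"
    "Host: camel.example.internal\r\n"
    "CAmelExecCommandExecutable: ls\r\n"
    "CAmelExecCommandArgs: /\r\n"
    "\r\n"
)

if __name__ == "__main__":
    hdrs = parse_request_headers(RAW_REQUEST)
    print("vulnerable filter lets through:", list(filter_headers_vulnerable(hdrs)))
    print("fixed filter lets through:     ", list(filter_headers_fixed(hdrs)))
    print("bypass attempts flagged:       ", detect_bypass_attempts(hdrs))
```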