Imperva Protects Against the Apache Camel Vulnerabilities

Introduction: Understanding the Apache Camel Flaw

On March 9, 2025, Apache released a security advisory for CVE-2025-27636, a vulnerability in the Apache Camel framework that allows attackers to bypass header filtering via miscased headers. Although rated as moderate, this vulnerability specifically affects configurations that use HTTP server components (such as camel-servlet, camel-jetty, camel-undertow, camel-platform-http, or camel-netty-http) in combination with the camel-bean component on beans that implement more than one method.

Shortly after, Apache disclosed CVE-2025-29891, a related vulnerability stemming from the same root cause as CVE-2025-27636. This additional exposure indicates that attackers may have multiple avenues to exploit the flaw, potentially increasing the attack surface for affected organizations. Imperva’s defenses successfully mitigate both issues.

In this post, we outline the technical details of this vulnerability, share Imperva’s observations in the wild, and explain how our WAF rules help defend your environment.

Inside the Vulnerability: Unmasking the Header Injection Flaw

The flaw in Apache Camel’s default header filtering mechanism stems from its case-sensitive approach: it only blocks headers beginning with “Camel”, “camel”, or “org.apache.camel.”. This oversight allows attackers to inject headers using altered casing (e.g., “CAmelExecCommandExecutable” instead of the correct “CamelExecCommandExecutable”). In affected configurations, this permits the unauthorized invocation of internal bean methods.
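The following Python example is added here and is not Apache Camel's or Imperva's code. It models the exact-case prefix check described above beside a case-folded one and flags request header and query parameter names that only the second catches; the function names, the `app.example` host and the sample requests are constructed for illustration.

```python
from __future__ import annotations

from urllib.parse import parse_qsl, urlsplit

# Prefixes the post says the default filter blocks (matched with exact case).
BLOCKED_PREFIXES = ("Camel", "camel", "org.apache.camel.")


def case_sensitive_filter_blocks(name: str) -> bool:
    """Model of the flawed check: exact-case prefix comparison."""
    return name.startswith(BLOCKED_PREFIXES)


def case_insensitive_match(name: str) -> bool:
    """Hardened check: compare the same prefixes after case folding."""
    folded = name.casefold()
    return folded.startswith(tuple(p.casefold() for p in BLOCKED_PREFIXES))


def find_filter_bypasses(url: str, headers: dict[str, str]) -> list[tuple[str, str]]:
    """Return (source, name) pairs that fall in the Camel namespace
    but slip past the exact-case filter."""
    query = urlsplit(url).query
    query_names = [k for k, _ in parse_qsl(query, keep_blank_values=True)]
    candidates = [("header", h) for h in headers]
    candidates += [("query", q) for q in query_names]
    return [
        (source, name)
        for source, name in candidates
        if case_insensitive_match(name) and not case_sensitive_filter_blocks(name)
    ]


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = [
    ("/orders?id=42", {"Host": "app.example", "User-Agent": "curl/8.5"}),
    ("/orders", {"Host": "app.example", "CamelExecCommandExecutable": "ls"}),
    ("/orders", {"Host": "app.example", "CAmelExecCommandExecutable": "ls"}),
    ("/orders?CAmelExecCommandExecutable=ls", {"Host": "app.example"}),
    ("/orders", {"Host": "app.example", "ORG.APACHE.CAMEL.foo": "x"}),
]

if __name__ == "__main__":
    for url, headers in SAMPLE_REQUESTS:
        print(url, find_filter_bypasses(url, headers))
```

The correctly cased header in the second request is not reported because the exact-case filter already strips it; only the miscased names in the last three requests are flagged.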

Imperva’s Findings: Real-World Exploitation Trends

Our threat research team has been actively monitoring exploitation attempts targeting this flaw. Here are some sample payloads observed in the wild:

[Image: sample exploitation attempts]

In addition to these payloads, our monitoring has compiled data on attack trends—including the top attacked industries and top attacked countries.

The top attacked industries include Financial Services (24%), Computing & IT (24%), and Business (15%). Given their role in handling high volumes of transactions and sensitive customer data, it’s no surprise that these sectors remain prime targets for cybercriminals.

[Chart: Top Attacked Industries]

The United States is the most commonly targeted country, at 73%, followed by the UK (7%) and France (4%).

[Chart: Top Attacked Countries]

Almost all of the IPs involved in this attack were high risk, meaning that they’ve been involved in frequent, high-severity attacks over the past two weeks.

So far, most observed exploitation attempts for CVE-2025-29891 have been generic “ls” command executions, such as CAmelExecCommandExecutable=ls, indicating initial probing rather than targeted attacks.

Imperva Defense: How Our WAF Rules Block the Threat

While patching Apache Camel to a fixed version is the recommended remediation, not all environments can apply the upgrade immediately.

Imperva’s Web Application Firewall (WAF) offers an additional layer of defense that mitigated these attacks out of the gate with no additional configuration, due to the following capabilities:

  1. Rules that block the generic code injections commonly found in these payloads, as well as out-of-band domains. All attacks we’ve seen so far contained these two types of payloads.
  2. Bad bot rules to detect automated tools primarily responsible for these attacks. 98% of attacks we’ve seen so far originated from bad bots, including automated tools or scanners.
  3. Reputation intelligence to detect risky IPs. 99% of attacks we’ve seen so far originated from IPs with high risk.

Final Thoughts: Future-Proofing Your Security

The Apache Camel vulnerabilities are a clear example of how subtle misconfigurations—in this case, a case-sensitive filtering mechanism—can be exploited in specific yet impactful ways. Imperva remains dedicated to securing your applications through advanced threat detection and mitigation strategies. Whether through timely patching or leveraging our WAF rules, we aim to ensure your critical systems remain resilient against evolving threats.