Hello and welcome to the Tuesday, April 1st, 2025 edition of the Sands and then the Storm Center's Stormcast.

My name is Johannes Ulrich and today I'm recording from Jacksonville, Florida.

Well, and today I found some exploit attempts against a recent Apache Camel

War on Ability. Camel is one of those data exchange frameworks. It's

essentially used to make it easier in enterprise systems to shuffle data from

one system to the other, receive the data, manipulated, and so on.

Recently, they published fairly straightforward to exploit vulnerability.

There are two headers in Camel that can be used to execute operating system commands.

That's kind of the point of these headers.

But they're access controlled and they're

checking if these headers are present or not. The only problem is that when they're checking

if the headers are present, they're looking for specific upper lower case patterns. Well,

kind of camel case. And when it's actually then being executed, the case doesn't matter.

So it's pretty straightforward to bypass the filter by just using all lowercase, all uppercase,

something like that. That's not then blocked by the initial check and the operating system commands will still be executed.

At this point, I wouldn't really sort of call what we're seeing as exploited in the wild.

It looks more like vulnerability scans.

Even the one I have here really looked more like sort of an internal vulnerability scan

that ended up in one of our honeypots for some reason.

Could of course be some internal lateral movement or something like this, but I doubt it is they're using a standard vulnerability scanner here

and don't really think that this is actual attack activity,

but just shows it's extremely easy to exploit this vulnerability.

...